Popular Mechanics (South Africa)
ENGINEERING FOR GAIN
THE EMAILS BEGAN TRICKLING INTO my inbox in January, about a month after the phone had gone missing*. My heart leapt at the first few words: “Your iphone 6S was found.” This was what I had been waiting for. I clicked on the link. It didn’t work. Instead, I found myself staring at an error message: “The website you have tried to access is in violation of company Internet access policy.”
I did a double take. Went back to the original email. It looked genuine enough. Except there was something not quite right about the grammar… no, actually it was poorly written. Not the kind of thing Apple would do.
I hovered my cursor over the link. A bubble popped up, displaying the URL that the hyperlink in the email was pointing to. It ended in .ru. Russia? And that was just the first of, oh, a dozen similar emails and Smses.this morning, for the hell of it, I dug deep in the inbox, located that original email and clicked on that suspect link once more. I still didn’t get taken to the actual website; firewalls will do that. This time, I was confronted with a message saying that the site had been identified as a phishing site.
Uh-huh. Let’s try an online search using the terms “your iphone has been found phishing”. Plenty of hits. One of them from South Africa the day before.
The person involved had responded to an official-looking SMS from Apple Care stating that the stolen device had been received from police, entered the requested details… and realised it had all been a set-up.
How does all this happen? My phone had been stolen, yes, but surely Apple’s belt-and-braces security – PIN code and fingerprint sensor – meant that you practically had to be the NSA, the KGB and the SSA rolled into one to crowbar your way into its contents? My guess: It’s not David Mahlobo sitting there sending me bogus text messages in the hope of scoring some free beats off my itunes account. It’s more than likely just a cellphone thief counting on human nature to gain access to my phone and, who knows, all the juicy personal information that it contains.
Thanks to me.
There are probably ways of doing this through the SIM card, but really it’s a lot easier if the iphone’s owner, like me, engages Lost Mode and places a helpful message on the lock screen saying something like, “This phone has been lost or stolen. Please contact joesoap@email.com or call 021 555 55555.” ( With appropriate details, of course.) Is it really that easy? Sadly, “Social engineering: the new wave of con artistry” in this month’s How Your World Works, explains that it really can be. As Nikky Knijf** found out in conversation with some extremely well-informed cybersecurity specialists, more than 90 per cent of all cyber attacks start with an email, so, it’s very likely you’ve been become a target, whether you’ve acted on it or not. And some will act on it. You can count on that. The social engineers certainly do. * Long story. ** Nikky’s promised feature on Blockchain and Bitcoin has been rescheduled for our June 2017 issue.