'iServer', a service that phished for the authentication information used to unlock 1.2 million stolen smartphones, is shut down



Europol has announced that it has dismantled an international criminal network that allegedly helped criminals unlock stolen or lost smartphones.

Criminal phishing network resulting in over 480 000 victims worldwide busted in Spain and Latin America | Europol

https://www.europol.europa.eu/media-press/newsroom/news/criminal-phishing-network-resulting-in-over-480-000-victims-worldwide-busted-in-spain-and-latin-america

Group-IB contributes to international “Operation Kaerb” | Group-IB
https://www.group-ib.com/media-center/press-releases/operation-kaerb/

Ever wonder how crooks get the credentials to unlock stolen phones? | Ars Technica
https://arstechnica.com/security/2024/09/cops-bust-website-crooks-used-to-unlock-1-2-million-stolen-mobile-phones/

According to Europol, phishing schemes for unlocking smartphones have been rampant, and an Argentine man has been arrested for developing and operating a website that carried out such schemes.

According to investigators, the man set up a website called 'iServer' to connect criminals who unlocked smartphones with those who had access to other people's smartphones. He charged a fee for the service and profited from it.



Group-IB, the security company that revealed the existence of iServer, provides a detailed explanation of how iServer was operated.

There are three main actors involved with iServer: the platform administrators, the unlockers, and the criminals who request the unlocking. The platform administrators developed a web interface that allowed them to steal device passwords, user credentials, and personal information from victims, and then sold access to these systems to the unlockers.

Once an unlocker has gained access to the system, they launch a phishing attack on the smartphone owner in line with the criminals' unlocking requests, using either a domain provided by iServer or their own domain. If iServer's domain is used, iServer creates its own phishing page and sends an SMS containing a malicious link to the victim.

Below is a phishing page from iServer disguised as a popular “lost device recovery service.”



Ultimately, the criminals who requested the unlocking received the credentials obtained through iServer, unlocked the phone, and even turned off the 'lost mode' feature on iPhones and other devices, allowing them to use the phone freely.



Law enforcement officials reported that 483,000 victims worldwide were phished in attempts to regain access to their smartphones, mostly Spanish-speaking people in Europe, North and South America.

Europol, in cooperation with law enforcement agencies in Spain, Argentina, Chile, Colombia and other countries, conducted simultaneous investigations from September 10 to 17, 2024. As a result, 17 people were arrested and 921 smartphones and other electronic devices were seized.

The investigation revealed that more than 2,000 unlockers were registered on iServer and that more than 1.2 million smartphones had actually been unlocked.

Europol warned: 'Phishing messages may appear to be from a trustworthy organisation, may claim to be urgent and may ask you to take some action, such as clicking on an attachment or link or verifying your login credentials. Think twice before clicking any links or attachments.'

in Security, Posted by log1p_kr