Lookalike Domains Expose the iPhone Theft Economy

Infoblox Threat Intel uncovered a thriving underground economy on Telegram dedicated to unlocking stolen iPhones. Threat actors utilize specialized Windows binaries to extract device information and deploy targeted smishing campaigns via Apple lookalike domains to steal iCloud credentials, allowing them to bypass Activation Lock, wipe the device, and resell the hardware.

Confidence: high · Analyzed: 2026-05-14 · Google

Authors: Maël Le Touz, Elena Puga, Infoblox Threat Intel

Actors: FMI OFF kits, iCloud Webkit, iSkorpion, MagUnlocker

Source:Infoblox

IOCs · 26

Detection / Hunter: Google

What Happened

Cybercriminals have turned unlocking stolen iPhones into a booming business. When a phone is stolen, the thief uses special software to find the owner's contact information and then sends fake text messages pretending to be Apple. If the owner clicks the link and enters their Apple ID password and device passcode, the thief can remove the Activation Lock, erase the phone, and sell it at a high profit. To protect yourself, never click a link in a text message claiming that your lost phone has been found; use only the official Apple Find My app or iCloud.com.

Key Takeaways

  • Thieves use specialized 'FMI OFF' kits and Windows-based unlocking tools to extract device info and craft targeted smishing campaigns against stolen iPhone owners.
  • The underground market operates heavily on Telegram, offering pay-as-you-go services for unlocking devices and generating phishing links.
  • Attackers prioritize the hardware value over data, wiping devices immediately after unlinking them from iCloud to resell them.
  • Threat actors use automated scripts with headless browsers to detect Google Safe Browsing blocks and submit fake delisting requests.
  • DNS telemetry shows a 350% increase in traffic to these lookalike domains in 2025.

Affected Systems

  • Apple iOS devices (iPhones)
  • Apple iCloud accounts

Attack Chain

The attack begins with the physical theft of an iPhone. The thief connects the locked device to a Windows-based unlocking tool to extract the serial number, IMEI, and owner details, sometimes augmenting this with OSINT from Telegram bots. The attacker then uses an 'FMI OFF' smishing kit to send a localized, personalized SMS or WhatsApp message to the victim, containing a link to an Apple lookalike domain. Once the victim enters their iCloud credentials and passcode on the phishing page, the attacker uses them to remotely remove the Activation Lock, wipe the device, and resell it.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but mentions that a full list of indicators is available on the Infoblox open GitHub repository.

Detection Engineering Assessment

  • EDR Visibility: Low. The attack targets personal mobile devices and consumer iCloud accounts, which are typically outside the scope of corporate EDR deployments, and the unlocking tools run on the attacker's own infrastructure.
  • Network Visibility: Medium. DNS telemetry can identify the lookalike domains, but the smishing itself is delivered over cellular networks or encrypted messaging apps such as WhatsApp, which corporate network inspection never sees.
  • Detection Difficulty: Hard. The smishing arrives out of band on personal devices, and the phishing domains are registered and rotated quickly, so proactive detection is difficult without broad DNS visibility.

Required Log Sources

  • DNS query logs
  • Mobile Device Management (MDM) logs
  • Web Proxy logs

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Hunt for DNS queries to newly registered, non-Apple domains whose labels contain Apple-themed keywords (e.g. 'icloud', 'find', 'location'), including homoglyph spellings such as 'lcloud' and 'lphone' from the IOC list; the IOCs span cheap gTLDs and ccTLDs alike (.app, .help, .xyz, .lt, .us, .me), so do not filter on TLD. | DNS query logs | Delivery | Medium
If you have MDM visibility, monitor for unexpected device unenrollment or remote wipe commands originating from unknown IP addresses. | MDM logs | Impact | Low
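The first hypothesis, run over resolver logs as an added example (this is not Infoblox's code or anything from the article). The log format, the Apple allowlist, the keyword list, the multi-label suffix set and the domain-age feed are assumptions; replace them with your resolver export, passive-DNS baseline and RDAP/WHOIS data. It goes slightly beyond the hypothesis by also matching the i-to-l homoglyph spellings seen in the IOC list and a brand apex smuggled into the subdomain labels of a foreign apex (apple.com-app.lt), and it uses domain age to keep plain keyword hits on old domains out of the triage queue.

```python
"""Hunt for Apple-lookalike domains in resolver query logs.

Added example, not code from Infoblox or the article. It runs the DNS hunting
hypothesis above over constructed log lines; the log format, allowlist, keyword
list and domain-age feed are assumptions to swap for your own data.
"""
from __future__ import annotations
import re

# Apexes Apple itself uses (assumed seed list; extend from your own baseline).
LEGIT_APEX = {"apple.com", "icloud.com", "me.com", "mac.com"}
# Keywords from the hunting hypothesis; "locat" covers location/locate.
KEYWORDS = ("icloud", "apple", "iphone", "find", "locat", "map")
# Brand labels that are suspicious as a subdomain of a foreign apex (apple.com-app.lt).
BRANDS = ("apple", "icloud")
# Suffixes that act as a TLD for the listed IOCs (assumed subset; use the PSL in prod).
MULTI_LABEL_SUFFIXES = {"com.es", "sa.com", "co.uk", "com.br"}
# A domain first seen within this many days counts as newly registered.
NEW_DOMAIN_DAYS = 30


def _glyph_pattern(keyword: str) -> re.Pattern[str]:
    # The IOC list swaps i->l (lcloud, lphone); 1 and 0 are common variants too.
    return re.compile("".join({"i": "[il1]", "o": "[o0]"}.get(c, re.escape(c)) for c in keyword))


GLYPH_PATTERNS = {k: _glyph_pattern(k) for k in KEYWORDS}


def registered_domain(qname: str) -> str:
    """Registrable apex: find.my-id.com.es -> my-id.com.es, www.icloud.com -> icloud.com."""
    labels = qname.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def assess(qname: str, first_seen_days: int | None = None) -> tuple[bool, list[str]]:
    """Return (flagged, reasons). Keyword hits alone flag only newly registered apexes,
    which keeps old "findmyfitness"-style names out of the queue; a homoglyph or a
    brand label under a foreign apex flags regardless of age."""
    qname = qname.lower().rstrip(".")
    apex = registered_domain(qname)
    if apex in LEGIT_APEX:
        return False, [f"allowlisted:{apex}"]
    reasons: list[str] = []
    flat = qname.replace(".", "").replace("-", "")  # keyword scan ignores separators
    reasons += [f"keyword:{k}" for k in KEYWORDS if k in flat]
    reasons += [f"homoglyph:{k}" for k, pat in GLYPH_PATTERNS.items()
                if k not in flat and pat.search(flat)]
    labels = qname.split(".")
    sub_labels = labels[: len(labels) - len(apex.split("."))]
    reasons += [f"brand-in-subdomain:{b}" for b in BRANDS if b in sub_labels]
    is_new = first_seen_days is not None and first_seen_days <= NEW_DOMAIN_DAYS
    if is_new:
        reasons.append(f"newly-registered:{first_seen_days}d")
    strong = any(r.startswith(("homoglyph:", "brand-in-subdomain:")) for r in reasons)
    weak = any(r.startswith("keyword:") for r in reasons)
    return strong or (weak and is_new), reasons


def hunt(log_lines, domain_age: dict[str, int]) -> list[tuple[str, str, list[str]]]:
    """Parse "<ts> <client_ip> <qname> <qtype>" lines; return flagged (client, qname, reasons)."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than abort the hunt
        _ts, client, qname, _qtype = parts[:4]
        qname = qname.lower().rstrip(".")
        flagged, reasons = assess(qname, domain_age.get(registered_domain(qname)))
        if flagged:
            hits.append((client, qname, reasons))
    return hits


# Constructed resolver log: one allowlisted query, one old benign "find" domain,
# and four names taken from the IOC section.
SAMPLE_LOG = """\
2026-05-12T09:14:02Z 10.20.1.57 www.icloud.com. A
2026-05-12T09:14:40Z 10.20.1.57 support-lcloud.xyz. A
2026-05-12T09:15:03Z 10.20.3.11 apple.com-app.lt. A
2026-05-12T09:16:21Z 10.20.3.11 find.my-id.com.es. A
2026-05-12T09:17:09Z 10.20.4.80 findmyfitness.example. A
2026-05-12T09:18:30Z 10.20.4.80 lphone-retained-store.us. A
""".splitlines()
# Constructed domain-age feed: days since each apex was first registered or seen.
DOMAIN_AGE = {"support-lcloud.xyz": 3, "com-app.lt": 12, "my-id.com.es": 6,
              "findmyfitness.example": 900, "lphone-retained-store.us": 2}

if __name__ == "__main__":
    for client, name, why in hunt(SAMPLE_LOG, DOMAIN_AGE):
        print(f"{client:<12} {name:<28} {' '.join(why)}")
```

On the sample log the allowlisted icloud.com query and the 900-day-old findmyfitness.example are left alone, while the four IOC names are flagged with their reasons; the keyword scan still fires on benign strings (note how "map" matches inside "com-app"), which is why keyword-only hits are gated on domain age and why the hypothesis carries a medium FP rating.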

Control Gaps

  • Lack of visibility into personal SMS/WhatsApp messages
  • Inability to prevent users from entering credentials on personal devices

Key Behavioral Indicators

  • DNS queries to domains mimicking Apple Find My services
  • Automated headless browser traffic to Google Safe Browsing reporting endpoints originating from non-standard infrastructure

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Block the provided lookalike domains and known phishing URLs at the corporate firewall and DNS resolvers.

Infrastructure Hardening

  • Evaluate whether corporate MDM policies enforce strict Activation Lock and prevent unauthorized device unenrollment.
  • Consider implementing DNS sinkholing for newly registered domains containing high-risk keywords related to Apple or iCloud.
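A way to act on the two DNS recommendations above (blocking the listed domains at the resolver, sinkholing their subdomains) as an added example, not Infoblox's tooling: it refangs the IOC list as published in the IOC section, validates each entry, refuses anything under a real Apple apex, and emits a BIND Response Policy Zone. The zone name, SOA values, the protected-apex set and the embedded IOC subset are assumptions; the record syntax (a QNAME trigger answered with `CNAME .` for NXDOMAIN, plus a wildcard for everything beneath it) is the standard RPZ format.

```python
"""Build a Response Policy Zone (RPZ) from the defanged IOC domains above.

Added example, not Infoblox's tooling. Zone name, SOA values and the embedded
IOC subset are assumptions; the record syntax (QNAME trigger with CNAME "." for
NXDOMAIN, plus a wildcard for subdomains) is the standard RPZ format BIND loads.
"""
import re

# Subset of the domains from the IOC section, pasted exactly as defanged there,
# plus the threat actor's API URL to show that non-domain lines are rejected.
IOC_ENTRIES = [
    "viewlocation[.]app",
    "find-your-phone[.]help",
    "apple[.]com-app[.]lt",
    "support-lcloud[.]xyz",
    "icloud[.]sa[.]com",
    "find[.]my-id[.]com[.]es",
    "smartthingsfind-samsung[.]com",
    "hxxps://iremoval[.]app/app/webroot/clean_domain/data_domain.php",
]
# Apexes that must never land in a block zone, even when pasted by mistake.
PROTECTED_APEX = {"apple.com", "icloud.com", "me.com", "mac.com"}
LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
DOMAIN_RE = re.compile(rf"^(?:{LABEL}\.)+[a-z]{{2,63}}$")


def refang(entry: str) -> str:
    """Undo the usual defanging: [[.]] or [.] for dots, hxxp(s) for the scheme."""
    return (entry.strip().lower()
            .replace("[[.]]", ".").replace("[.]", ".").replace("(.)", ".")
            .replace("hxxps://", "https://").replace("hxxp://", "http://"))


def normalize_domains(entries):
    """Return (accepted, skipped): clean unique hostnames, and rejected lines with a reason."""
    accepted, skipped, seen = [], [], set()
    for raw in entries:
        name = refang(raw).rstrip(".")
        if "://" in name or "/" in name:
            skipped.append((raw, "URL, not a bare domain"))
        elif not DOMAIN_RE.match(name):
            skipped.append((raw, "not a valid hostname"))
        elif any(name == p or name.endswith("." + p) for p in PROTECTED_APEX):
            skipped.append((raw, "under a protected Apple apex"))
        elif name not in seen:
            seen.add(name)
            accepted.append(name)
    return accepted, skipped


def build_rpz(entries, zone="rpz.lookalike.example", serial=2026051401, ttl=300) -> str:
    """Zone text answering NXDOMAIN for each domain and everything beneath it."""
    domains, _skipped = normalize_domains(entries)
    lines = [f"$TTL {ttl}", f"$ORIGIN {zone}.",
             f"@ IN SOA localhost. hostmaster.localhost. ({serial} 3600 600 86400 {ttl})",
             "@ IN NS localhost."]
    for d in domains:
        lines.append(f"{d} CNAME .")    # QNAME trigger: rewrite to NXDOMAIN
        lines.append(f"*.{d} CNAME .")  # and any label beneath it
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_rpz(IOC_ENTRIES), end="")
    for raw, why in normalize_domains(IOC_ENTRIES)[1]:
        print(f"; skipped {raw}: {why}")
```

Write the output to a zone file, reference it from BIND with `response-policy { zone "rpz.lookalike.example"; };`, and bump the serial on every regeneration so secondaries pick up the change; the URL entry is reported as skipped rather than silently turned into a hostname, because the actor's iremoval[.]app endpoint is a different decision (C2-style infrastructure) from the phishing domains that the user-facing block is meant to cover.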

User Protection

  • If applicable, ensure corporate mobile devices are enrolled in an MDM solution that can track and lock lost devices independently of consumer iCloud accounts.

Security Awareness

  • Educate employees about the risks of smishing, specifically warning them that Apple will never send SMS messages with links to locate a lost device.
  • Instruct users to only use the official 'Find My' app or iCloud.com directly when attempting to locate a lost or stolen device.

MITRE ATT&CK Mapping

  • T1566.002 - Phishing: Spearphishing Link
  • T1566.003 - Phishing: Spearphishing via Service
  • T1583.001 - Acquire Infrastructure: Domains
  • T1589.002 - Gather Victim Identity Information: Email Addresses
  • T1531 - Account Access Removal

Additional IOCs

  • Domains:
    • viewlocation[.]app - Apple lookalike phishing domain.
    • find-your-phone[.]help - Apple lookalike phishing domain.
    • findyourphone[.]help - Apple lookalike phishing domain.
    • apple[.]com-app[.]lt - Apple lookalike phishing domain.
    • applemap[.]us - Apple lookalike phishing domain.
    • applesupporter[.]us - Apple lookalike phishing domain.
    • smartthingsfind-samsung[.]com - Samsung lookalike phishing domain.
    • navigate-to-location[.]me - Apple lookalike phishing domain.
    • lphone-retained-store[.]us - Apple lookalike phishing domain.
    • view-location[.]app - Apple lookalike phishing domain.
    • photos-sharing[.]in - Apple lookalike phishing domain.
    • find[.]my-id[.]com[.]es - Apple lookalike phishing domain.
    • apple[.]connect-app[.]info - Apple lookalike phishing domain.
    • support-lcloud[.]xyz - Apple lookalike phishing domain.
    • icloud-f[.]com - Apple lookalike phishing domain.
    • mapsfind[.]info - Apple lookalike phishing domain.
    • locate-it-now[.]net - Apple lookalike phishing domain.
    • apple-mylocation[.]info - Apple lookalike phishing domain.
    • applebrasil[.]info - Apple lookalike phishing domain.
    • icloud[.]sa[.]com - Apple lookalike phishing domain.
    • phone[.]xuidns[.]pw - Apple lookalike phishing domain.
  • Urls:
    • hxxps://iremoval[.]app/app/webroot/clean_domain/data_domain.php - API endpoint used by the threat actor's script to fetch domains for Google Safe Browsing evasion.