{"id":13609,"date":"2026-05-14T03:00:18","date_gmt":"2026-05-14T10:00:18","guid":{"rendered":"https:\/\/www.infoblox.com\/blog\/?p=13609"},"modified":"2026-05-14T03:01:10","modified_gmt":"2026-05-14T10:01:10","slug":"lookalike-domains-expose-the-iphone-theft-economy","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/lookalike-domains-expose-the-iphone-theft-economy\/","title":{"rendered":"Lookalike Domains Expose the iPhone Theft Economy"},"content":{"rendered":"

Authors: Ma\u00ebl Le Touz, Elena Puga<\/strong><\/p>\n

Executive Summary<\/h3>\n

Modern smartphones are extremely secure and can be remotely locked and turned into a worthless brick if they are stolen. iPhones in particular can be remotely secured using a feature called Activation Lock<\/a>, preventing all future use in case the device is stolen. Even individual components can be locked by the owner.<\/p>\n

And yet, iPhones are stolen … a lot. Figures indicate over 7.35 million are stolen in the United States yearly<\/a>. So, how do the thieves monetize them?<\/p>\n

After a friend reached out for help, we discovered a thriving underground marketplace, organized on Telegram, focused on one thing: unlocking high-end phones\u2014mostly iPhones. By combining technical tooling and social engineering, thieves now have a way to unlock devices at scale and make phone theft profitable.<\/p>\n

These so-called “unlocking tools” create a market for stolen phones by allowing anyone with a pulse to try to turn a bricked “lost or stolen” device into easy money.<\/p>\n

Despite the fact that there are no publicly disclosed vulnerabilities for late model iPhones, threat actors use clever techniques to convince the owner to enter their passcode. SMS phishing (smishing) is one of them, and our DNS telemetry shows steadily growing and persistent activity.<\/p>\n

We initially assumed thieves would be interested in the phone’s data. Those devices, after all, hold potentially priceless personal and corporate information. Interestingly, we discovered the opposite. Thieves are after a quick buck, and the value of the data is secondary to the value of the hardware. It seems like their phishing domains are often detected, and some of the tools sold in these forums contain mechanisms to detect DNS blocks and automatically request delisting from Google Safe Browsing.<\/p>\n

This paper will detail how, by analyzing DNS clusters, we were able to pivot from an initial text to reveal a thriving marketplace enabling and ultimately driving phone theft. We will then explain how this underground economy functions and how smishing is only one tool in the toolbox they use to gain access to stolen phones.<\/p>\n

From Smishing to Panels<\/h4>\n

When somebody loses access to their iPhone, they can set a message on the locked screen, directing the finder to contact a specific phone number to return the device. See Figure 1. Users will usually choose their spouse\u2019s or parent’s phone number. It’s this helpful feature that offers the scammers a way to reach out to the phone\u2019s owner and manipulate them into unlocking it.<\/p>\n

<\/p>\n

Figure 1. Lost iPhone displaying a contact number<\/p>\n

This is how one of our friends was contacted when their iPhone was stolen in Asia. Shortly afterwards, they received a text with a link to a URL hosted on applemaps-support[.]live.<\/p>\n

Lookalike domains targeting Apple are nothing new: we detect over 800,000 a year. But the timing of the text was suspicious, and whoever sent the message clearly had the device in their possession.<\/p>\n

At first glance, the page on applemaps-support[.]live closely resembles the real Apple Findmy page, but this is of course a decoy\u2014the website is not operated by Apple. The phone appeared to be moving on the spoofed map (see Figure 2) but before we could do anything else, a pop-up appeared asking for the PIN code to unlock the phone. Had our friend given their passcode, the thief would have immediately gained full control of the device.<\/p>\n

\n