- I was visiting Mexico and (almost) got defrauded, compromised, whatever you want to call it. Here's how:
- --------------------
- Summary
- --------------------
- - Walking down street
- - Transvestite puts arms around me
- - Quickly pushed it away
- - Realized about a minute after that it pick-pocketed my iPhone and ran to chase it down. It let me pat them down but no phone. Must have passed it off to someone else in that short time period. Phone case had my ID and credit card.
- - I quickly canceled my credit card and marked my phone as lost on FindMyPhone
- - Had my personal email address compromised and password changed. They briefly had access to my SMS on my locked screen notification window until I disabled SMS with Verizon. They used SMS to gain access to my account and change the password.
- - I was able to recover my gmail account with backup codes.
- - I discovered where they signed in from (details). It was in Playa del Carmen, Quintana Roo, Mexico (where my phone got stolen) on January 4, 4:12 PM, from IP address 187.252.94.69, Windows Device, Browser Chrome 47.0
- - They then tried phishing my iCloud credentials (see one of the phishing emails below). The link is now expired, but it went to a page that was a clone of the iCloud login page. From "supports@iserver.com" claiming to be Apple Support
- -- The link went to http://lcloud.center/E84EF2
- -- The whois information for lcloud.center is below
- -- The email is below
- - I proceeded to get calls from (661)748-0240 in Bakersfield, CA, which I assume is a Skype VoIP number. The caller was a male who barely spoke English. He claimed that "He just bought the phone at a flea market, but the phone is locked, and he will pay $250 to unlock it for me. He just wants to give it to his daughter and will even record himself wiping the phone after" - I kindly declined. The number seems to be frequently used for scams: http://800notes.com/Phone.aspx/1-661-748-0240
- - I also got calls from 18002752273 and Unknown callers
- - I assume this is quite a fraud ring at play
- --------------------
- Sign in location
- --------------------
- Device: Windows
- Time: January 4, 4:12 PM
- Location: Playa del Carmen, Quintana Roo, Mexico
- Browser: Chrome 47.0
- IP address: 187.252.94.69
- --------------------
- Email is from
- --------------------
- from: Support <no-reply@apple.com>
- date: Mon, Jan 4, 2016 at 11:26 PM
- subject: Notificacion
- mailed-by: mailing.rulerhost.net
- signed-by: rulerhost.net
- --------------------
- Phishing email
- --------------------
- SUBJECT: Apple Notificacion
- BODY:
- iPhone 6s Plus Rose Gold has been found today .
- iPhone 6s Plus Rose Gold last known location will be available for 24 hours.
- See Location [link to http://lcloud.center/E84EF2 which is now inactive]
- iCloud is an Apple Service. My Apple ID | Support | Terms and Conditions | Privacy Policy
- Copyright © 2013 Apple Inc. 1 Infinite Loop, Cupertino, CA 95014, United States. All rights reserved.
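As an added defender-side example (not part of the original paste), a small Python triage of the headers and link quoted above: the From: domain is compared with the mailed-by/signed-by infrastructure, and the link host is folded through a confusable-character table so that lcloud.center is recognised as an icloud.com lookalike. The registrable-domain helper and the brand allowlist are simplifying assumptions of mine.

```python
import re
from urllib.parse import urlparse

# Sample input copied from the email quoted in the paste
SAMPLE = {
    "from": "Support <no-reply@apple.com>",
    "mailed_by": "mailing.rulerhost.net",
    "signed_by": "rulerhost.net",
    "links": ["http://lcloud.center/E84EF2"],
}
BRAND_DOMAINS = {"apple.com", "icloud.com"}  # assumed allowlist of the recipient's brands
CONFUSABLES = {"l": "i", "1": "i", "0": "o", "rn": "m", "vv": "w"}  # look-alike characters

def registrable(host):
    """Last two labels of a hostname (assumed simplification, no public-suffix list)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])

def from_domain(header):
    m = re.search(r"@([\w.-]+)", header)
    return m.group(1).lower() if m else ""

def sender_mismatch(msg):
    """True when the From: domain is not the infrastructure that mailed and signed it."""
    claimed = registrable(from_domain(msg["from"]))
    return claimed not in {registrable(msg["mailed_by"]), registrable(msg["signed_by"])}

def canonical(label):
    """Fold confusable characters so 'lcloud' and 'icloud' compare equal."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def lookalike_brand(host):
    """Brand domain that a link host imitates once confusables are folded, else None."""
    reg = registrable(host)
    for brand in BRAND_DOMAINS:
        if reg != brand and canonical(reg.split(".")[0]) == canonical(brand.split(".")[0]):
            return brand
    return None

def triage(msg):
    """Findings for one message: the two checks that would have caught the email above."""
    findings = []
    if sender_mismatch(msg):
        findings.append(f"From {from_domain(msg['from'])} but mailed/signed by {msg['signed_by']}")
    for url in msg["links"]:
        host = urlparse(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            findings.append(f"link host {host} imitates {brand}")
    return findings
```

Running `triage(SAMPLE)` yields one finding for the forged sender and one for the lookalike link host.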
- --------------------
- Email 2 after they saw I clicked
- --------------------
- Dear [MY NAME].
- We read your letter.. u can log into that site to retrieve location for you device. in case u don't want to verify the location just dismiss that email. location will be available for the next 24 hrs
- Apple Support
- --------------------
- Whois information of lcloud.center
- --------------------
- Domain Name: lcloud.center
- Domain ID: 05360674a6c944a19f7190b3d9e3df92-DONUTS
- WHOIS Server: whois.registrar.eu
- Referral URL: http://www.registrar.eu
- Updated Date: 2015-12-04T01:09:35Z
- Creation Date: 2015-10-08T03:18:31Z
- Registry Expiry Date: 2016-10-08T03:18:31Z
- Sponsoring Registrar: Registrar.eu
- Sponsoring Registrar IANA ID: 1647
- Domain Status: clientTransferProhibited https://www.icann.org/epp#clientTransferProhibited
- Registrant ID: pp904129mx3798
- Registrant Name: Proteccion Privacidad
- Registrant Organization: RulerHost
- Registrant Street: Calle Gema No 32 U. Habitac
- Registrant City: Tizayuca
- Registrant State/Province: Hidalgo
- Registrant Postal Code: 43800
- Registrant Country: MX
- Registrant Phone: +52.5514642471
- Registrant Phone Ext:
- Registrant Fax:
- Registrant Fax Ext:
- Registrant Email: privacidad@rulerhost.net
- Admin ID: pp904129mx3798
- Admin Name: Proteccion Privacidad
- Admin Organization: RulerHost
- Admin Street: Calle Gema No 32 U. Habitac
- Admin City: Tizayuca
- Admin State/Province: Hidalgo
- Admin Postal Code: 43800
- Admin Country: MX
- Admin Phone: +52.5514642471
- Admin Phone Ext:
- Admin Fax:
- Admin Fax Ext:
- Admin Email: privacidad@rulerhost.net
- Tech ID: pp904129mx3798
- Tech Name: Proteccion Privacidad
- Tech Organization: RulerHost
- Tech Street: Calle Gema No 32 U. Habitac
- Tech City: Tizayuca
- Tech State/Province: Hidalgo
- Tech Postal Code: 43800
- Tech Country: MX
- Tech Phone: +52.5514642471
- Tech Phone Ext:
- Tech Fax:
- Tech Fax Ext:
- Tech Email: privacidad@rulerhost.net
- Name Server: cns49293.hostwindsdns.com
- Name Server: cns49292.hostwindsdns.com
- DNSSEC: unsigned
- >>> Last update of WHOIS database: 2016-01-07T22:35:42Z <<<
- --------------------
- Whois for rulerhost.net
- --------------------
- Domain Name: rulerhost.net
- Registry Domain ID:
- Registrar WHOIS Server: whois.registrar.eu
- Registrar URL: http://www.registrar.eu
- Updated Date: 2015-11-08T08:29:28Z
- Creation Date: 2013-12-17T17:37:56Z
- Registrar Registration Expiration Date: 2016-12-17T17:37:56Z
- Registrar: Hosting Concepts B.V. d/b/a Openprovider
- Registrar IANA ID: 1647
- Registrar Abuse Contact Email: abuse@registrar.eu
- Registrar Abuse Contact Phone: - (use e-mail)
- Registry Registrant ID: EG905005-MX
- Registrant Name: Edgar Alan Guerrero Montejo
- Registrant Organization: RulerHost
- Registrant Street: Calle Gema No 32
- Registrant City: Tizayuca
- Registrant State/Province:
- Registrant Postal Code: 43800
- Registrant Country: MX
- Registrant Phone: +52.5569535187
- Registrant Phone Ext:
- Registrant Fax:
- Registrant Fax Ext:
- Registrant Email: alan@rulerhost.net
- Registry Admin ID: EG905005-MX
- Admin Name: Edgar Alan Guerrero Montejo
- Admin Organization: RulerHost
- Admin Street: Calle Gema No 32
- Admin City: Tizayuca
- Admin State/Province:
- Admin Postal Code: 43800
- Admin Country: MX
- Admin Phone: +52.5569535187
- Admin Phone Ext:
- Admin Fax:
- Admin Fax Ext:
- Admin Email: alan@rulerhost.net
- Registry Tech ID: EG905005-MX
- Tech Name: Edgar Alan Guerrero Montejo
- Tech Organization: RulerHost
- Tech Street: Calle Gema No 32
- Tech City: Tizayuca
- Tech State/Province:
- Tech Postal Code: 43800
- Tech Country: MX
- Tech Phone: +52.5569535187
- Tech Phone Ext:
- Tech Fax:
- Tech Fax Ext:
- Tech Email: alan@rulerhost.net
- Name Server: ruler02.rulerhost.net
- Name Server: ruler01.rulerhost.net
- DNSSEC: unsigned
- --------------------
- Pseudo information of fraudster
- --------------------
- Edgar Alan Guerrero Montejo
- alan@rulerhost.net
- Calle Gema No 32
- Tizayuca, Mexico, 43800
- +52.5569535187
- --------------------
- Takeaways
- --------------------
- - Don't let random people touch you
- - Don't show messages on locked screen (Settings > Notifications > Show on Lock Screen > Off)
- - Auto delete phone after 10 failed passcode attempts (Settings > Touch ID & Passcode > Erase Data > On)
- - Require 2 factor everywhere possible
- - Use authenticators when possible, not SMS
- - Use a PIN at least 6 digits/characters long
- - Both mark phone as lost with Apple and your carrier (ex. Verizon)
- - Have backup codes and store in a secure location
- - Check that your email accounts don't have forwarding addresses afterwards
- - Use PixelBlock https://chrome.google.com/webstore/detail/pixelblock/jmpmfcjnflbcoidlgapblgpgbilinlem?hl=en
- - Generally don't click on most links :)
- --------------------
- Closing
- --------------------
- Hope this is helpful. If anyone wants to continue the digging, please be my guest!