


Thieves Busted After Stealing a Cellphone from a Security Expert's Wife (elpais.com)
They stole a woman's phone in Barcelona. Unfortunately, her husband was security consultant/penetration tester Martin Vigo, reports Spain's newspaper El Pais.
"His weeks-long investigation coincided with a massive two-year police operation between 2022 and 2024 in six countries where 17 people were arrested: Spain, Argentina, Colombia, Chile, Ecuador, and Peru...." In Vigo's case, the phone was locked and the "Find my iPhone" feature was activated... Once stolen, the phones are likely wrapped in aluminum foil to prevent the GPS from tracking their movements. "Then they go to a safe house where they are gathered together and shipped on pallets outside of Spain, to Morocco or China." This international step is vital to prevent the phone from being blocked if the thieves try to use it again. Carriers in several European countries share lists of the IMEIs (unique numbers for each device) of stolen devices so they can't be used. But Morocco, for example, doesn't share these lists. There, the phone can be reconnected...
With hundreds or thousands of stored phones, another path begins: "They try to get the PIN," says Vigo. Why the PIN? Because with the PIN, you can change the Apple password and access the device's content. The gang had created a system to send thousands of text messages like the one Vigo received. To know who to target with the bait message, the police say, "the organization performed social profiling of the victims, since, in many cases, in addition to the phone, they also had the victim's personal belongings, such as their ID." This is how they obtained the phone numbers to send the malicious SMS...
Each victim received a unique link, and the server knew which victim clicked it... With the first click, the attackers would redirect the user to a website they believed was credible, such as Apple's real iCloud site... [T]he next day you receive another text message, and you click on it, more confidently. However, that link no longer redirects you to the real Apple website, but to a flawless copy created by the criminals: that's where they ask for your PIN, and without thinking, full of hope, you enter it... "The PIN is more powerful than your fingerprint or face. With it, you can delete the victim's biometric information and add your own to access banking apps that are validated this way," says Vigo. Apple Wallet asks you to re-authenticate, and then everything is accessible...
In the press release on the case, the police explained that the gang allegedly used a total of 5,300 fake websites and illegally unlocked around 1.3 million high-end devices, about 30,000 of them in Spain.
Vigo tells El Pais that if the PIN doesn't unlock the device, the criminal gang then sends it to China to be "dismantled and then sent back to Europe for resale. The devices are increasingly valuable because they have more advanced chips, better cameras, and more expensive materials."
To render the phone untraceable in China, "they change certain components and the IMEI. It requires a certain level of sophistication: opening the phone, changing the chip..."
Ambiguous wording... (Score:5, Interesting)
However the article does not make it clear at all that the arrests were actually the result of the security researcher's actions.
Re: (Score:3)
It doesn't look like he actually did anything.
Vigo tried to find out who was behind [the PIN-stealing system], but he only got as far as a woman he believed to be Ukrainian, and he didn’t know if she was another victim or part of the gang.
Re: (Score:1, Troll)
if it's good enough for a fluff article in the "technology" section of msm, it's good enough for /. in 2025.
Re: (Score:3)
Re: (Score:2)
social engineering is way cheaper than state of the art cybersecurity, these guys can make good money with the low hanging fruit but don't have the huge amount of money and insider information that intelligence services have. given enough of that all phones can be hacked, and are actually being hacked.
Re:Ambiguous wording... (Score:4, Informative)
That tweet also links to a podcast episode where he discusses it in more detail - but it's in Spanish.
Interesting...but.... (Score:3)
It seems like an awful lot of work to make a used, stolen phone usable. I understand it is more if they actually get someone's PIN.
In any event, these are some hardworking thieves. Imagine if they could be bothered to put their intellect and work ethic into more legal activities! They could really do some nice work.
Re:Interesting...but.... (Score:5, Informative)
I'm all for tariff-bashing but the police investigation took place between 2022 and 2024 ...
Re: (Score:2)
It's relevant because while tariffs will probably make the problem worse they did not cause the problem seeing as it existed before the tariffs.
Re: (Score:2)
I'm all for tariff-bashing but the police investigation took place between 2022 and 2024 ...
It's called presentism. Applying whatever a person is pissed off today, to all time.
The belief that only current phenomena are relevant.
Interpreting past phenomena in terms of current beliefs and knowledge.
It's weird, but it's a real thing.
Re: Interesting...but.... (Score:2, Funny)
Does presentism piss you off, today?
Re: (Score:3)
Does presentism piss you off, today?
No, but I'm really angry about next week! And 10 months ago.
Re: (Score:1)
Prostitution.
Re: (Score:2)
Re: (Score:3)
Re: (Score:2)
That's fair, I get that. But those people are hard working too.
Re: (Score:2)
Some folks would rather work harder at not having to work than to just get a regular job. For some it seems to be the thrill of doing nefarious things. For others I guess they make their own hours and just get by.
Re: (Score:2)
Some folks would rather work harder at not having to work than to just get a regular job. For some it seems to be the thrill of doing nefarious things. For others I guess they make their own hours and just get by.
It does seem like a royal pain in the backside to go to all that trouble. I guess it is modeled after the thieves who break into people's houses and steal the copper wires and pipe.
Re: (Score:2)
Except going through so many intermediaries has the same problem as it does in legitimate life - everyone wants their cut. Stolen phones have to get sent to China which costs money, the people doing the programming and disassembly want their cut and in the end the margins get thinner and thinner.
If you think the App Store fees a
Re: (Score:2)
I sport an iPhone 12 Mini - if these thieves steal my phone I may just get it back. They'll just probably toss it in a dumpster.
Re: (Score:2)
Re: (Score:2)
For one phone, yes, 'tis a lot of work. For 30,000+ in Spain and many more elsewhere, it pays.
Re: (Score:2)
Well, I was referring to the whole enterprises as a business, not just the ones doing the physical work.
Original in Spanish (Score:2)
https://elpais.com/tecnologia/... [elpais.com]
Where's the story (Score:5, Informative)
Thieves Busted After Stealing a Cellphone from a Security Expert's Wife
and
His weeks-long investigation coincided with a massive two-year police operation between 2022 and 2024 in six countries where 17 people were arrested: Spain, Argentina, Colombia, Chile, Ecuador, and Peru...
There is apparently nothing about what Martin Vigo did that had an impact on the police investigation or anything about what the police investigation comprised. His investigation and the police bust were totally coincidental (as stated in the submission), whereas the headline implies a causation. There is really no good reason to involve the police investigation in this at all, although that is not the Slashdot editor's fault.
The article should rightfully have a headline along the lines of "Security expert investigates how stolen phones are prepared for resale" instead.
Re: Where's the story (Score:2)
Heh. Headline is true in the same way as "Woman gets pregnant after eating at Arby's."
Re: (Score:2)
Post hoc ergo propter hoc. It's what's for breakfast, kids.
Once upon a time, journalists learned not to fall for that kind of fallacy, and took pride in not perpetrating it. Now, it's an indispensable part of writing clickbait.
Re: (Score:2)
Damn! If I would have known she was that easy, I wouldn't have taken her out to Canlis.
Block the IMEI number .. (Score:3)
Re: (Score:2)
“Here you can read how to report your device as lost / stolen on IMEI.info BLACKLIST [imei.info].”
Because someone who steals a phone will never lower themselves to selling something they know doesn't work.
Plus this little nugget:
As a result, your device won't operate in the country in which it was registered
That means they can just send the stolen phones overseas... That's where most of the UK's stolen cars go, no point in chopping them up here when someone in Bulgaria will buy them whole no questions asked. Phones are a lot easier to move. Maybe this might stretch between the US and Canada or UK and EU but as mentioned, phones are easy to move and crims have no compunction sel
Try the common PINs first (Score:2)
Focus on industrial harvesters in China (Score:4, Interesting)
If the thieves don't have industrial scale partners to "launder" the phones, they become worthless.
It's very difficult to do anything at that scale in China without the government being complicit. That trail shouldn't be particularly hard to follow, but nobody seems willing to confront the obvious corruption problem and government complicity in the criminal behavior.
Re:Focus on industrial harvesters in China (Score:4, Insightful)
More powerful ... (Score:1)
Wonder if this can make more secure phones... (Score:3)
What would be interesting is the ability to consider adding more functions to combat this. For example, the option where if a phone is not used in "x" amount of time, it auto-erases itself, and won't allow unlocking until it gets a GPS signal with time and date. Maybe even add geoblocking, where if the phone is turned on and notices it is in Lower Elbonia, it erases itself. Of course, GPS can be spoofed, but this is a way to further add another roadblock.
The ultimate would be e-Fuses. Get to a level of certainty that a device is definitely stolen, start popping those to ensure that critical components cannot and will not be able to be used again. It also wouldn't hurt to have e-fuses on the SSD controller to guarantee that there will be no way to ever pull the encryption key out, combined with voltage doing a TRIM on the SSD, ensuring all data has been overwritten.
Re: (Score:2)
I was thinking along similar lines. Apple needs to implement "remote brick" that pops internal fuses and wipes the storage. Make it a valueless slab of silicon and metal.
Re: (Score:2)
Maybe take it up one more step... have it intermittently working? Good enough to part out and sell... but then have it fail shortly after it winds up in other hardware. This way, whomever resold the components is on the hook for selling faulty hardware. For the SSD, just have it quietly go into read-only mode, where the user can get their data, but the effective usefulness of the hardware is zero.
Not a Security expert then. (Score:2)
Can you call a person a security expert who fails to secure their devices from thieves?