Stolen apple id phishing

lkovacic · July 4, 2020, 7:58pm

Hello,

Someone stole my iphone and now they are phishing for my apple-id.
They are using SSL generated by letsencrypt and my question is can I get any info on them, here’s the URL: https://apple.com-il.space

Thanks

Rip · July 4, 2020, 8:09pm

I suggest you get on iCloud and disable your account. EDIT: unless someone has already changed your credentials.

The link you provided does a 302 temporary redirect to https://icloud.com. Use apple’s “locate my” features if enabled and notify the authorities.

Rip

lkovacic · July 4, 2020, 8:12pm

No,
It will redirect when you go from other browser than safari.

I’ve done all the stuff regarding iPhone, my question was just, have they left any information about themselves when they have generated SSL certificate.

Usually you have name, first name address etc.

Osiris · July 4, 2020, 8:21pm

No, Let's Encrypt doesn't require that information to get a domain validation certificate. It doesn't even require an e-mail address, that's optional.

BenSjoberg · July 4, 2020, 8:32pm

Let’s Encrypt only requires proof that the user controls the domain in question. It’s totally automated and free. The better people to contact would be the web host or the domain registrar, since those usually at least require payment.

lkovacic · July 4, 2020, 8:37pm

Thanks,
I’ve contacted them already, just was curious about certificate.

Here’s the ssl btw:

openssl s_client -connect apple.com-il.space:443 -showcerts
CONNECTED(00000005)
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 CN = .perevozka-lezhachih-bolnyh.ru
verify return:1
—
Certificate chain
0 s:/CN=.perevozka-lezhachih-bolnyh.ru
i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
-----BEGIN CERTIFICATE-----
MIIG9TCCBd2gAwIBAgIMOvFueWtJ86cFdHfiMA0GCSqGSIb3DQEBCwUAMEwxCzAJ
BgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYDVQQDExlB
bHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcyMB4XDTIwMDcwMjA4MDMzNloXDTIxMDcw
MzA4MDMzNlowKjEoMCYGA1UEAwwfKi5wZXJldm96a2EtbGV6aGFjaGloLWJvbG55
aC5ydTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAM6LW/zyqtUtaxJd
nYIFXa/1gGwT2IoacBaqdUqyedOn4mxf++Q2Tbj3S1UUI6om5VJSaT5QtDIhl1QL
Du+TR7p6XsumPI/abCInuH5iZWP0XGhvQFj7ar8/qY8+I/MmdsH+1+WzGiP8/r95
/KZUIRihZYE/s9QlSJcyDk69iX7mjJGt/hcYmBHLl2Ky6oU0WxSIZ432KMM3fZbr
Tz+AnH3p++/HDYXU2Pr8wvMxEDrgvzZTgnY+rPmcquVHErhH1aMYjL5c3ky4N4u/
FDtsGaJsUMkS+QiL/wix1dzCEacE/NKuS/W1ShmGF8YaQyqmYuy/hBh+MDUP1wMU
C/1cAFNR9xhu9tmRu9lCuAvLgY05BVQ7ihKZicmFGkvqgkW5e20oX2O1zNOt5pPm
hw9/RQhsa/8OLtakBVQeKlCe+0rOExEBnGu5UNgmjhzQkDBBWy6ZpXslF8RjouHT
rDO1cho1/Rxo2hyicAF+p0DR8k/qZ5nYmuAZnXoBNPcMkkewzT5Vz1FYapsXr7Yy
LwgT/uNJEehU9KVItz7bTHC+9dviIwUIkxE5wUNZgEivlPeL6H61xYWXy9E3+Tx1
9T1JWzj1cSzUYHOr9AxLvXAoUfahozvTKjzFIEK+5IrG9IlGK11c7fiYDXMDTwIA
V7H/mPYedNHRI8jNH3CiUSYldwg3AgMBAAGjggL3MIIC8zAOBgNVHQ8BAf8EBAMC
BaAwgYkGCCsGAQUFBwEBBH0wezBCBggrBgEFBQcwAoY2aHR0cDovL3NlY3VyZTIu
YWxwaGFzc2wuY29tL2NhY2VydC9nc2FscGhhc2hhMmcycjEuY3J0MDUGCCsGAQUF
BzABhilodHRwOi8vb2NzcDIuZ2xvYmFsc2lnbi5jb20vZ3NhbHBoYXNoYTJnMjBX
BgNVHSAEUDBOMEIGCisGAQQBoDIBCgowNDAyBggrBgEFBQcCARYmaHR0cHM6Ly93
d3cuZ2xvYmFsc2lnbi5jb20vcmVwb3NpdG9yeS8wCAYGZ4EMAQIBMAkGA1UdEwQC
MAAwPgYDVR0fBDcwNTAzoDGgL4YtaHR0cDovL2NybDIuYWxwaGFzc2wuY29tL2dz
L2dzYWxwaGFzaGEyZzIuY3JsMEkGA1UdEQRCMECCHyoucGVyZXZvemthLWxlemhh
Y2hpaC1ib2xueWgucnWCHXBlcmV2b3prYS1sZXpoYWNoaWgtYm9sbnloLnJ1MB0G
A1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAWgBT1zdU8CFD5
ak86t5faVoPmadJo9zAdBgNVHQ4EFgQUpqREBpsrt/l8wj3i1uLu47ARY/IwggEF
BgorBgEEAdZ5AgQCBIH2BIHzAPEAdgDuwJXujXJkD5Ljw7kbxxKjaWoJe0tqGhQ4
5keyy+3F+QAAAXMOjXtgAAAEAwBHMEUCIQCum6fVcAidaVVrufH/vbGD3lfONfj4
5+FkDoo3FruP9wIgK5usWtO+TiMzh0W3TEGLP497f35c1zKl4XVknx9qci0AdwD2
XJQv0XcwIhRUGAgwlFaO400TGTO/3wwvIAvMTvFk4wAAAXMOjXzQAAAEAwBIMEYC
IQDBWp47ldNmnTSE6MScTiP4dFKPRLxctPPWi09hmJoiQgIhAOplc+22sjUqhg7D
nEvKQtu0TRcjE8vT26nE9dC7qqgQMA0GCSqGSIb3DQEBCwUAA4IBAQA2Fjw5cMJH
xcQ4M5oo+kuSjTljxLhDnnbEg3Dl3ugQrJ0aMBoMW3ATvdYX57A6+V2rMdtmdxSM
WvS6HpXDwZipP1i68vF0xnlIxu1tliDDS1r5c9MeCHoNsAlzR0XoH1pySNylYVB7
7DuO9BPtAFXQwL2E2NIfzrzzPJhgZvu3WydC13jweLQILUxjlWdGnK68srpUQIq7
s1hiRDVxsxTQqLG5asQ4Me/Q8INKJGvWGjrdNjm+e1T437breFD8bD4DMPq+lyeQ
dkOvkjDg6F47KfrG1/bnc2fU5+BSCl6bf1BBJQ9NkRNMkdVwJxTNBfKPmWXvTX5S
bFxI3Z5wY5Qa
-----END CERTIFICATE-----
1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
-----BEGIN CERTIFICATE-----
MIIETTCCAzWgAwIBAgILBAAAAAABRE7wNjEwDQYJKoZIhvcNAQELBQAwVzELMAkG
A1UEBhMCQkUxGTAXBgNVBAoTEEdsb2JhbFNpZ24gbnYtc2ExEDAOBgNVBAsTB1Jv
b3QgQ0ExGzAZBgNVBAMTEkdsb2JhbFNpZ24gUm9vdCBDQTAeFw0xNDAyMjAxMDAw
MDBaFw0yNDAyMjAxMDAwMDBaMEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9i
YWxTaWduIG52LXNhMSIwIAYDVQQDExlBbHBoYVNTTCBDQSAtIFNIQTI1NiAtIEcy
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2gHs5OxzYPt+j2q3xhfj
kmQy1KwA2aIPue3ua4qGypJn2XTXXUcCPI9A1p5tFM3D2ik5pw8FCmiiZhoexLKL
dljlq10dj0CzOYvvHoN9ItDjqQAu7FPPYhmFRChMwCfLew7sEGQAEKQFzKByvkFs
MVtI5LHsuSPrVU3QfWJKpbSlpFmFxSWRpv6mCZ8GEG2PgQxkQF5zAJrgLmWYVBAA
cJjI4e00X9icxw3A1iNZRfz+VXqG7pRgIvGu0eZVRvaZxRsIdF+ssGSEj4k4HKGn
kCFPAm694GFn1PhChw8K98kEbSqpL+9Cpd/do1PbmB6B+Zpye1reTz5/olig4het
ZwIDAQABo4IBIzCCAR8wDgYDVR0PAQH/BAQDAgEGMBIGA1UdEwEB/wQIMAYBAf8C
AQAwHQYDVR0OBBYEFPXN1TwIUPlqTzq3l9pWg+Zp0mj3MEUGA1UdIAQ+MDwwOgYE
VR0gADAyMDAGCCsGAQUFBwIBFiRodHRwczovL3d3dy5hbHBoYXNzbC5jb20vcmVw
b3NpdG9yeS8wMwYDVR0fBCwwKjAooCagJIYiaHR0cDovL2NybC5nbG9iYWxzaWdu
Lm5ldC9yb290LmNybDA9BggrBgEFBQcBAQQxMC8wLQYIKwYBBQUHMAGGIWh0dHA6
Ly9vY3NwLmdsb2JhbHNpZ24uY29tL3Jvb3RyMTAfBgNVHSMEGDAWgBRge2YaRQ2X
yolQL30EzTSo//z9SzANBgkqhkiG9w0BAQsFAAOCAQEAYEBoFkfnFo3bXKFWKsv0
XJuwHqJL9csCP/gLofKnQtS3TOvjZoDzJUN4LhsXVgdSGMvRqOzm+3M+pGKMgLTS
xRJzo9P6Aji+Yz2EuJnB8br3n8NA0VgYU8Fi3a8YQn80TsVD1XGwMADH45CuP1eG
l87qDBKOInDjZqdUfy4oy9RU0LMeYmcI+Sfhy+NmuCQbiWqJRGXy2UzSWByMTsCV
odTvZy84IOgu/5ZR8LrYPZJwR2UcnnNytGAMXOLRc3bgr07i5TelRS+KIz6HxzDm
MTh89N1SyvNTBCVXVmaU6Avu5gMUTu79bZRknl7OedSyps9AsUSoPocZXun4IRZZ
Uw==
-----END CERTIFICATE-----
—
Server certificate
subject=/CN=.perevozka-lezhachih-bolnyh.ru
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
—
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
—
SSL handshake has read 3778 bytes and written 285 bytes
—
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-CHACHA20-POLY1305
Session-ID: A5FCA2F023B3AAF1F8761C1D7D16C3E008DA12BB361737DE36B8329F20C673EB
Session-ID-ctx:
Master-Key: 97588585E85377372E43C905800EAB50B71CC57682A167E115729302D92F2A2BCCE119F67A047C52C043610EBCD5B424
TLS session ticket lifetime hint: 600 (seconds)
TLS session ticket:
0000 - e3 0e 13 00 2e 82 59 72-9e 25 b7 78 a5 98 96 eb …Yr.%.x…
0010 - 8b 00 6f 6c 18 88 90 ab-85 64 ec 76 1f ac 08 a7 …ol…d.v…
0020 - 40 80 2c 12 42 74 82 48-f6 d2 98 10 d1 49 0c eb @.,.Bt.H…I…
0030 - e9 61 3c fe 8b da 45 e8-e3 b5 a3 2c b9 cf 2a 26 .a<…E…,…&
0040 - ca 45 4c c0 c6 61 10 a2-cb 89 01 60 f3 13 b3 70 .EL…a…...p 0050 - 46 bb 4b 19 d4 5a ba 93-a4 f8 d1 74 4a de 4d f5 F.K..Z.....tJ.M. 0060 - 7c 60 dd 7e 46 65 cf c6-eb 4b 56 cb ed 5e 7e fb |.~Fe…KV…^~.
0070 - 66 c6 67 f9 8e 29 a9 13-61 3b f5 b7 db 70 6a 44 f.g…)…a;…pjD
0080 - 18 25 7b 62 38 28 83 1c-f7 cf b4 ea 51 f7 9e 6f .%{b8(…Q…o
0090 - 9d 54 b5 2d 8b 96 b3 3c-75 df 57 f2 f2 1e 7e ce .T.-…<u.W…~.
00a0 - 02 75 0e d6 76 25 98 2f-72 e0 25 2e e2 52 39 48 .u…v%./r.%…R9H

    Start Time: 1593894955
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
closed

Osiris · July 4, 2020, 9:20pm

It's not even a Let's Encrypt certificate what you're showing here?

lkovacic · July 4, 2020, 9:29pm

I don’t know why they are diffrent when I ping for SSL via open ssl, but here you can see the phishing webiste certificate.

Osiris · July 4, 2020, 9:38pm

Even so, nothing to do here. Please also see this FAQ question and answer: FAQ - Let's Encrypt

system · August 3, 2020, 9:38pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.