An interesting in-depth report takes a look into how hackers are using password-phishing kits and fake receipts to remove Apple’s Activation Lock protection on stolen iPhones.

Activation Lock and Find My iPhone are two crucial features that have been very effective in reducing iPhone theft by rendering iCloud-locked devices useless.

Enabling the Find My iPhone feature on your iOS device automatically turns on Activation Lock protection. Activation Lock is designed to prevent anyone else from using your iPhone, iPad, iPod touch or Apple Watch if it’s ever lost or stolen.

Activation Lock requires a user’s iCloud password, even if the device has been wiped clean or restored as new. While some hacks are rather complex and require using a computer that masquerades as an iCloud server, hackers and scammers have gone creative.

Motherboard has the story:

So-called ‘iCloud unlock’ involves a complex supply chain of different scams and cybercriminals. These include using fake receipts and invoices to trick Apple into believing they’re the legitimate owner of the phone, using databases that look up information on iPhones, and social engineering at Apple Stores.

There are even custom phishing kits for sale online designed to steal iCloud passwords from a phone’s original owner.

Tell me more about the phishing kits!

Whereas more generic phishing kits may be used by a hacker for a number of different purposes, perhaps for stealing banking details, email credentials or online accounts in general, these kits are specifically designed to phish iCloud accounts.

The iCloud phishing kits come with templates designed to trick a victim that their iPhone was found. These kits allow a hacker to send SMS messages that appear to come from Apple that could trick a victim into giving up their iCloud credentials.

The kits can even generate fake maps of where the victim’s phone has apparently been discovered to further entice them. The kits keep track of a hacker’s list of targets, provide notifications on successful phishes and some require next to no technical setup, according to tutorial videos on how to use them.

Once an unsuspecting user’s iCloud password has been stolen using the methods described above, the password can be entered when prompted to remove Activation Lock.

The iCloud phishing kits start at just $75.

Another method involves a trip to an Apple Store, where a Genius can override iCloud provided you trick them into unlocking a device you don’t own.

Mick Ventocilla, owner of Lakeshore Tech Repair:

You formulate a fake receipt, take it to the Apple Store, and say ‘Hey, I forgot my Apple ID information, but here’s a receipt.’

Ventocilla says he does not try to unlock iCloud but knows many in the repair industry who do. “They remove it. That’s one of the most common ways.” For those wondering, these scammers charge around $150 for a single fake invoice, or a discount if you buy two.

Armed with a legitimate-looking Apple invoice filed with accurate information about the phone such as its IMEI number—a unique, per device identifier code—and its estimated date of purchase, scammers can ask Apple customer support to remove iCloud from the device.

You could even have Apple Support remove Activation Lock via email!

Scammers don’t always need to go into an Apple store to do this—screenshots shared in the invoice chat room show successful iCloud removals by just conversing with Apple support over email. This likely only works with phones that have not been marked as stolen, however.

And then, there’s this method:

The iPhone’s CPU can be removed from the logic board and reprogrammed to create what is essentially a ‘new’ device.

This is very labor intensive and rare.

It is generally done in Chinese refurbishing labs and involves stealing a ‘clean’ phone identification number, called an IMEI.

And here’s that method in action.

Bypassing Activation Lock by reprogramming the iPhone’s CPU

Not all iCloud-locked iPhones are stolen though.

There are many listings on eBay, Craigslist, and wholesale sites for phones billed as ‘iCloud-locked’ or ‘for parts’ or something similar. While some of these phones are almost certainly stolen, many of them are not.

According to three professionals in the independent repair and iPhone refurbishing businesses, used iPhones—including some iCloud-locked devices—are sold in bulk at private ‘carrier auctions’ where companies like T-Mobile, Verizon, Sprint, AT&T, and cell phone insurance providers sell their excess inventory (often through third-party processing companies.)

Because some customers who return their Apple smartphone to a carrier as part of their upgrade or insurance claim don’t always remove Activation Lock from the device, carriers and insurance companies can often get stuck with iCloud-locked phones.

Motherboard could not determine whether any carriers currently have the ability to independently remove iCloud lock from iPhones, or whether Apple ever helps carriers remove iCloud at scale.

That’s where the hackers come in.

“The carriers sell a ton of locked devices,” one refurbisher who buys phones from private auctions told the publication.

Once iCloud-locked devices are back on the market—whether they are legally obtained or stolen—they either need to be stripped for parts, or somehow unlocked.

Carriers certainly want and need the ability to unlock iCloud-locked iPhones but Apple, on the other hand, probably has very little incentive to encourage the secondary market for iPhones.

Be sure to read the full report at Motherboard, it’s an interesting read.