
Showing posts from May, 2023

Pivoting on a Phone Theft Ring

One of our affiliates recently had an iPhone stolen while on vacation. It goes without saying that once the phone has been powered off and no longer shows up in Apple's Find My, the odds of getting it back are slim. From the thief's side, the obstacle is iCloud Activation Lock: when Find My is enabled, the device is tied to the owner's iCloud account, and the owner must remove it manually before the phone can be activated by anyone else. That is what makes the owner's Apple ID credentials the thief's next target.

A few days after the theft, the replacement phone received an SMS phishing message with the following URL:

hxxps://lcoud.com-1pr7[.]us/?id=XXXXX

In our case the ID was a five-digit number beginning with 8. We began iterating over the 5-digit ID space, and sure enough, the very first attempt returned a valid HTTP 200 response.

When we browsed to the IP address the hostname resolves to, we found a wildcard certificate covering a number of other domains.

Stepping back, let's look at the root domain of the original phishing page, com-1pr7.us. The