
If you have two factor enabled, which is required for many iCloud features, every single Apple device you own will receive an alert with the location of login before you can reveal the 2FA code, even for iCloud logins. What more would you like to see?


They would just get an email saying that icloudbackupsupport@gmail.com (his phony address) accessed the account immediately after giving their info to icloudbackupsupport@gmail.com. He could even have told them to expect and ignore such an email.


There should be a request for approving the login attempt, and if you say yes, you get a six digit code to enter on the device trying to connect. Then when that succeeds, you get another push notification about it succeeding.


And that's what happens on any iOS with 2FA enabled.


Perhaps something in that 2FA request saying "Apple will only ask for your password in-person in a store or other authorized repair provider. Only allow this request if you know who requested it"?


You need to spend more time around non technologists. Many folks just dismiss computer prompts without reading, ignore emails, or any number of other similar behaviors that would likely drive you and me crazy by their lack of attention to detail.

Adding detailed prompts won’t solve the problem.


> Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house

If the attacker was really not covering his tracks, perhaps Apple may have flagged hundreds of different iCloud account logins originating from the same location as something to look into?


That's not really a reliable/actionable signal overall - my previous employer had like 20,000 employees NATed behind a single IP.


> my previous employer had like 20,000 employees NATed behind a single IP.

If so, it’s incredibly unlikely that all 20k were online simultaneously. If they were, each person could only open ~3 TCP sockets to the internet (even if via a proxy if dealing with individual login sessions) at a time before you’ve run out of ports.


Even though you're probably right on the first part, the second part is false. While most NAT implementations operate as you describe, called "port-restricted cone NAT", some implementations allocate the external port only for a specific destination address, called "symmetric NAT".


TIL, thanks!


IP NATing is a common thing done by most ISPs; you can literally have 100s or even thousands of users using the same IP.


There isn’t enough information in the linked article to reveal the attacker’s methods. Do you have further information or are you speculating?


It’s better than nothing but still not great because the login area they present is too broad. For example, if you live in a large city and the phisher is somebody you know, seeing “New login from Your City” is not going to make you think twice.


If you refuse to think, even when prompted, that's on you. You should think about whether you logged in from the city and device/OS named in the alert.



