Second hacker pleads guilty to role in celebrity iCloud, Gmail phishing scheme

Posted:
in General Discussion
A Chicago man implicated in a phishing scheme targeting more than 300 iCloud and Google Gmail users, including the personal accounts of numerous Hollywood celebrities, faces up to five years in federal prison after signing a plea deal last week.




According to a statement from the U.S. Attorney's Office in California, Edward Majerczyk, 28, will plead guilty to violating the Computer Fraud and Abuse Act for his role in 2014's "Celebgate" phishing scheme. Majerczyk of Chicago and Orland Park, Ill., is charged with one count of unauthorized access to a protected computer, which carries a statutory maximum sentence of five years in prison.

In the phishing scheme, Majerczyk sent phony emails to victims requesting confirmation of user credentials. Appearing to be from legitimate security accounts operated by companies like Apple and Google, the messages instructed users to visit a nefarious website designed to gather logins and passwords.

Majerczyk used this information to illegally access victims' accounts, from which he harvested photographs, videos and other sensitive data, the plea agreement said. The assets circulated through the dark web before wide distribution via BitTorrent and other file sharing protocols.

"Hacking of online accounts to steal personal information is not merely an intrusion of an individual's privacy but is a serious violation of federal law," said U.S. Attorney Eileen M. Decker. "Defendant's conduct was a profound intrusion into the privacy of his victims and created vulnerabilities at multiple online service providers."

While phishing scams are a common occurrence, "Celebgate" gained notoriety for successfully targeting numerous A-list celebrities including Jennifer Lawrence and Kate Upton. When news of the leak first hit, reports incorrectly blamed the intrusion on a hack of Apple's iCloud, not clever social engineering. At the time, Apple denied those claims, saying its cloud services were safe and secure.

Majerczyk is the second person to enter a plea deal in connection with the scandal. In March, Ryan Collins, 36, pleaded guilty to illegally gaining access to at least 50 iCloud accounts and 72 Gmail accounts. Collins' crime carries an identical five-year maximum penalty, though prosecutors planned to recommend a term of 18 months.

Majerczyk's plea agreement was lodged in California District Court and will be executed when the case is transferred to the Northern District of Illinois.

Comments

  • Reply 1 of 18
    Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.
    nolamacguyai46tallest skilmacseekerlatifbpRosynalostkiwimacguijony0
  • Reply 2 of 18
    nolamacguynolamacguy Posts: 4,758member
    nonsense. this was routine, standard, run of the mill phishing. Apple carries no blame for it; there is no perception that Apple's customers are immune from phishing attacks as you dubiously claim. put that back in your FUD locker, dear sir. 
    zeus423ai46mac_dogericthehalfbeelatifbpRosynajony0SpamSandwich
  • Reply 3 of 18
    foggyhillfoggyhill Posts: 4,767member
    poffin77 said:
    Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.
    While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. And after this scandal broke, Apple quickly pivoted to the position that it was the user's responsibility - not Apple's' - to protect user data and privacy by using the same two-factor authentication and other measures and precautions recommended for the competing, less secure and less user-friendly platforms. Before this incident, the it was commonly thought that the average (meaning someone not skilled or interested in tech) could just buy an Apple product, use it as is and be protected. Apple didn't create this misconception ... but they were perfectly happy to benefit from it, including but not limited through their own advertising campaigns. Which is why fans of the competing platforms were more than willing to do some finger-pointing of their own when this happened, even as they acknowledged that Apple was never actually at fault here.
    Total bullshit. Seriously, read on posts. It's a phishing expedition and people gave up their own passwords.
    Next thing you'll be doing is claiming someone responding to nigerian scams on Iphones are somehow's Apple fault too.

    In fact, most of the Icloud account that were compromised were NOT ICLOUD ACCOUNTS,
    even those that were compromised through phishing were often done by compromising a second account that's even less secure (that's why you should not reuse passwords). They didn't talk about that here,  but that is used very often.

    The only way to mitigate it is to use two factor and that's an inconvenience to many and they STILL won't do it after this hack on Android or IOS.


    mac_dogericthehalfbeeRosynalostkiwijony0
  • Reply 4 of 18
    apple ][apple ][ Posts: 8,360member
    Hopefully the criminals and hackers will get sodomized in prison, at least a few times a week, so that they too will know how it feels to be "violated". :#
    latifbp
  • Reply 5 of 18
    dasanman69dasanman69 Posts: 12,973member
    poffin77 said:
    Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.
    While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. And after this scandal broke, Apple quickly pivoted to the position that it was the user's responsibility - not Apple's' - to protect user data and privacy by using the same two-factor authentication and other measures and precautions recommended for the competing, less secure and less user-friendly platforms. Before this incident, the it was commonly thought that the average (meaning someone not skilled or interested in tech) could just buy an Apple product, use it as is and be protected. Apple didn't create this misconception ... but they were perfectly happy to benefit from it, including but not limited through their own advertising campaigns. Which is why fans of the competing platforms were more than willing to do some finger-pointing of their own when this happened, even as they acknowledged that Apple was never actually at fault here.
    Of course Apple created that misconception, what did you think those advertising campaigns accomplished? For the most part celebrities aren't tech savvy and have no idea what a phishing scheme is, not ever heard of social engineering. 
  • Reply 6 of 18
    kevin keekevin kee Posts: 965member
    poffin77 said:
    Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.
    While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. 
    When a "stranger" you knowingly invited into your house (just because he said he was from phone company) stole your stuffs, did you blame the house security system that was working perfectly, the stranger or yourself?
    Rosynalostkiwinolamacguyjony0
  • Reply 7 of 18
    why-why- Posts: 305member
    I turned on two step verification a while ago and honestly I don't know why I didn't do it sooner
    latifbplostkiwi
  • Reply 8 of 18
    dasanman69dasanman69 Posts: 12,973member
    kevin kee said:
    poffin77 said:
    While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. 
    When a "stranger" you knowingly invited into your house (just because he said he was from phone company) stole your stuffs, did you blame the house security system that was working perfectly, the stranger or yourself?
    That's a bad comparison on so many levels. 
    latifbp
  • Reply 9 of 18
    ericthehalfbeeericthehalfbee Posts: 3,999member
    I still remember way back when Apple released a statement saying these accounts were accessed via social engineering. And reading all the idiots (usual suspects) comment about brute force password attacks and that they didn't believe Apple.

    Not surprising that many of them are still members here (and have recently posted), but aren't saying anything in this thread. I guess it's touch to have such a hard stance on a topic (and waste so much time on your bullshit theories) and find out you were completely and utterly wrong.
    latifbpRosynalostkiwinolamacguyjony0
  • Reply 10 of 18
    bestkeptsecretbestkeptsecret Posts: 3,175member
    apple ][ said:
    Hopefully the criminals and hackers will get sodomized in prison, at least a few times a week, so that they too will know how it feels to be "violated". :#

    I'm in a pretty bad mood today, so I'll agree with you.
    latifbpJanNL
  • Reply 11 of 18
    badmonkbadmonk Posts: 754member
    I loved how this Celebrity phishing scandal became Apple's fault even though some of the users (Kate Upton) were android users.

    Though I am happy these guys got caught, can't the justice department pursue Wall Street criminals with the same vigor they go after doping athletes and these losers?
    lostkiwi
  • Reply 12 of 18
    BittySonBittySon Posts: 48member
    Does it seem like the FBI tried harder in this case because celebrities were involved?
    tallest skilSpamSandwich
  • Reply 13 of 18
    maestro64maestro64 Posts: 4,453member
    poffin77 said:
    Yes, let's not forget that this attack also compromised Gmail accounts. And that iCloud has never been hacked and this was just a routine phishing expedition.
    While true it does not mean a whole lot. It was Apple who marketed the combination of security, privacy and ease of use a key differentiator between its products/services and those offered by such competitors as Google, Microsoft, Samsung etc. And after this scandal broke, Apple quickly pivoted to the position that it was the user's responsibility - not Apple's' - to protect user data and privacy by using the same two-factor authentication and other measures and precautions recommended for the competing, less secure and less user-friendly platforms. Before this incident, the it was commonly thought that the average (meaning someone not skilled or interested in tech) could just buy an Apple product, use it as is and be protected. Apple didn't create this misconception ... but they were perfectly happy to benefit from it, including but not limited through their own advertising campaigns. Which is why fans of the competing platforms were more than willing to do some finger-pointing of their own when this happened, even as they acknowledged that Apple was never actually at fault here.
    Of course Apple created that misconception, what did you think those advertising campaigns accomplished? For the most part celebrities aren't tech savvy and have no idea what a phishing scheme is, not ever heard of social engineering. 


    I said this when it happen and will say it again, you can not fix stupid. The people who got hacked deserve what they got.

    It is not the job of any company or the government to protect people from themselves. I am not sure why people think people are not suppose to be responsible for their own actions, If they were not taking naked picture of themselves there would have been nothing to find. You know ignorance of law is not defense of breaking a law ignorance the technology you use does not relive someone of their own responsibilities to protect their own privacy.

    Notice how DA pleaded these two people out, they really did not want others to see what these two people actually did to get the information. I suspect it was probably pretty easy, and the reason they caught these two so quickly.

  • Reply 14 of 18
    apple ][apple ][ Posts: 8,360member
    apple ][ said:
    Hopefully the criminals and hackers will get sodomized in prison, at least a few times a week, so that they too will know how it feels to be "violated". :#

    I'm in a pretty bad mood today, so I'll agree with you.
    I'm not sure that I understand the connection.

    I was actually in a good mood yesterday, when I wrote my post. :#
  • Reply 15 of 18
    macbootxmacbootx Posts: 35member
    apple ][ said:
    Hopefully the criminals and hackers will get sodomized in prison, at least a few times a week, so that they too will know how it feels to be "violated". :#
    Time to open the Kevin Mitnick wing at federal prison.
  • Reply 16 of 18
    mcdavemcdave Posts: 1,094member
    badmonk said:
    I loved how this Celebrity phishing scandal became Apple's fault even though some of the users (Kate Upton) were android users.

    Though I am happy these guys got caught, can't the justice department pursue Wall Street criminals with the same vigor they go after doping athletes and these losers?
    I'd like to see disclosure of the browser used by the victims. No doubt this is social engineering rather than a lack of security but I've seen some disturbing design traits in Chrome which could be a source.
  • Reply 17 of 18
    zoetmbzoetmb Posts: 2,398member
    badmonk said:
    I loved how this Celebrity phishing scandal became Apple's fault even though some of the users (Kate Upton) were android users.

    Though I am happy these guys got caught, can't the justice department pursue Wall Street criminals with the same vigor they go after doping athletes and these losers?
    It's more than that:  would the Justice Department have gone after these losers if they had only hacked the accounts of "ordinary" people and not celebrities?   I get tons of phishing emails every day, including a few good enough to actually look like they came from Amazon.   I wasn't fooled (yet), but plenty of other people would have been, including my elderly mother.   Does the Justice Department ever attempt to go after the other scammers?

    I must have a few hundred of this one:
    Your payments are on hold until
    you complete your account setup.
     
    ==> Complete your registration here 
     
    You can't get paid unless you
    activate your account. 
     
    Thank you.  

    - Michael C.
    Quantom Code Founder
    And even aside from emails designed to steal your identity, has anyone ever calculated how much SPAM costs everyone in storage space and time wasted deleting them?   At just 10 minutes a day, that's over 60 hours per year, per person.   I bet the productivity cost alone is in the $ billions.  

    And I really hate the phrase, "social engineering", because it sounds like something positive or something harmless instead of a con that can ruin one's life. 

    And for the record, most of what happens on Wall Street is legal.  It shouldn't be, but it is.   So there's little the Justice Department can do to go after Wall Street execs who we might consider to be criminals, like those who brought down the economy in 2008.   The laws need to be changed and that's not going to happen:  many Republican politicians feel that even the current laws are too restrictive on what banks and Wall Street firms can do.   Wall Street is like gambling in a casino, except there's fewer rules:  the odds are in favor of the house, they charge you to get in, but the small guy can still occasionally win something.   I've done pretty well with my investments, but that's not to say that the playing field is fair and that I'm not getting screwed.   And of course, the house can come tumbling down again at any time.    Brexit was a perfect example of how panic-stricken and irrational Wall Street is:  big tumble for a few days and then quickly back up to near-peaks.  None of that makes any sense - U.S. companies aren't worth more or less this week than they were last week, unless they happened to put out an earnings report, with the possible exception of those who sell largely to the UK.
  • Reply 18 of 18
    tallest skiltallest skil Posts: 43,399member
    zoetmb said:
    And I really hate the phrase, "social engineering", because it sounds like something positive or something harmless instead of a con that can ruin one's life.
    What a terrifying is that you think it sounds positive.
    And for the record, most of what happens on Wall Street is legal.  It shouldn't be, but it is.
    Oh, that's okay. The Federal Reserve is illegal and yet it exists. It all balances out.
    None of that makes any sense
    The only course of action is education. People have to be told what's going on so that when it crashes next they don't immediately buy in to what the people who crashed it want (fully digital fiat currency).
Sign In or Register to comment.