Third man charged in celebrity iCloud, Gmail hacking investigation

An Illinois man was on Monday charged with a felony computer hacking offense for his role in a phishing scheme that targeted more than 550 Apple iCloud and Google Gmail accounts, some of which belonged to prominent Hollywood celebrities.




The U.S. Attorney for the Central District of California said Emilio Herrera, 32, of Chicago, signed a plea agreement detailing a wide-ranging phishing operation that granted unauthorized access to sensitive user property.

According to the document, Herrera sent email messages resembling legitimate correspondence from internet service providers in a bid to dupe victims into furnishing account usernames and passwords. During the operation, conducted from April 2013 through August 2014, more than 550 people fell for the gambit, allowing the hacker access to their iCloud and Gmail accounts.

With username and password data in hand, Herrera was able to steal personal information and data, which in some cases included private photographs and video.

In 2014, a cache of nude photos and video belonging to prominent entertainment industry figures circulated through the dark web before wide circulation via file sharing protocols like BitTorrent.

Dubbed "Celebgate," the incident was initially blamed on an iCloud security breach, claims Apple denied at the time. Further investigation, namely the testimony of two indicted hackers, revealed the images were procured through simple social engineering.

Though Herrera engaged in the phishing scheme, investigators have found no evidence that he shared or uploaded the compromising data, nor has he been linked to the 2014 leak.

The Herrera case is a product of an ongoing FBI investigation into "Celebgate" and its perpetrators. In January, another Illinois man was sentenced to 9 months in prison for a related phishing attack targeting more than 300 iCloud and Gmail accounts. Before that, a Pennsylvania man last October was sentenced to 18 months in prison for accessing 50 iCloud accounts and 72 Gmail accounts.

Herrera's case is being transferred to the Northern District of Illinois, where he is expected to enter a guilty plea. He faces up to five years in prison for his crimes.

Comments

  • Reply 1 of 20
    cali Posts: 3,495 member
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
  • Reply 2 of 20
    sflocal Posts: 4,013 member
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    More AI clickbait.  Sure, they'll blame the media and are simply copy/pasting what everyone else is doing but that doesn't make it any better.

    Phishing has nothing to do with "hacking" iCloud, Gmail, or whatever else. It's the equivalent of trying to get my name and address by going through the mailbox bolted to the side of my house.

    Seriously... this is getting old.  "I don't have to read it" is how they will respond.  Watch..
  • Reply 3 of 20
    Soli Posts: 6,682 member
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    I don't care for the sensationalist headlines but these were targeted hacks that mostly included social engineering to gain unauthorized access to a computer.
  • Reply 4 of 20
    This leak has almost no tech involved. The only tech is writing a short email with 1 or 2 logos and then just pressing send.

    The guy might have checked the victims’ Facebook, Twitter and Instagram accounts. That is all he needs to do.

    It is sad that people still fall for this oldest email scam. 
  • Reply 5 of 20
    cali Posts: 3,495 member
    sflocal said:
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    More AI clickbait.  Sure, they'll blame the media and are simply copy/pasting what everyone else is doing but that doesn't make it any better.

    Phishing has nothing to do with "hacking" iCloud, Gmail, or whatever else. It's the equivalent of trying to get my name and address by going through the mailbox bolted to the side of my house.

    Seriously... this is getting old.  "I don't have to read it" is how they will respond.  Watch..
    I’m not dissing AI because they actually included Gmail. Most articles only mention Apple and conveniently dismiss other services but using the word “hacked” doesn’t help since iCloud wasn’t hacked.
  • Reply 6 of 20
    Soli Posts: 6,682 member
    cali said:
    sflocal said:
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    More AI clickbait.  Sure, they'll blame the media and are simply copy/pasting what everyone else is doing but that doesn't make it any better.

    Phishing has nothing to do with "hacking" iCloud, Gmail, or whatever else. It's the equivalent of trying to get my name and address by going through the mailbox bolted to the side of my house.

    Seriously... this is getting old.  "I don't have to read it" is how they will respond.  Watch..
    I’m not dissing AI because they actually included Gmail. Most articles only mention Apple and conveniently dismiss other services but using the word “hacked” doesn’t help since iCloud wasn’t hacked.
    hacked ≠ iCloud.
    hacked = use a computer to gain unauthorized access to data in a system.

    That includes using social engineering, phishing and/or the nature of human laziness to obtain access to personal accounts.
    edited October 2017
  • Reply 8 of 20
    JFC_PA Posts: 146 member
    Phishing is NOT “hacking”. For a tech website to get that wrong is embarrassing. People will point and laugh. Sad. 

    OTOH maybe we ARE on the road where everything is behind a two factor authentication wall. My university is about to do just that. Three choices: a security app on my iPhone (fat chance), a verification code text message or a dongle. 
    edited October 2017
  • Reply 10 of 20
    MacPro Posts: 17,066 member
    Soli said:
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    I don't care for the sensationalist headlines but these were targeted hacks that mostly included social engineering to gain unauthorized access to a computer.
    JFC_PA said:
    Phishing is NOT “hacking”. For a tech website to get that wrong is embarrassing. People will point and laugh. Sad. 

    OTOH maybe we ARE on the road where everything is behind a two factor authentication wall. My university is about to do just that. Three choices: a security app on my iPhone (fat chance), a verification code text message or a dongle. 
    Soli said:
    cali said:
    sflocal said:
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    More AI clickbait.  Sure, they'll blame the media and are simply copy/pasting what everyone else is doing but that doesn't make it any better.

    Phishing has nothing to do with "hacking" iCloud, Gmail, or whatever else. It's the equivalent of trying to get my name and address by going through the mailbox bolted to the side of my house.

    Seriously... this is getting old.  "I don't have to read it" is how they will respond.  Watch..
    I’m not dissing AI because they actually included Gmail. Most articles only mention Apple and conveniently dismiss other services but using the word “hacked” doesn’t help since iCloud wasn’t hacked.
    hacked ≠ iCloud.
    hacked = use a computer to gain unauthorized access to data in a system.

    That includes using social engineering, phishing and/or the nature of human laziness to obtain access to personal accounts.
    Ok first off, I can't imagine too many at the annual Pwn2Own contest use phishing! /trying to keep a straight face here

    Sadly, as illustrated by Soli's response to others here, using the term 'hack' or 'hacking' when describing the elementary con known as phishing is so prevalent now it's beyond saving as the term most of us knew and understood, i.e. 'hack' referring to a skilled process requiring a high level of knowledge by either white or black hats.

    Asking for someone's user name and password with a fake web page or email has now risen to being called hacking by the regular media and sadly the tech media to such an extent and now even a pedantic contributor to AI defends it.

    We have to move on and accept that however stupid it sounds to anyone with a technical background the term hacking no longer means what it did. That's what happens to language, it devolves through misuse by the ignorant. As an aside, I can well imagine genuine hackers are really pissed off to be equated with phishing. lol

    The answer is that we need new terminology to describe skilled cyber crimes. The one we have just isn't hacking it! ;)


    edited October 2017
  • Reply 11 of 20
    Every account that requires a password to log in should send a text to the smartphone of the account owner each time the account is accessed. That should be mandated by law, partly to protect the account holder but also to help authorities catch criminals who are simultaneously perpetrating crimes against other innocent people — possibly thousands of them. These are not petty crimes, but potentially pose risks to the public infrastructure, major financial institutions and markets, and national security. Any hacker may find things he never expected, so harsh penalties should be levied against breaches that seem not so important after the fact. An armed robber who gets away with only $10 should not be given a short sentence.

    Since Apple has big plans for artificial intelligence, it should teach Siri to watch our responses to requests for account names, passwords and other sensitive data, and issue a mild warning to the iPhone user to minimize the risk of being tricked by a phishing campaign. Bogus requests are not always easy to identify, and especially not by casual users. Every few months we read about highly sensitive data being released by people who should know better, and the main response of the major tech companies, FBI and journalists is to tell users to be careful. That is not good enough, by a long shot.
    edited October 2017
  • Reply 12 of 20
    Sadly, as illustrated by Soli's response to others here, using the term 'hack' or 'hacking' when describing the elementary con known as phishing is so prevalent now it's beyond saving as the term most of us knew and understood, i.e. 'hack' referring to a skilled process requiring a high level of knowledge by either white or black hats.

    "Hacking", going a step back, had to do with creation of really cool things in hardware/software. Then it took on a "security hacking" concept, that can be called "cracking". Now it seems people are incorporating phishing in "hacking". Well, word usages change, usually towards less precision, or stated another way, to become more encompassing.
  • Reply 13 of 20
    jbdragon Posts: 1,662 member
    So this is why you need to have 2-factor authorization turned on everywhere!!! That way if you're dumb enough to fall for a phishing scam. SCAM being the key word, it's not hacking, you would still be protected as they wouldn't have your second factor authorization.
  • Reply 14 of 20
    Soli Posts: 6,682 member
    jbdragon said:
    So this is why you need to have 2-factor authorization turned on everywhere!!! That way if you're dumb enough to fall for a phishing scam. SCAM being the key word, it's not hacking, you would still be protected as they wouldn't have your second factor authorization.
    My first rule of internet use is to never click on an email to access an account. With bookmarks and auto-filling history it's easy to go into Safari (or a mobile app) to load a known website in which to input your credentials. If you get into this habit then you're much less likely to be caught off guard. Obvious exceptions are if you receive a password reset email which you just requested as the likelihood of being scammed within that short timeframe for that particular website for that particular service is exceedingly improbable. (This is more a rule I use for those who are less tech savvy and are more likely to miss signs of a phishing scam, but it applies to everyone)

    But, yes, 2FA/MFA is something I'd recommend for every internet-facing account that has any access to sensitive personal data. That said, I'm pretty sure I'm part of this Equifax breach because 1) the chances are about 50/50 based on current numbers, 2) I just always assume nothing is secure so if Equifax says about half their accounts were accessed I assume it's all of them (see Yahoo). That's much scarier since all that information is effectively permanent, so these thieves can easily sit on the info until people stop wanting to pay for credit freezes and let their guard up with the unfortunate mindset that "nothing has happened, so nothing will happen." This is known as risk perception, which is the major driver of the asinine anti-vaxxer movement.
    edited October 2017
  • Reply 15 of 20
    zoetmb Posts: 2,257 member
    Fingerprint ID's could have solved a lot of this, but unfortunately, Apple is getting away from that on the iPhone and few MacOS apps use it except for the OS itself, when you try and install new software.    In fact, many of the sites I use don't even use the OS functionality to remember passwords.  

    I really don't like logging onto a site and having to input a security code which was sent to my iPhone.   I find that really inconvenient.   And lately I'm getting a lot of "we don't recognize this computer, it must be a new device - do you wish to register this device?" messages, which repeats every time I log in from that same computer. 

    I simply follow the rule that I never input any security data based on an email.  I always go directly to the site.   

    I did get a pretty sophisticated phishing attempt recently.   I forget all the details, but after the Equifax breach and also after a repair at Apple for which they wanted my password, I changed all my passwords.  I almost immediately (probably a coincidence) got an email which really did look official, supposedly from Apple, claiming they saw questionable activity on my iCloud account.   I called the phone number listed and the company I called implied they were Apple, then changed their line to "we're doing work for Apple".   Once they wanted me to go to some website which definitely wasn't Apple's, I knew it had to be phony and I hung up.   I called Apple and they said they had received lots of inquiries that day about this scam.   

    But most Phishing scams use emails that are so poorly constructed and written, they should be obvious to anyone that they're a scam.   Most make me laugh because they're so bad.   Then there are the ones that "come from" banks or credit card companies where I don't have any accounts.   But I guess there's still a lot of dumb people out there - how is it possible that anyone falls for those ridiculous "we're going to share $15 million with you if we can use your account" scams. 
  • Reply 16 of 20
    MacPro Posts: 17,066 member
    cwingrav said:
    Sadly, as illustrated by Soli's response to others here, using the term 'hack' or 'hacking' when describing the elementary con known as phishing is so prevalent now it's beyond saving as the term most of us knew and understood, i.e. 'hack' referring to a skilled process requiring a high level of knowledge by either white or black hats.

    "Hacking", going a step back, had to do with creation of really cool things in hardware/software. Then it took on a "security hacking" concept, that can be called "cracking". Now it seems people are incorporating phishing in "hacking". Well, word usages change, usually towards less precision, or stated another way, to become more encompassing.
    True, I was at it on Apple ][s in 1978 lol. But I think we are on the same page. The internet as we know it now wasn't around then, I thought a telex was ground breaking! /slaps forehead in shock how time flies.

    I suspect the current term used by most of us here is related to software security and network protocols that are to a greater extent internet related. Now with phishing being included it's a useless term IMHO.
  • Reply 17 of 20
    Every account that requires a password to log in should send a text to the smartphone of the account owner each time the account is accessed. That should be mandated by law,
    That would be incredibly stupid. 
  • Reply 18 of 20

    zoetmb said:
    Fingerprint ID's could have solved a lot of this, but unfortunately, Apple is getting away from that on the iPhone
    Not sure you know what you’re referring to here...The apps don’t know anything about fingerprints. They know only whether you have successfully authenticated, in some cases with a biometric (Touch ID). That doesn’t change whatsoever with Face ID. 
  • Reply 19 of 20
    Soli said:
    cali said:
    sflocal said:
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    More AI clickbait.  Sure, they'll blame the media and are simply copy/pasting what everyone else is doing but that doesn't make it any better.

    Phishing has nothing to do with "hacking" iCloud, Gmail, or whatever else. It's the equivalent of trying to get my name and address by going through the mailbox bolted to the side of my house.

    Seriously... this is getting old.  "I don't have to read it" is how they will respond.  Watch..
    I’m not dissing AI because they actually included Gmail. Most articles only mention Apple and conveniently dismiss other services but using the word “hacked” doesn’t help since iCloud wasn’t hacked.
    hacked ≠ iCloud.
    hacked = use a computer to gain unauthorized access to data in a system.

    That includes using social engineering, phishing and/or the nature of human laziness to obtain access to personal accounts.
    Nope. Hacking would require knowledge of the system and some way to circumvent existing defenses of that system. Knowing the password is not considered hacking, because that hacker logs in the same way the owner of that account would. The path is the same in both cases. That is why it is not hacking, but rather a proper use of the system (system was meant to let you in when you enter a correct user name and password).
    edited October 2017
  • Reply 20 of 20
    Soli Posts: 6,682 member
    Soli said:
    cali said:
    sflocal said:
    cali said:
    “Celebrate”? Is this different from “The Fappening”?

    It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:

    1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords. 

    2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.

    Complete Anti-Apple propaganda. 
    More AI clickbait.  Sure, they'll blame the media and are simply copy/pasting what everyone else is doing but that doesn't make it any better.

    Phishing has nothing to do with "hacking" iCloud, Gmail, or whatever else. It's the equivalent of trying to get my name and address by going through the mailbox bolted to the side of my house.

    Seriously... this is getting old.  "I don't have to read it" is how they will respond.  Watch..
    I’m not dissing AI because they actually included Gmail. Most articles only mention Apple and conveniently dismiss other services but using the word “hacked” doesn’t help since iCloud wasn’t hacked.
    hacked ≠ iCloud.
    hacked = use a computer to gain unauthorized access to data in a system.

    That includes using social engineering, phishing and/or the nature of human laziness to obtain access to personal accounts.
    Nope. Hacking would require knowledge of the system and some way to circumvent existing defenses of that system. Knowing the password is not considered hacking, because that hacker logs in the same way the owner of that account would. The path is the same in both cases. That is why it is not hacking, but rather a proper use of the system (system was meant to let you in when you enter a correct user name and password).
    Sure it is. If I obtain a user's personal information to input key words into a password cracker that will generate the most likely password possibilities "using a computer to gain unauthorized access to data in a system." This notion that it's all about clever animations and speaking techno jargon while mashing a keyboard for a few seconds is just stupid Hollywood bullshit. Don't fall for the silly stereotype. You don't even need to be a coder yourself to use these passwords as they're available to anyone, although most hackers will have coding experience.




    Another method is about exploiting policies and protocols, like we've seen with Mat Honan because of 2 seemingly small decisions by Amazon and Apple on how data can be distributed without verification.



    edited October 2017