Third man charged in celebrity iCloud, Gmail hacking investigation
An Illinois man was on Monday charged with a felony computer hacking offense for his role in a phishing scheme that targeted more than 550 Apple iCloud and Google Gmail accounts, some of which belonged to prominent Hollywood celebrities.
The U.S. Attorney for the Central District of California said Emilio Herrera, 32, of Chicago, signed a plea agreement detailing a wide-ranging phishing operation that granted unauthorized access to sensitive user property.
According to the document, Herrera sent email messages resembling legitimate correspondence from internet service providers in a bid to dupe victims into furnishing account usernames and passwords. During the operation, conducted from April 2013 through August 2014, more than 550 people fell for the gambit, allowing the hacker access to their iCloud and Gmail accounts.
With username and password data in hand, Herrera was able to steal personal information and data, which in some cases included private photographs and video.
In 2014, a cache of nude photos and video belonging to prominent entertainment industry figures circulated through the dark web before wide circulation via file sharing protocols like BitTorrent.
Dubbed "Celebgate," the incident was initially blamed on an iCloud security breach, claims Apple denied at the time. Further investigation, namely the testimony of two indicted hackers, revealed the images were procured through simple social engineering.
Though Herrera engaged in the phishing scheme, investigators have found no evidence that he shared or uploaded the compromising data, nor has he been linked to the 2014 leak.
The Herrera case is a product of an ongoing FBI investigation into "Celebgate" and its perpetrators. In January, another Illinois man was sentenced to 9 months in prison for a related phishing attack targeting more than 300 iCloud and Gmail accounts. Before that, a Pennsylvania man last October was sentenced to 18 month in prison for accessing 50 iCloud accounts and 72 Gmail accounts.
Herrera's case is being transferred to the Northern District of Illinois, where he is expected to enter a guilty plea. He faces up to five years in prison for his crimes.
The U.S. Attorney for the Central District of California said Emilio Herrera, 32, of Chicago, signed a plea agreement detailing a wide-ranging phishing operation that granted unauthorized access to sensitive user property.
According to the document, Herrera sent email messages resembling legitimate correspondence from internet service providers in a bid to dupe victims into furnishing account usernames and passwords. During the operation, conducted from April 2013 through August 2014, more than 550 people fell for the gambit, allowing the hacker access to their iCloud and Gmail accounts.
With username and password data in hand, Herrera was able to steal personal information and data, which in some cases included private photographs and video.
In 2014, a cache of nude photos and video belonging to prominent entertainment industry figures circulated through the dark web before wide circulation via file sharing protocols like BitTorrent.
Dubbed "Celebgate," the incident was initially blamed on an iCloud security breach, claims Apple denied at the time. Further investigation, namely the testimony of two indicted hackers, revealed the images were procured through simple social engineering.
Though Herrera engaged in the phishing scheme, investigators have found no evidence that he shared or uploaded the compromising data, nor has he been linked to the 2014 leak.
The Herrera case is a product of an ongoing FBI investigation into "Celebgate" and its perpetrators. In January, another Illinois man was sentenced to 9 months in prison for a related phishing attack targeting more than 300 iCloud and Gmail accounts. Before that, a Pennsylvania man last October was sentenced to 18 month in prison for accessing 50 iCloud accounts and 72 Gmail accounts.
Herrera's case is being transferred to the Northern District of Illinois, where he is expected to enter a guilty plea. He faces up to five years in prison for his crimes.
Comments
It pisses me off that to this day iPhoney fans still bring up “iCloud was hacked lol!!” As an argument against Apple security when:
1. It WAS NOT HACKED. (This headline doesn’t help.) The guy had passwords.
2. The “hack” included Microsoft SkyDrive and Gmail/Google Drive which articles conveniently left out.
Complete Anti-Apple propaganda.
the guy might had checked the victims’ Facebook, Twitter and Instagram account. That is all he need to do.
It is sad that people still fall for this oldest email scam.
hacked = use a computer to gain unauthorized access to data in a system.
That includes using social engineering, phishing and/or the nature of human laziness to obtain access to personal accounts.
OTOH maybe we ARE on the road where everything is behind a two factor authentication wall. My university is about to do just that. Three choices: a security app on my iPhone (fat chance), a verification code text message or a dongle.
Sadly, as illustrated by Soli's response to others here, using the term 'hack' or 'hacking' when describing the elementary con known as phishing is so prevalent now it's beyond saving as the term most of us knew and understood i.e. 'hack' referring to a skilled process requiring a high level of knowledge by either white or or black hats.
Asking for someones user name and password with a fake web page or email has now risen to being called hacking by the regular media and sadly the tech media to such an extent and now even a pedantic contributor to AI defends it.
We have to move on accept that however stupid it sounds to anyone with a technical background the term hacking no longer means what it did. That's what happens to language, it devolves through misuse by the ignorant. As an aside, I can well image genuine hackers are really pissed off to be equated with phishing. lol
The answer is that we need new terminology to described skilled cyber crimes. The one we have just isn't hacking it!
Since Apple has big plans for artificial intelligence, it should teach Siri to watch our responses to requests for account names, passwords and other sensitive data, and issue a mild warning to the iPhone user to minimize the risk of being tricked by a phishing campaign. Bogus requests are not always easy to identify, and especially not by casual users. Every few months we read about highly sensitive data being released by people who should know better, and the main response of the major tech companies, FBI and journalists is to tell users to be careful. That is not good enough, by a long shot.
"Hacking", going a step back, had to do with creation of really cool things in hardware/software. Then it took on a "security hacking" concept, that can be called "cracking". Not it seems people are incorporating phishing in "hacking". Well, word usages change, usually towards less precision, or stated another way, to become more encompassing.
I really don't like logging onto a site and having to input a security code which was sent to my iPhone. I find that really inconvenient. And lately I'm getting a lot of "we don't recognize this computer, it must be a new device - do you wish to register this device?" messages, which repeats every time I log in from that same computer.
I simply follow the rule that I never input any security data based on an email. I always go directly to the site.
I did get a pretty sophisticated phishing attempt recently. I forget all the details, but after the Equifax breach and also after a repair at Apple for which they wanted my password, I changed all my passwords. I almost immediately (probably a coincidence) got an email which really did look official, supposedly from Apple, claiming they saw questionable activity on my iCloud account. I called the phone number listed and the company I called implied they were Apple, then changed their line to "we're doing work for Apple". Once they wanted me to go to some website which definitely wasn't Apple's, I knew it had to be phony and I hung up. I called Apple and they said they had received lots of inquiries that day about this scam.
But most Phishing scams use emails that are so poorly constructed and written, they should be obvious to anyone that they're a scam. Most make me laugh because they're so bad. Then there are the ones that "come from" banks or credit card companies where I don't have any accounts. But I guess there's still a lot of dumb people out there - how is it possible that anyone falls for those ridiculous "we're going to share $15 million with you if we can use your account" scams.
I suspect the current term used by most of here is related to software security and network protocols that are to a greater extent internet related. Now with phishing being included it's a useless term IMHO.
Not sure you know what you’re referring to here...The apps don’t know anything about fingerprints. They know only whether you have successfully authenticated, in some cases with a biometric (Touch ID). That doesn’t change whatsoever with Face ID.
Another method is about exploiting policies and protocols, like we've seen with Mat Honan because of 2 seemingly small decisions by Amazon and Apple on how data can be distributed without verification.