Site icon Sophos News

US State Dept. cyberstalker pleads guilty to sextortion

While he was tucked away in the US Embassy in London, a US State Department employee reached around the globe to torment hundreds of young women, running a sextortion scheme that involved email phishing, breaking into email accounts, and cyberstalking hundreds of victims in the US and abroad.

Now, he’s a former employee.

The US Department of Justice last week announced that Michael C. Ford, 36, of Atlanta, has pleaded guilty to nine counts of cyberstalking, seven counts of computer hacking to extort, and one count of wire fraud.

Ford admitted that between January 2013 and May 2015, he used aliases including “David Anderson” and “John Parsons” in a scheme to force victims to give him personal information and sexually explicit videos of others.

His preference was young females, some of whom were students at US colleges and universities, with a particular focus on members of sororities and aspiring models.

Ford, posing as a member of the fictitious “account deletion team” for a well-known email service provider, would send phishing emails to thousands of targets, warning them that their accounts were due to be deleted unless they gave him their passwords.

Using the phished passwords, he got into hundreds of email and social media accounts.

Then, he looked for sexually explicit photos.

Once he found them, he went looking for personal identifying information (PII) about his victims, including their home and work addresses, school and employment information, and names and contact information of family members, among other things.

With the stolen photos and PII, Ford commenced a cyberstalking campaign in which he demanded more sexually explicit material and personal information, emailing victims the photos he’d stolen and threatening to publish them if they didn’t give him what he demanded.

Specifically, Ford demanded that his victims record and send to him videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores.

If the women didn’t comply, threatened to report him to police or begged him to leave them alone, Ford would issue more threats.

For example, in one email, he wrote “don’t worry, it’s not like I know where you live.”

Then, he followed up with an email containing the victim’s home address and threatened to post her photos to an “escort/hooker website” along with her phone number and home address.

Next, Ford described the victim’s home to her, dropping in this threatening detail:

I like your red fire escape ladder, easy to climb.

He wasn’t bluffing. The DOJ says that Ford followed through with his threats on several occasions, sending explicit photos to his victims’ family and friends.

Before he was caught, he managed to send thousands of phishing emails to potential victims, successfully broke into at least 450 online accounts belonging to at least 200 victims, and forwarded to himself at least 1300 stolen emails containing thousands of sexually explicit photographs.

He sent threatening and sextortionate messages to at least 75 victims.

Ford was working at the London embassy throughout this reign of terror, and he did most of it from his work computer.

Did he think that his vicious crimes were cloaked in some way by that gig?

If so, he was as wrong as a three-dollar bill.

FBI Special Agent in Charge J. Britt Johnson:

The allegations contained in this federal indictment portray an individual consumed with sexually themed cyber-stalking and exploitation as well as an individual who felt he was beyond detection and grasp of authorities.

Ford’s sentencing hearing is scheduled for 16 February 2016.

US Attorney John A. Horn of the Northern District of Georgia said that this case underscores the need to safeguard personal information and passwords, especially in response to suspicious emails.

It also points to how vitally important it is to avoid password reuse.

Giving a predator like Ford the passwords he demands is bad enough, but giving him a password that also unlocks a Facebook, Instagram or other social media account gives him ever more access to PII, to friends and contacts, and to ever more personal photos.

So don’t give them the keys to the kingdom. Instead, use one, unique, strong password for each account.

Here are more tips for protecting ourselves:

How to avoid becoming a victim of sextortion

Image of US state department website courtesy of Gil C / Shutterstock.com

Exit mobile version