An Oregon man has admitted to tricking hundreds of people into handing over their Apple and Gmail passwords, to breaking into their accounts, and to stealing their X-rated pictures.
Yes, some of his victims were celebrities, according to a press release put out by the US Attorney’s office in Los Angeles.
No, he wasn’t one of the Celebgate guys.
Andrew Helton, 29, of Portland, Oregon, pleaded guilty last Thursday – 18 February – to a felony violation of the Computer Fraud and Abuse Act (CFAA): specifically, to a charge of unauthorized access to a protected computer to obtain information.
The US Attorney’s office said that Helton phished logins from 363 Apple and Google email accounts by sending “email verification” messages that looked like they were from Apple or Google.
The emails asked users to “verify” their accounts by clicking on a link that took them to a site rigged to look like a real Apple or Google login page.
There, the victims entered their usernames and passwords, and then away those credentials went to Helton.
He got his hands on about 448 logins for around 363 email accounts. Once he logged into those accounts, he was free to poke around and grab whatever he wanted.
Grab he did: he filched 161 sexually explicit, nude and/or partially nude images of about 13 victims, some of whom were celebrities.
FBI spokeswoman Laura Eimiller told CBS News that Helton’s case is separate from Celebgate, though that also involved phishing and the publishing of nude images stolen from celebrities, such as Jennifer Lawrence.
She also said that authorities don’t believe that the images Helton stole were leaked online.
That belief was echoed by police spokesman Thom Mrozek. The Express quotes what he told reporters:
We have no evidence that these photos were posted online. We also have no evidence that he attempted to sell them.
At any rate, Helton was busy e-mugging people a year before Celebgate unfolded: the US Attorney’s office said he was stealing photos between March 2011 and May 2013.
So what’s going on with the investigation into the creeps who did post celebs’ nudies online in Celebgate, trading them like so many baseball cards?
Last June, the FBI raided the Chicago home of Emilio Herrera, alleging that he had breached thousands of private iCloud accounts.
Last month, Gawker reported that the feds had raided yet another Chicago home.
Gawker reports that in October of 2014, the FBI had fingered Ed Majerczyk, another Chicago man with a similar laundry list of cloud-based invasions.
Charges hadn’t been filed against either of the Chicago men as of 15 January.
Helton, though, is now facing sentencing for his pre-Celebgate, photo-nabbing phishing caper.
He’ll be sentenced on 2 June, with a maximum penalty of 5 years in jail, though courts rarely dole out maximum allowed sentences.
Image of Password Phishing courtesy of Shutterstock.com
Stoat
It would be interesting to know how many messages were sent out to get those 363 logins.
Experience here is that 97% of people don’t respond to phishes. Whilst not wanting to sound like “blaming the victim”, it’s clear some people are incredibly naive about their security and personal information and many of them believe they “know it all”, so are impossible to educate on the matter.
We’ve had staff here _disable_ antivirus software in order to open infected email attachments, “because it might be important” – this is despite explicit instructions not to do so. The usual mentality is “I’m not going to let a computer tell me what I can’t do”