Sextortionist government worker gets nearly 5 years in the slammer

A former US Embassy worker who sextorted, phished, broke into email accounts, stole explicit images and cyberstalked hundreds of women around the world from his London office has been sentenced to nearly 5 years in jail.

Michael C. Ford, of Atlanta, pleaded guilty in December to nine counts of cyberstalking, seven counts of computer hacking to extort, and one count of wire fraud.

He ran his predatory scams from his official, government-issued computer for more than two years, posing as a member of the fictional Google “Account Deletion Team.”

He used aliases including “David Anderson” and “John Parsons”, telling victims that their email accounts would be deleted if they didn’t respond.

Once he’d gained access to their Gmail accounts, he used the details to hijack at least 450 Google, Facebook, Twitter and iCloud profiles belonging to 200 individuals. He ransacked their personal information and photos, then he’d start extorting them.

His preferred prey was young females, some of whom were students at US colleges and universities, with a particular focus on members of sororities and aspiring models.

Having stolen photos and personally identifying information (PII) that included their home and work addresses, school and employment information, and names and contact information of family members, Ford went on to demand more sexually explicit material and personal information, emailing victims the photos he’d stolen and threatening to publish them if they didn’t give him what he demanded.

Specifically, Ford demanded that his victims record and send to him videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores.

He was a busy guy.

Ars Technica’s Cyrus Farivar posted a sentencing memorandum filed by prosecutors prior to the sentencing hearing on Monday.

In it, they expressed shock at the scale of Ford’s activities:

The sheer number of phishing emails that Ford sent is astounding.

According to the memorandum, on one day alone – 8 April, 2015 – Ford sent phishing emails to about 800 unique email addresses.

That’s not all. On the same date, he sent 180 followups to targets who hadn’t yet responded to his original email, plus 15 emails to potential targets who’d provided the wrong passwords.

Jamie Perry, a prosecutor, wrote this in the filing:

Considering Ford’s daily volume, repeated over the course of several months, the number of Ford’s potential phishing victims is staggering.

At Monday’s hearing, the government also provided evidence about Ford having been up to this same type of scheme beginning in 2009.

Back then, he posed as a model scout and convinced young women to send him their personal information, including dates of birth, their measurements, and topless photos for consideration for bogus modeling opportunities.

He managed to get nude photos of hundreds of women, some of whom were minors. He also tried to get one young girl to take videos of her schoolmates in the locker room.

US Attorney John A. Horn, of the US Attorney’s Office for the Northern District of Georgia, said in a statement that Ford’s case shows how cyber-stalkers can reach into any corner of the globe to torment victims.

The government suggested that people should be extremely careful about disclosing their logins and passwords to others, even when somebody on the other end of a communication seems legitimate.

Other steps that can help us to limit our vulnerability to these kinds of creeps include avoiding password reuse.

Giving a predator like Ford the passwords he demands is bad enough, but giving him a password that also unlocks a Facebook, Instagram or other social media account gives him ever more access to PII, to friends and contacts, and to ever more personal photos.

So don’t give them the keys to the kingdom. Instead, use one, unique, strong password for each account.

We gave more tips on protecting ourselves back when Ford pleaded guilty a few months ago. They’re worth repeating:

How to avoid becoming a victim of sextortion

• Carefully consider the people with whom you share explicit videos and pictures
• Watch out for messages from strangers via email or social networking sites. Never click on any links in such messages
• Cover your webcam – or any other internet-connected camera, be it on your phone, your tablet, or baby monitor – when you’re not using it. No need to get fancy: a sticky note will do fine
• Protect your devices with appropriate security software
• Keep all your software and applications up to date with the latest patches
• If you think you’ve been victimized by a hacker, a cyberstalker, or a sextortionist, contact law enforcement.
• Don’t give the cretins what they want. It will only make matters worse. The guy who extorted Miss Teen USA is a case in point: Jared James Abrahams told his victims he’d delete nude photos and videos if they did what he said. He did nothing of the kind, even if his victims gave him what he wanted – which was, of course, more explicit material.

Image of US Embassy sign courtesy of Kevin Hellon / Shutterstock.com