Naked Security

Teen music hacker arrested in UK for stealing bands’ unreleased music

"If he's guilty, he'll face the music." Heh.

A 19-year-old UK man has been arrested for allegedly stealing unreleased songs from world-famous musicians’ websites and cloud-based accounts and selling the music for cryptocurrency, authorities in London and New York announced on Friday.

The City of London Police’s Intellectual Property Crime Unit (PIPCU) searched two properties that an investigation had suggested were involved: one in North London, and one in Ipswich, where they arrested the alleged hacker on suspicion of copyright and Computer Misuse Act offenses.

The Manhattan District Attorney’s Office launched the investigation after getting complaints from the managers of ripped-off victims. The DA’s office identified one of the suspects, whom it concluded was living in the UK, and reached out to London police with the information.

Detective Inspector Nick Court, from PIPCU, said that the suspected hackers stole the music and sold it on illegal streaming sites worldwide, ripping a hole in victims’ livelihoods:

This sort of crime causes significant financial loss to those who work so incredibly hard to produce, write and make music for their fans to enjoy.

Due to UK privacy laws, the name of the detained suspect wasn’t released. Nor were the names of the musicians who were preyed on.

Therefore, we don’t know if the suspect(s), if they turn out to be guilty of stealing music, are in fact the one(s) who did this to Radiohead in June.

As you might recall, Radiohead responded to the theft of 18 hours of unheard music by politely declining the extortionist’s offer to pay $150,000 for it. Instead, in one of those fist-pumping, in-your-FACE! moves that we occasionally see, the band released the music on Bandcamp, with all proceeds going to the climate advocacy group Extinction Rebellion.

Just one week after that, the forces of extortionist scumbaggery had the rug pulled out from them yet again when American actress Bella Thorne did pretty much the same thing, with ripped-off nude images. Her approach: Oh, so you’re threatening to publish nude pics you hacked out of my accounts? Too late – I did it myself.

But for all (two, at least) of the thunder-stealing stories, there must be countless artists who just suffer through the loss of income when hackers steal their creative work or their images, without any sweet smell of revenge.

So for their sake, let’s hope that this bust leads to justice served. Or, in the pun-ificent words of Manhattan District Attorney Cyrus Vance Jr.:

As one of the world’s leading creative capitals, New York City is dedicated to protecting artists’ intellectual property and ensuring that those who steal it face the music.

When we hear that artists’ cloud accounts have been ripped off, Celebgate comes to mind.

You’ll recall that starting in 2015 and coming in waves up until 2017, celebrities were getting mugged left and right for their intimate photos. It doesn’t matter whether the content is nude images or unreleased music: plenty of content that we store in the cloud is worth something to somebody, and that means we need to protect it from the crooks’ well-known but quite effective tricks.

According to the FBI, the original Celebgate thefts were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, got to his victims by sending messages doctored to look like security notices from ISPs. Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google.

These guys’ pawing was persistent: the IP address of one of the Celebgate suspects, Emilio Herrera, was allegedly used to access about 572 unique iCloud accounts. The IP address went after some of those accounts numerous times: in total, somebody using it allegedly tried to access 572 iCloud accounts 3,263 times. Somebody at that IP address also allegedly tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.
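
Seen from the service provider's side, the pattern in those figures (one source address touching many distinct accounts, and returning to them repeatedly) is something authentication logs can surface. The sketch below is an added example, not code from the article or from the investigation; the log format, event names and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log lines (not real data), in an assumed format:
#   "<timestamp> <source_ip> <event> <account>"
SAMPLE_LOG = [
    f"2019-09-0{day}T10:0{i}:00Z 203.0.113.7 {event} user{i}@example.com"
    for day in (1, 2) for i in range(6)
    for event in ("login_failed", "password_reset")
] + [
    "2019-09-01T08:00:00Z 198.51.100.20 login_failed alice@example.com",
    "2019-09-01T08:01:00Z 198.51.100.20 login_ok alice@example.com",
    "2019-09-01T09:00:00Z 198.51.100.20 login_ok bob@example.com",
    "this line is malformed and is skipped",
]

# Events worth counting: failed logins and password-reset requests.
WATCHED = {"login_failed", "password_reset"}

def account_fan_out(lines):
    """Per (source IP, event): total attempts and the set of accounts targeted."""
    stats = defaultdict(lambda: {"attempts": 0, "accounts": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] not in WATCHED:
            continue  # skip malformed lines and events we do not track
        _, ip, event, account = parts
        entry = stats[(ip, event)]
        entry["attempts"] += 1
        entry["accounts"].add(account.lower())
    return stats

def flag_sources(lines, max_accounts=5):
    """Return sources that touched more distinct accounts than the threshold.

    max_accounts is an assumed threshold; a household or office NAT address
    will legitimately touch a handful of accounts, so tune it to the service.
    """
    flagged = {}
    for (ip, event), entry in account_fan_out(lines).items():
        distinct = len(entry["accounts"])
        if distinct > max_accounts:
            flagged[(ip, event)] = {
                "distinct_accounts": distinct,
                "attempts": entry["attempts"],
            }
    return flagged

if __name__ == "__main__":
    for key, info in flag_sources(SAMPLE_LOG).items():
        print(key, info)
```

Counting distinct accounts separately from total attempts matters here: a per-account lockout sees only a few tries against each victim, while the per-source view shows the same address working through the whole list.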

Some of the suspects used a password breaker tool to crack the account: a tool that doesn’t require special tech skills to use. In fact, anybody can purchase one of them online and use it to download a victim’s iCloud account if they know his or her login credentials.

To get those credentials, crooks break into a target’s iCloud account by phishing, be it by email, text message or iMessage.

All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Anybody who owns an email account, and a body they don’t want to see parading around the internet without their permission, and/or unreleased music that they don’t want scooped out from under them, should be on the lookout, though telling the difference between legitimate and illegitimate messages can be tough.

What to do-be-do-be-do

Here are some ways to keep your private images, and your music, from winding up in the thieves’ sweaty palms:

  • Don’t click on links in emails and thus get your login credentials phished away. If you really think your ISP, for example, might be trying to contact you, instead of clicking on the email link, get in touch by typing in the URL for its website and contacting it via a phone number or email you find there.
  • Use strong passwords.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example).
  • Don’t friend people you haven’t met on Facebook, and don’t share photos with people you don’t know and trust. For that matter, be careful of those who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.
