Remember last summer’s prolonged Celebgate scandal, also known as The Fappening, in which (mostly female) celebrities were cyber-mugged for their nude images?
The FBI remembers. It’s been working steadily on tracking down the responsible e-thugs ever since.
Now, a federal search warrant and related affidavit have been unsealed, and they point to some celebrity photo thieves having been very busy little phishing/password-resetting beavers.
The papers detail the FBI’s investigation into what turns out to be a ring of attackers who launched phishing and password-reset scams on the celebrities’ iCloud and email accounts.
Gawker posted the search warrant application affidavit.
The FBI redacts the female celebrities’ names in the documents and instead lists them by initials only: A.S., C.H., H.S., J.M., O.W., A.K., E.B., and A.H.
One presumes that the initials refer to Celebgate victims Abigail Spencer, Christina Hendricks, Hope Solo, Jennette McCurdy, Olivia Wilde, Anna Kendrick, Emily Browning, and Amber Heard.
The Chicago Sun-Times obtained a still-sealed affidavit that refers to a J.L. – presumably Jennifer Lawrence, who’s arguably the highest-profile celebrity to get digitally mugged.
According to the unsealed affidavit, filed by Special Agent Josh Sadowsky of the FBI’s Cybercrimes Unit, the Feds had discovered that someone on the South Side of Chicago was working out of a modest brick house to launch an iCloud-attacking spree between May 2013 and August 2014.
On 16 October 2014, federal agents entered the home of Emilio Herrera, who showed up as the registrant for the home’s suspected IP address.
The agents seized several computers, cellphones, a Kindle, floppy disks, hard drives and thumb drives.
The feds said in the affidavit that Apple had tipped them off to an IP address at the house that had been pawing at celebrities’ email and iCloud accounts:
Based on victim account records obtained from Apple, one or more computers used at [Herrera's house] accessed or attempted to access without authorization multiple celebrities’ e-mail and iCloud accounts over the course of several months.
This was a persistent attack.
The IP address registered to Herrera was allegedly used to access about 572 unique iCloud accounts.
It went after some of those accounts numerous times: in total, somebody using that IP address allegedly tried to access those 572 iCloud accounts 3263 times.
Besides accessing the iCloud accounts, somebody at that IP address also allegedly tried to reset 1987 unique iCloud account passwords, approximately 4980 times.
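The pattern the affidavit describes, one source address touching hundreds of distinct accounts and firing off thousands of password-reset requests, is exactly what an identity provider's auth logs can surface. The following is an added illustration, not code from the article or from Apple: it profiles constructed sample log lines per source IP and flags addresses whose spread of accounts or volume of reset requests exceeds assumed thresholds (the log format, the thresholds and the IPs are all made up for the example).

```python
from collections import defaultdict

# Constructed sample auth-log lines (not real records): timestamp, source IP, event, account, outcome.
SAMPLE_LOG = """\
2014-06-01T02:11:09Z 203.0.113.7 login a.s@example.com fail
2014-06-01T02:11:31Z 203.0.113.7 login c.h@example.com fail
2014-06-01T02:12:05Z 203.0.113.7 reset h.s@example.com sent
2014-06-01T02:12:44Z 203.0.113.7 reset j.m@example.com sent
2014-06-01T02:13:10Z 203.0.113.7 login a.s@example.com fail
2014-06-01T02:14:02Z 203.0.113.7 reset o.w@example.com sent
2014-06-01T09:30:00Z 198.51.100.4 login a.s@example.com ok
2014-06-01T09:35:12Z 198.51.100.4 reset a.s@example.com sent
"""


def parse(log):
    """Yield (timestamp, ip, event, account, outcome) tuples from the assumed log format."""
    for line in log.splitlines():
        ts, ip, event, account, outcome = line.split()
        yield ts, ip, event, account, outcome


def profile_sources(log):
    """Per source IP: distinct accounts touched, login attempts and password-reset requests."""
    stats = defaultdict(lambda: {"accounts": set(), "logins": 0, "resets": 0})
    for _ts, ip, event, account, _outcome in parse(log):
        entry = stats[ip]
        entry["accounts"].add(account)
        if event == "login":
            entry["logins"] += 1
        elif event == "reset":
            entry["resets"] += 1
    return stats


def flag_sprayers(log, max_accounts=3, max_resets=2):
    """Return {ip: [reasons]} for sources that spread across more accounts, or request
    more resets, than one legitimate user plausibly would. Thresholds are assumptions
    to be tuned per service; a real deployment would also window by time."""
    flagged = {}
    for ip, entry in profile_sources(log).items():
        reasons = []
        if len(entry["accounts"]) > max_accounts:
            reasons.append(f"{len(entry['accounts'])} distinct accounts")
        if entry["resets"] > max_resets:
            reasons.append(f"{entry['resets']} password-reset requests")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

The second source in the sample, which only ever touches its own account and requests a single reset, is what a victim resetting a password she was locked out of looks like, and is left unflagged.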
According to the affidavit, the victim A.S. told agents that she “recalled getting locked out of her online accounts” between April and May 2014 – a time that predates the photo and video leak by a few months.
A.S. first learned she may have been a victim of the photo leaks on or about August 31, 2014, when the media was reporting her as a victim. Although she could not find any photos of herself initially, several weeks later several photos and two videos were posted online. Some of the photos were taken between October and November 2013, and the others between April and May 2014. All photos were taken with her iPhone and sent through Message to her boyfriend. The two videos were also taken with her phone during the same time frame. At the time of the leaks, the videos were still stored in her phone. The morning after her private information was leaked, the media contacted her for a statement.
c. Between April and May 2014, A.S. recalled getting locked out of her online accounts, and her password wasn't working. A.S. used iCloud on her phone, as well as Gmail for her e-mail.
According to Special Agent Sadowsky, at least two suspects he’s investigated in the past have used a password breaker tool to crack celebrity iCloud accounts.
That tool doesn’t require special tech skills to use, he said. In fact, anybody can purchase it online and use it to download a victim’s iCloud account if they know his or her login credentials.
Besides buying a tool like that, another common way to break into a target’s iCloud account is by phishing, be it by email, text message or iMessage.
All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.
Anybody who owns an email account and a body they don’t want to see parading around the internet without their permission should be on the lookout, though telling the difference between legitimate and illegitimate messages can be tough.
No charges have yet been filed, either against Herrera or the party at the other Chicago address, an FBI spokesperson told Gawker.
Image of Jennifer Lawrence licensed under Creative Commons, courtesy of Flickr user Red Carpet Report on Mingle Media TV. (CC BY-SA 2.0)