According to federal authorities, a Los Angeles resident broke into thousands of iCloud accounts in a plot to steal nude photos of women and share them online. The perpetrator, Hao Kuo Chi, aged 40, pleaded guilty to four felonies.
Chi, who went by the moniker “David,” reportedly impersonated Apple customer support staff to phish Apple IDs and passwords from his victims. He did this to gain unauthorized access to the cloud storage of over 300 victims in the United States.
“David” wasn’t alone. He admitted to breaking into 200 accounts at the request of other internet users. He and his co-conspirators used a foreign encrypted email service to communicate with each other.
The surprising thing about this story is that, aside from using an encrypted email service to communicate with co-conspirators, Chi didn’t do anything technically sophisticated.
Luckily for the authorities and victims, he didn’t even bother covering his tracks with a VPN. Investigators caught him by tracing a login to one of his victims’ accounts back to his home.
He didn’t exploit any vulnerabilities in Apple’s cloud storage. Instead, he was able to get all these passwords through phishing—by tricking his victims into thinking he was a representative of Apple.
People need to be aware that company representatives will never ask users for their passwords in correspondence. These should only ever be entered into official login portals.
Good password managers can help ensure that a portal is legit. They do so by detecting whether the domain is the same as the one the person signed up with. They can also allow for secure sharing to minimize the risk of compromise.
Chi used Gmail accounts to impersonate Apple employees, whereas real Apple emails only come from Apple addresses, not Google or any other email service. All these small details can be indicators that something suspicious is afoot. ID theft protection tools can reduce the risk of theft, but users also need to be constantly on their guard for suspicious activity.
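The two checks described above, the password manager's domain match and the sender-address check, written out as an added example; it is not code from the article or from any password manager. The function names, the saved-domain format, and all sample URLs and addresses are assumptions constructed for illustration.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit


def _host(url):
    """Lower-cased hostname of a URL, ignoring userinfo, port and trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def should_autofill(saved_domain, page_url):
    """Offer a saved credential only on HTTPS pages of the saved domain."""
    if urlsplit(page_url).scheme != "https":
        return False
    host = _host(page_url)
    saved = saved_domain.lower().rstrip(".")
    # Exact host or a true subdomain. A bare suffix test would also accept
    # "notapple.com", and a substring test would accept "apple.com.example.net".
    return host == saved or host.endswith("." + saved)


def sender_in_domain(from_header, expected_domain):
    """True if the From address (not the display name) is in expected_domain.

    The From header can be forged, so a pass here proves nothing on its own;
    SPF, DKIM and DMARC results are what authenticate the domain. A failure,
    as with the webmail senders in this case, is a clear warning sign.
    """
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    expected = expected_domain.lower()
    return bool(domain) and (domain == expected or domain.endswith("." + expected))


if __name__ == "__main__":
    # Constructed samples: one genuine-looking portal, two lookalikes, one downgrade.
    for url in ("https://appleid.apple.com/sign-in",
                "https://apple.com.example.net/sign-in",
                "https://apple.com@login.example.net/",
                "http://apple.com/"):
        print(should_autofill("apple.com", url), url)
    # Constructed samples: the display name says Apple, the address does not.
    for sender in ("Apple Support <noreply@apple.com>",
                   '"Apple Support" <applesupport.example@gmail.com>'):
        print(sender_in_domain(sender, "apple.com"), sender)
```

When the manager declines to autofill on a page that looks like the usual login screen, that refusal is the signal to stop and check the address bar.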