On the prowl for nudes, California man steals 620,000 iCloud photos

A Southern California man social-engineered his way into thousands of Apple iCloud accounts searching for nude pictures of young women. 

Forty-year-old Hao Kuo Chi admitted to authorities that he had impersonated Apple customer support staff in emails that tricked victims into handing over their Apple IDs and passwords, the Los Angeles Times reports.

After breaking into the accounts, he collected over 620,000 private photos and 9,000 videos. It’s not yet clear how many victims had their personal images stolen, but estimates range from a few hundred to a few thousand.

Authorities know of at least 306 victims. However, the FBI found that more than 4,500 of the roughly half a million emails in Chi’s fake email accounts contained Apple IDs.

Chi told the court he hacked into the accounts of 200 victims at the request of people he met online. He could not identify his clients, who used a foreign encrypted email service for communication, keeping the interactions anonymous.

These clients would send Chi a specific account they wanted pictures stolen from, prompting him to carry out the attack.

The threat actor used the Gmail addresses ‘applebackupicloud’ and ‘backupagenticloud’ to trick victims into revealing their account data. The attack appears to have relied entirely on victims’ willingness to hand over credentials to an email account posing as a legitimate Apple employee.

Chi accessed the accounts from his own home in La Puente, California. Notably, Apple did not detect that one person had most likely been accessing thousands of accounts from a single location since March 2018.

Authorities took an interest in the attacker after a California-based company notified one of its clients that someone had posted her nude photos on a pornographic site. According to the Los Angeles Times, the victim had stored the photos on an iPhone that was backed up to iCloud.

Investigators soon discovered where the unauthorized login attempt was made from and entered Chi’s house with a warrant. He pleaded guilty in court and currently faces up to five years in prison.

Don’t get duped: how to spot social engineering attacks

Even though it appears that most of the accounts Chi accessed were password-protected, he employed social engineering tactics to trick victims. Knowing how to spot a social engineering attempt is still vital for keeping personal information and money safe. Here’s how:

  • Think before you act. Attackers create a sense of urgency because they want their victims to make snap decisions. Always stop and verify. If a friend suddenly asks you for money, call them and ask whether they really sent the message.
  • Check the message for legitimacy. If you receive an email and something about it seems off, it probably is. Verify the domain name: it could end in .co or .con rather than .com. Typos and other spelling errors are a clear giveaway that it’s a phishing attempt.
  • Don’t trust senders you don’t know. If you’re not expecting anything, don’t open any files you’ve received, especially if they are flagged as urgent.
  • If you’ve won a lottery you never entered, or a Nigerian prince is offering you money, chances are you’re being scammed. If something seems too good to be true, it probably is.
  • If you’re unsure whether a website is genuine, check that it presents a valid TLS certificate issued by a trusted certificate authority (CA), especially when connecting to banking sites.
  • Enable two-factor authentication (2FA) so that a leaked password alone is not enough to take over your account. Periodically check whether your accounts appear in the latest security breaches. Scammers use credential stuffing to take over accounts, which can then be used to spam your contacts.
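The impersonation pattern described in the article (a brand name packed into a free Gmail address posing as Apple support) and the domain check in the tips above can be turned into a simple mail-filter heuristic. This is an added example, not code from the article or from Apple; the brand-domain table, the freemail list, the urgency keywords and the scoring weights are all assumptions.

```python
import re
from email.utils import parseaddr

# Assumed configuration: brands and the domains allowed to send mail for them.
# A real filter would load this from policy, not hard-code it.
BRAND_DOMAINS = {
    "apple": {"apple.com", "icloud.com"},
    "icloud": {"apple.com", "icloud.com"},
}

# Consumer mail providers where anyone can register an address like
# 'applebackupicloud' (constructed list).
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

BRAND_RE = re.compile(r"(apple|icloud)", re.IGNORECASE)
URGENCY_RE = re.compile(r"password|verif|suspend|urgent", re.IGNORECASE)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def domain_owned_by(domain: str, allowed: set) -> bool:
    """True if domain equals or is a subdomain of an allowed brand domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def brand_impersonation_score(from_header: str, subject: str):
    """Score a message for brand impersonation; higher means more suspicious.

    Header-only heuristic (assumed weights): a brand name in the display
    name, local part or subject, sent from a domain the brand does not
    own, is exactly the pattern used in the Chi case. Authentication
    results (SPF/DKIM/DMARC) would be stronger signals in production.
    """
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    domain = domain.lower()
    score, reasons = 0, []

    brands = sorted({m.lower() for m in BRAND_RE.findall(f"{name} {local} {subject}")})
    for brand in brands:
        if not domain_owned_by(domain, BRAND_DOMAINS[brand]):
            score += 2
            reasons.append(f"'{brand}' mentioned but sender domain is {domain}")
    if brands and domain in FREEMAIL:
        score += 2
        reasons.append("brand name used from a freemail provider")
    if URGENCY_RE.search(subject):
        score += 1
        reasons.append("urgency or credential language in subject")
    return score, reasons
```

Run against a constructed lookalike (`"Apple Support" <applebackupicloud@gmail.com>`) the function scores 7 with four reasons, while a message from a real Apple subdomain with a neutral subject scores 0.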
