Scammer Infiltrated Thousands of iCloud Accounts to Find Nude Photos

[JMacHack]

First rule of a free society: if what you do only affects yourself, you should be free to do it.

All of the people blaming the victims for either the types of pictures they keep or their susceptibility to a scam are missing the point. No one should be shamed for whatever personal photos they have and, while there are practical steps we should probably take to protect ourselves from the criminally minded, it's not a crime to not follow those steps and it is still a crime to violate people who don't.

If I leave a gold bar on my front porch and someone takes it without my permission, that is theft. It is not my fault, it is the thief's.

I didn’t say it should be illegal, and legally yes, someone who steals your gold bar in that scenario would be a thief. But that doesn’t mean that you aren’t stupid for leaving something valuable in a place where it’s easily stolen.

Hmmm looks like someone from the Amish People found a lost iPhone.

”get with the times boomer! Everyone makes dumb decisions anymore!”

 

[MacCheetah3]

Naiveté is different from fault. I specifically made the point:



Violating the law is criminal. Criminals exist. We should save ourselves some hassle and unpleasant experiences by recognizing that fact. But the rule of law is predicated on equal protection and blaming the victim means you don't believe they deserve to be protected equally and thus don't believe in the rule of law.

Sure, but… Saying something is a dumb idea isn’t equal to claiming a person deserved that action to be held against them. Some commenters may intend it that way, though not all.

 

[God of Biscuits]

uploading nudies to iCloud has got to be the most moronic computer activity a person can do

Wow, Microsoft Windows in there 90s and 00s really did a number on everyone. STOP BLAMING THE VICTIMS.

 

[God of Biscuits]

At least 620,000 photos/videos of people having sex have been uploaded to iCloud? Come on people!

That's none of your business. The ENTIRE point of the crime, of Privacy and account protection.

 

[DeepIn2U]

A criminal from Los Angeles has pled guilty to felony charges after breaking into thousands of iCloud accounts to hunt down nude photos of women, reports The Los Angeles Times.

Hao Kuo Chi collected more than 620,000 private photos and videos by impersonating Apple customer support staff and sending out emails to trick his victims into providing Apple IDs and passwords. Chi used social engineering and phishing schemes to coerce his victims, and he did not breach Apple's iCloud protections.

Chi accessed photos and videos from at least 306 victims across the United States, and most of them were young women. Some of the victims were attacked at the request of people that Chi met online after he marketed himself as "icloudripper4you," a service that could break into iCloud accounts to steal photos and videos.

His unknown co-conspirators would ask Chi to hack a specific iCloud account, and he would respond with a Dropbox link. Chi operated two Gmail addresses "applebackupicloud" and "backupagenticloud," where the FBI found more than 500,000 emails with approximately 4,700 iCloud user IDs and passwords that he had been sent from his victims.

Chi's scam fell apart after he hacked the iCloud account of an unnamed public figure in March 2018 and the photos ended up on pornographic websites. The FBI launched an investigation, and found that a log-in to the victim's iCloud account had come from Chi's home.

Chi has pled guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer, and he now faces up to five years in prison for each crime. In a phone call with The Los Angeles Times, Chi said that he was "remorseful" for what he did, but claimed he had a family to support. He said that he was afraid public exposure of his crimes would "ruin [his] whole life."

The unauthorized iCloud access perpetrated by Chi is similar to a 2014 attack that saw hackers gain access to celebrity iCloud accounts through their username and password.

After that incident, Apple bolstered iCloud account security, offering two-factor authentication and sending emails whenever there's a new login to an iCloud account. The people involved in Chi's attack likely did not have two-factor authentication enabled.

Apple recommends two-factor authentication for all Apple IDs to add extra security, and it offers a support document on how to avoid phishing schemes like the one used by Chi.

Article Link: Scammer Infiltrated Thousands of iCloud Accounts to Find Nude Photos

Very curious if some unknown person in Florida having major issues with a similar investigative case with his best buddy cooperating while in jail?? Hmmm

 

[FaceChart2]

Only a little more than 100,000 photos? What an amateur. Apple can scan through a billion of their customers photos a day.

 

[Lee_Bo]

And how many nude photos are on the web?

 

[visualseed]

You've never met my parents, they're 72 and have trouble working a mobile phone, let alone understand the concept of security on a computer. The last time I tried explaining what the password was (and why she shouldn't just tell other people about it) I ended up having to use one of my younger sisters teddy bears as part of the demonstration to show how an attack works... Then my mum said she understood, wrote the password down with a big chunky permanent marker down on the inside of her phone case and wondered off thinking she was ready to beat the world.

After an hour of exhaustive explanation I have only confirmed you should never work with children, animals... or family.

My father is a pretty bright guy. He was a software developer in the '80s. Worked on Macs and various platforms through the mid 2000s. Generally has a pretty good grasp on technology. Even so, every so often, he gets fouled up by the continual security paradigm shifts.

You don't use a service for a few months and you forget if it was 2FA, just email and password for login? Was it email or sms for verification? What address or number? Am I legitimately having to reset my password or is this a phishing attempt? You are in a hurry. You are frustrated because something you thought was going to be seamless, suddenly isn't. It's hard to argue something doesn't pass the sniff test because with no standard way of securing our credentials everything smells different now.

 

[Analog Kid]

No, "I lost it because I was a complete Muppet and left it unattended on my porch" is victim mentality. Unfortunately the world is rife with this pathetic mentality anymore. Besides, "I took it because you couldn't keep it" doesn't make sense.

Having something stolen from your home is not "victim mentality", it's being a victim. Calling the victim a Muppet rather than the thief a criminal is bizarre.

 

[Krazykev]

This kind of social engineering hack takes on a whole new twist when Apple starts scanning for hashes. This person was downloading files but someone more savvy at cloaking and with nefarious intent could just as easily upload files - unwitting to that user.

 

[Analog Kid]

Sure, but… Saying something is a dumb idea isn’t equal to claiming a person deserved that action to be held against them. Some commenters may intend it that way, though not all.

The one I replied to did:

People who take obscene pics of themselves get what they deserve.

I didn’t say it should be illegal

No, you said they deserved to have their personal images stolen and distributed. You didn’t say it should be illegal, but you implied they shouldn’t be protected by the law.

 

[SpotOnT]

I am not sure who is dumber - someone who hacks others using their own IP address, or someone who uploads nudes to the cloud/sends nudes to others.

 

[pdaholic]

If I leave a gold bar on my front porch and someone takes it without my permission, that is theft. It is not my fault, it is the thief's.

Where do you live, and where on your front porch did you leave the gold brick?

Oh, and my anonymous internet persona will take full responsibility if said brick goes missing. 😂

 

[LeadingHeat]

Chi accessed photos and videos from at least 306 victims across the United States, and most of them were young women.

and he now faces up to five years in prison for each crime.

😰😅🤣

 

[TheDailyApple]

Where do you live, and where on your front porch did you leave the gold brick?

I too would like to know where this brick is. And also whether replacing it with a prettier doorstop would be appreciated.

 

[bluespark]

you do know that Apple employees can open those files and will hand them over to any goverment entity when they request them, right? You also know that if someone can break into it by however means including just guessing the password those images will also leak.

imo, there is zero reasons to take nude pictures of yourself and store them on a far away hard drive (the cloud).

Your first sentence is incorrect. Apple has never been known to open personal photos uploaded to iCloud, and it has been known (repeatedly) to resist government requests for such photos. You might be thinking of the recent news articles about Apple's proposed new hash-matching system, but that system has not yet been implemented and, from what we know, targets only those photos that match hashes associated with known child pornography. The e-mail I responded to was about uploading nude personal photos generally, and called it the "most moronic" thing a person could do on a computer. I simply disagree. iCloud is intended for photos, including personal photos.

Although your second sentence is correct, it is something many people address by using a secure password, two-factor authentication, etc. That obviously didn't work here, but these are the measures that are generally used to protect personal documents and information stored remotely.

As to your view that "there is zero reasons to take nude pictures of yourself and store them" in the cloud, I would suggest that the reasons are the same reasons people would use to store any photos in the cloud -- convenience being the main one. Simply put, people who take photos tend to want easy access to those photos. Perhaps your real point wasn't that "there is zero reasons," since there obviously are reasons, but rather that those reasons are outweighed by countervailing factors?

 

[DEMinSoCAL]

First rule of a free society: if what you do only affects yourself, you should be free to do it.

All of the people blaming the victims for either the types of pictures they keep or their susceptibility to a scam are missing the point. No one should be shamed for whatever personal photos they have and, while there are practical steps we should probably take to protect ourselves from the criminally minded, it's not a crime to not follow those steps and it is still a crime to violate people who don't.

If I leave a gold bar on my front porch and someone takes it without my permission, that is theft. It is not my fault, it is the thief's.

I guess my generation was raised differently. We were taught to think before we act -- think about what could happen and make a choice whether you want to do it. I have the right to jump off a cliff, but is it the smart thing to do?

People's actions have consequences. Just because you can doesn't mean you should.

In the case of nude pics, I think about what would happen if someone got a hold of them. Would that embarrass me? Ruin me? Is it worth it? Today, people don't take responsibility for not thinking first. Not matter what, it's not their fault. That gold bar...if left on your front porch and stolen, you think your homeowners insurance would cover it or would it be negligence on your part?

 

[Analog Kid]

I too would like to know where this brick is. And also whether replacing it with a prettier doorstop would be appreciated.

I always found palladium quite pretty…

 

[Analog Kid]

I guess my generation was raised differently. We were taught to think before we act -- think about what could happen and make a choice whether you want to do it. I have the right to jump off a cliff, but is it the smart thing to do?

People's actions have consequences. Just because you can doesn't mean you should.

In the case of nude pics, I think about what would happen if someone got a hold of them. Would that embarrass me? Ruin me? Is it worth it? Today, people don't take responsibility for not thinking first. Not matter what, it's not their fault. That gold bar...if left on your front porch and stolen, you think your homeowners insurance would cover it or would it be negligence on your part?

People’s actions have consequences, but the consequences here are due to someone else’s actions.

Why should people live their lives according to the most risk averse scenarios? Why should they be faulted when someone else attacks them? Why blame the harmed party, and not the party doing the harm?

It’s not a matter of never being at fault. If you jump off that cliff, it’s your fault. Gravity did nothing wrong.

 

[amartinez1660]

For every dumb hacker like this one, how many are just a little smarter and manage to get away?

Police generally don't catch physical criminals, because criminals don't normally leave DNA or show their face, tattoos, or license plates on camera.

I figure digital criminals are the same...

Not only that: hundreds of victims, thousand of iCloud accounts IDs targeted, it took one of them to be a public figure for the FBI to launch an investigation.

That should be its own second part news headlines for all these crimes… it looks to me that when it is an everyday law abiding citizen they don’t move their butts, but a celebrity? It gets the machine running.

Source: personal experience as a victim of a car related felony that included quite the important (for me) paperworks too. Minutes later the incident I was already at the closest police station but was treated like crap and nothing came out of it… where I to be someone like Billie Eilish (to follow the Apple incessant name dropping everywhere) and I’m pretty sure complete forces would have been mobilized to help Her Honor save face.

 

[SpotOnT]

People’s actions have consequences, but the consequences here are due to someone else’s actions.

Why should people live their lives according to the most risk averse scenarios? Why should they be faulted when someone else attacks them? Why blame the harmed party, and not the party doing the harm?

It’s not a matter of never being at fault. If you jump off that cliff, it’s your fault. Gravity did nothing wrong.

If I forgot to lockup my store after closing and it got robbed I would feel stupid. I would blame myself and be extremely mad at myself. If I parked my car in a bad neighborhood, left valuables in plain site and left the doors unlocked, I would feel like a total idiot and be incredibly angry with myself.

i would of course, also be incredibly mad at whoever robbed my store or entered my car. I would also file a police report and do anything reasonable to bring the culprit to justice.

Those feelings are not exclusive. Both my actions and the criminal’s actions were contributing factors in the crime.

You don’t blame gravity when someone jumps off a cliff. Human nature isn’t much different - how can you blame a hungery person for taking a brick of gold that is left out in plain sight.

 

[Bandaman]

If I forgot to lockup my store after closing and it got robbed I would feel stupid. I would blame myself and be extremely mad at myself. If I parked my car in a bad neighborhood, left valuables in plain site and left the doors unlocked, I would feel like a total idiot and be incredibly angry with myself.

i would of course, also be incredibly mad at whoever robbed my store or entered my car. I would also file a police report and do anything reasonable to bring the culprit to justice.

Those feelings are not exclusive. Both my actions and the criminal’s actions were contributing factors in the crime.

You don’t blame gravity when someone jumps off a cliff. Human nature isn’t much different - how can you blame a hungery person for taking a brick of gold that is left out in plain sight.

It would be more like giving the keys to your store or your car to the person wanting to rob you.

 

[Psychicbob]

Does the iPhone ML recognize variable noses?

Good question! You’ll need to provide multiple nude photos.

 

[skitidetdu]

I've been getting tones of emails alerting me that my Apple ID is hacked and I need to log in with a certain link. Doesn't surprise me that some fall for these scams.

 

[skitidetdu]

That's nothing, Apple will be doing this next IOS.

I don't think Apple has any interest in your dick pics on your iCloud account like this guy had.