A California man impersonated an Apple customer support technician in a socially engineered email campaign that stole people’s iCloud passwords to break into accounts and collected upwards of 620,000 private photos and videos.
Hao Kuo Chi, 40, of La Puente, has agreed to plead guilty to four felonies, including conspiracy to gain unauthorized access to a computer, in a scam that ultimately aimed to steal and share nude images of young women, according to court records and a report by the Los Angeles Times.
Chi admitted to marketing himself as a hacker-for-hire that could break into iCloud accounts using the moniker “icloudripper4you.” He then would dupe people into giving up their Apple IDs and passwords so he could steal photos from where they were stored in the cloud on Apple servers.
“I don’t even know who was involved,” Chi told the LA Times, according to the report.
Numerous Privacy Risks
The case underscores the increased privacy risk people face when using cloud-based services from trusted partners like Apple to store personal images and other info online. With criminals socially-engineering phishing campaigns that seem more and more convincing, it’s becoming increasingly easy for clever threat actors to fool people into giving up credentials that put their hosted data at risk.
The case also raises new questions about a recent disclosure by Apple of its planned rollout of a feature aimed at detecting child sexual abuse material (CSAM) images stored in iCloud Photos, which already is being criticized by privacy groups like the Electronic Frontier Foundation for the security hole it opens up.
The foundation warned that the process of flagging CSAM images essentially narrows the definition of end-to-end encryption to allow client-side access — which essentially means Apple is building a backdoor into its data storage, the foundation said. This could open iCloud for more potential security risks, experts said.
Chi did not use any security flaws in his criminal activity, sources said. Instead, he used two Gmail addresses that seemed legitimate enough to victims to get them to give up their iCloud sign-on info–“applebackupicloud” and “backupagenticloud,” the FBI disclosed in court papers.
Combined, the two accounts included 500,000 emails, 4,700 of which contained iCloud user IDs and passwords that victims willingly sent to Chi, according to the FBI.
Once he had the credentials, Chi would break into the iCloud account of a particular account holder at the request of whoever hired him for the job. The parties used Dropbox to exchange photos, with Chi’s Dropbox account including about 620,000 photos and 9,000 videos that were organized based on whether they contained nude images, according to FBI agent Anthony Bossone, the LA Times reported.
Federal authorities became wise to Chi’s activity in March 2018 after a California company that specializes in removing celebrity photos from the internet notified an unidentified public figure in Tampa, Fla., that nude photos of the person had been posted on pornographic websites, according to Bossone. It was later discovered that the victim had stored the stolen photos on an iPhone and backed them up to iCloud.
Eventually, investigators tracked the log-in to the victim’s iCloud account to an internet address at Chi’s house in La Puente, Calif., according to the FBI. The bureau built a case against Chi by using records obtained from Dropbox, Google, Apple, Facebook and Charter Communications, according to the report.
Eventually, the FIB obtained a search warrant to raid Chi’s house, where they found incriminating evidence that led to his arrest.
Chi agreed to plead guilty to one count of conspiracy and three counts of gaining unauthorized access to a protected computer earlier this month, according to the report. He faces up to five years in prison for each of the four crimes.