In 2014 someone leaked nude photos of celebrities on the Internet which apparently were stolen from Apple iCloud accounts. Not much has been heard about the police investigation since, but several news sites are today reporting that the FBI quickly had an idea who might have been behind them and their techniques.
According to affidavits filed by the FBI in support of a search warrant several months after the incidents, several of the victims were tricked by a person or persons in a phishing scam.
The incident again re-enforces the urgency of CISOs warning employees of their organizations to only use email, messaging and social media services that have two-factor authentication.
According to the documents, the scam worked like this: One victim discovered her iTunes password wasn’t working, there were problems with her iCloud services and she lost access to her email account. Somehow — the affidavit doesn’t explain how — her password had been reset. A week later she received a phishing message through iMessage on her iPhone sent from “email@example.com” that said “Your Apple ID was used to login to iCloud from an unrecognized devices on Wednesday August 20, 3014” from Russia. “If this was you please disregard this message. If it wasn’t you, for your protection we recommend you change your password immediately.” It gave a one-time passcode to use when resetting at the address “applesecurity.serveruser.com”
The victim (an actress) couldn’t recall if she clicked on the link, but forwarded it here assistant, who did recognize it wasn’t legitimate.
Similarly an athlete received an iMessage phishing message on his iPhone which he forwarded to his manager that his apple ID was used to login to his iCloud from an unrecognized device, given a link and told to change his password. The athlete told his manager to verify he message. Still, the athlete thought the message was legit and followed the instructions. Minutes later he realized it was a phishing message and reset his iCloud password and changed his email address.
Because of these and other events the FBI investigated computer records and found an Apple iPad at a Chicago address had created an iCloud account “firstname.lastname@example.org.” It also discovered the IP address at that location accessed the iCloud account of several victims and attempted to reset the password by answering security questions.
According to the affidavit supporting a request for a search warrant, between May 2014 and August approximately 330 unique iCloud accounts were accessed from the IP address at that location over 600 times. The agency also found that 22 Gmail accounts were accessed or attempted to access from the IP address. Google couldn’t determine how the passwords were obtained, but the affidavit said several were high profile actresses.
According to Gawker, another Chicago man’s residence was raided that had a computer that allegedly accessed or attempted to access the iCloud and email accounts of celebrities.
Despite the 2014 raids on these residences no one has been charged.