In the cooler for the next three years: Hacker of iCloud accounts used by athletes and rappers

Phishing led to shopping spree with victims' credit cards

A man from the US state of Georgia who pleaded guilty in March to breaking into the Apple iCloud accounts of sports and entertainment figures was sentenced on Thursday to three years and one month in federal prison – and ordered to pay almost $700,000 in restitution.

Kwamaine Jerell Ford was indicted in April, 2018, at the age of 27, for six counts each of wire fraud, computer fraud, access device fraud, and aggravated identity theft. He pleaded guilty earlier this year to a single count of computer fraud and a single count of aggravated identity theft.

Ford faced charges for hacking into more than 100 Apple iCloud accounts of professional athletes and rappers using a phishing scheme.

'More creative and more devious'

"In today’s high tech world, citizens entrust their personal information to a number of service providers and expect that information to be protected,” said Chris Hacker, the aptly named Special Agent in Charge of FBI Atlanta, in a statement. "Unfortunately, identity thieves are becoming more creative and more devious."

Ford's scheme, which spanned the period from March 2015 to March 2018, was not particularly creative nor devious, but it worked well enough. It involved duping the people into believing that he was an Apple support representative so they would reveal their iCloud account passwords and the answers to their security questions.

According to the indictment filed against him, Ford conducted his phishing attack using email addresses like applememberservices@usa.com and apple_customer@usa.com to fool people into thinking his messages had been sent from a legitimate Apple address.

Scam

USA.com is an insecure (HTTP) website that offers a search engine for local business information. The site, however, does not control email affiliated with the domain, which is administered by email service provider Mail.com, as USA.com notes on its scam warning page.

Though this warning pre-dates Ford's scheme, the indictment against him makes clear that Ford's victims failed to see anything wrong with messages from the USA.com domain.

"Using these spoof email accounts, Ford sent emails to victims containing misrepresentations about the status of their iCloud accounts, including false claims that the account had been locked or that a user was attempting to share a video file, and requested that the victims provide login credentials, including the account password or the answers to iForgot security questions," the complaint.

It notes that Ford also sometimes called victims on the phone pretending to be an Apple employee in order to obtain personal information.

Jaylaw

Celebgate latest: Fourth dirtbag 'fesses up to pillaging iCloud for stars' X-rated selfies

READ MORE

Once he had obtained the login credentials of victims' iCloud accounts, Ford would access them and reset the passwords so he would have sole control. Thereafter, he was able to use credit cards associated with the accounts to make purchases and transfer funds to other accounts under his control.

The court documents do not make clear whether the credit card numbers obtained were stored in files accessible through iCloud or were stored by Apple as an iCloud payment method. Nor do the documents, at least those available to the public, specify the names of the victims, characterized by US Attorney Byung Pak as "celebrities" involved in sports and music.

In any event, Ford used the stolen credit card numbers to spend $322,567 over a three-year period, on flights, car travel, hotels, retail goods, restaurants, and cash transfers to his online financial accounts, according to the US Attorney's Office of the Northern District of Georgia.

In a similar case dating back to 2014 that involved computer abuse but not identity theft charges, four hackers broke into the iCloud accounts of celebrities and obtained nude pictures that they then posted on Reddit and 4Chan, an incident referred to as Celebgate. Between 2016 and 2018, the four men involved – Ryan Collins, Edward Majerczyk, Emilio Herrera, and George Garofano – pleaded guilty and received sentences ranging from 8 months to 18 months. ®

Sponsored: Balancing consumerization and corporate control




Biting the hand that feeds IT © 1998–2019