Celebgate latest: Fourth dirtbag 'fesses up to pillaging iCloud for stars' X-rated selfies

Fake tech support mails used to phish for photo album logins

By Iain Thomson in San Francisco

Posted in Cloud, 12th January 2018 20:57 GMT

A fourth man has admitted stealing Hollywood stars' private nude photos that eventually leaked online in what became known as Celebgate.

George Garofano, 26, of Northford, Connecticut, USA, pleaded guilty this week to one count of unauthorized access to a protected computer to obtain information. The FBI reckons Garofano actually ransacked more than 250 cloud accounts, however, in a plea deal he 'fessed up to just one charge.

According to the Feds, between April 2013 and October 2014, Garofano was part of a creepy crew who sent fake Apple technical support emails to celebs and those who worked for them, tricking many of their marks into handing over their iCloud passwords, either by social engineering or by directing them to a phishing website. This allowed the cyber-villains to harvest the Apple-hosted accounts for naked selfies, sex tapes, personal information, and other compromising material, which eventually made their way online.

"Garofano used the usernames and passwords to illegally access his victims’ iCloud accounts, which allowed him to steal personal information, including sensitive and private photographs and videos, according to his plea agreement," prosecutors in California said on Thursday.

"In some instances, Garofano traded the usernames and passwords, as well as the materials he stole from the victims, with other individuals."

As well as Garofano, three other people have since been cuffed by the Feds for their part in the hustle.

Emilio Herrera pled guilty in October to Celebgate hacking, and last January Illinois man Edward Majerczyk was jailed for nine months for his role in the affair. In October 2016, Ryan Collins got 18 months in the cooler for similar, albeit more widespread, hacking of accounts.

Garofano was charged in California, and his trial was moved to his home state as part of the plea deal. He faces a maximum of five years behind bars and a supervised release. ®

Sign up to our NewsletterGet IT in your inbox daily

17 Comments

More from The Register

Apple's iOS password prompts prime punters for phishing: Too easy now for apps to swipe secrets, dev warns

Fake login request boxes spark formal bug report

Amazon and Netflix join Hollywood to lob sueball at 'Kodi' service SetTV

No surprise really

Indian hacking gang goes on three-year Chinese phishing trip

Gang has cunning way of hiding itself by using multiple names

1 in 5 Michigan state staffers fail phishing test but that's OK apparently

IT security in America's Water Wonderland deemed so-so in tech audit

Phishing scum going legit to beat browser warnings

Now that Chrome and Firefox call out HTTP, phisherpholk are getting certified

Gmail is secure. Netflix is secure. Together they're a phishing threat

Google doesn't recognise dots in email addresses, which creates an opportunity for evil

New York State is trying to ban 'deepfakes' and Hollywood isn't happy

Disney and NBCUniversal say the new bill is potentially unconstitutional

Lord of the Rings TV show shopped around Hollywood

Rights carrot dangled before Netflix, Amazon and HBO, apparently

Botched upgrade at Belgian bank Argenta sparks phishing frenzy

Fraudsters seize advantage as transfers, balances grind to halt

Seven in ten UK unis admit being duped by phishing attacks

Not so smart now, eh?