Celebgate latest: Fourth dirtbag 'fesses up to pillaging iCloud for stars' X-rated selfies

Fake tech support mails used to phish for photo album logins

By Iain Thomson in San Francisco

Posted in Cloud, 12th January 2018 20:57 GMT

A fourth man has admitted stealing Hollywood stars' private nude photos that eventually leaked online in what became known as Celebgate.

George Garofano, 26, of Northford, Connecticut, USA, pleaded guilty this week to one count of unauthorized access to a protected computer to obtain information. The FBI reckons Garofano actually ransacked more than 250 cloud accounts; in a plea deal, however, he 'fessed up to just one charge.

According to the Feds, between April 2013 and October 2014, Garofano was part of a creepy crew who sent fake Apple technical support emails to celebs and those who worked for them, tricking many of their marks into handing over their iCloud passwords, either by social engineering or by directing them to a phishing website. This allowed the cyber-villains to harvest the Apple-hosted accounts for naked selfies, sex tapes, personal information, and other compromising material, which eventually made their way online.

"Garofano used the usernames and passwords to illegally access his victims’ iCloud accounts, which allowed him to steal personal information, including sensitive and private photographs and videos, according to his plea agreement," prosecutors in California said on Thursday.

"In some instances, Garofano traded the usernames and passwords, as well as the materials he stole from the victims, with other individuals."

As well as Garofano, three other people have since been cuffed by the Feds for their part in the hustle.

Emilio Herrera pled guilty in October to Celebgate hacking, and last January Illinois man Edward Majerczyk was jailed for nine months for his role in the affair. In October 2016, Ryan Collins got 18 months in the cooler for similar, albeit more widespread, hacking of accounts.

Garofano was charged in California, and his trial was moved to his home state as part of the plea deal. He faces a maximum of five years behind bars and a supervised release. ®
