Celebgate latest: Fourth dirtbag 'fesses up to pillaging iCloud for stars' X-rated selfies

Fake tech support mails used to phish for photo album logins

By Iain Thomson in San Francisco


A fourth man has admitted stealing Hollywood stars' private nude photos that eventually leaked online in what became known as Celebgate.

George Garofano, 26, of Northford, Connecticut, USA, pleaded guilty this week to one count of unauthorized access to a protected computer to obtain information. The FBI reckons Garofano actually ransacked more than 250 cloud accounts; in a plea deal, however, he 'fessed up to just one charge.

According to the Feds, between April 2013 and October 2014, Garofano was part of a creepy crew who sent fake Apple technical support emails to celebs and those who worked for them, tricking many of their marks into handing over their iCloud passwords, either by social engineering or by directing them to a phishing website. This allowed the cyber-villains to harvest the Apple-hosted accounts for naked selfies, sex tapes, personal information, and other compromising material, which eventually made their way online.

"Garofano used the usernames and passwords to illegally access his victims’ iCloud accounts, which allowed him to steal personal information, including sensitive and private photographs and videos, according to his plea agreement," prosecutors in California said on Thursday.

"In some instances, Garofano traded the usernames and passwords, as well as the materials he stole from the victims, with other individuals."

As well as Garofano, three other people have since been cuffed by the Feds for their part in the hustle.

Emilio Herrera pled guilty in October to Celebgate hacking, and last January Illinois man Edward Majerczyk was jailed for nine months for his role in the affair. In October 2016, Ryan Collins got 18 months in the cooler for similar, albeit more widespread, hacking of accounts.

Garofano was charged in California, and his trial was moved to his home state as part of the plea deal. He faces a maximum of five years behind bars and a supervised release. ®
