A California man has pled guilty to impersonating iCloud customer support over email in order to gain access to thousands of accounts.
He stole more than 620,000 photos and 9,000 videos, stopping in mid-2018 after FBI agents raided his house during their investigation. His motive: Stealing and sharing images of nude women, hosted on his Dropbox account.
The upsetting incident is a reminder that Apple's security controls can't protect a user who hands their credentials to a phisher.
How the Scam Worked
Notably, this was not a hack or a data breach. Apple's security never failed, and Apple didn't know their customers' private information was being stolen. Instead, it was a phishing scheme: The man, 40-year-old Hao Kuo Chi, worked with his still-unnamed co-conspirators to send emails intended to lure victims into revealing their Apple ID login passwords.
The Los Angeles Times broke the story, working with information from federal authorities, court documents, and the FBI investigation. Chi created Gmail addresses to pretend to be an Apple customer support representative: Two examples from the FBI were “applebackupicloud” and “backupagenticloud.”
These two accounts held more than 500,000 emails, according to the FBI, 4,700 of which included iCloud user IDs and passwords.
Chi has pled guilty to four federal charges: One count of conspiracy and three counts of gaining unauthorized access to a protected computer. Each count could add five years to his sentence.
He fears public exposure of his crimes would “ruin my whole life,” as he told the LA Times, saying, “I’m remorseful for what I did, but I have a family.” Most people would argue that committing federal crimes is what would ruin his life, rather than the exposure of them.
While Chi is facing justice, the rest of his co-conspirators aren't, and other phishers remain out there. This entire story is a reminder of how misogyny overlaps with cybercrime to stomach-churning results. How can you stay safe from phishing attacks?
There are a few general pointers that anyone can watch out for when trying to dodge phishing attempts from their email inbox, the internet, or even a phone call.
- Check for spelling errors — Email addresses are tough to fake (you'll never get an Apple support email with a Gmail address, for example), and many phishers rely on users not reading very closely. They'll substitute a 1 for an I or a “rn” for an “m.”
- Check your email history — If it's really an email from Apple support, you'll likely have dozens of earlier emails about routine check-ins. If it's a phisher, you won't have that history.
- Consider if the phisher is trying to scare you — People can fall for a scam when they're in a heightened emotional state. That's part of why the pandemic has seen a rise in scammers, and it's why those automated phone calls are constantly telling you that your car warranty is expiring. They don't want you to think twice about verifying them before you act.
- Get a good password manager — Many top password management tools will flag a suspicious website, and if it's a fake site masquerading as one you've already used, the password manager won't auto-load your password for it. We've ranked the top options over here, as well as the best picks for Macs or iPhones.
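The first three pointers above can be turned into a simple triage check that a defender runs over inbound mail before anyone clicks. The script below is an added example and is not from the article, from Apple, or from the investigators; the list of legitimate Apple sender domains, the homoglyph table, the urgency phrases, and the sample messages are all assumptions constructed for the demonstration. It flags a sender that claims a brand but mails from an unrelated domain (the gmail.com addresses in the story), a lookalike domain built from character swaps such as 1 for l or rn for m, a domain with no prior mail history, and a body that leans on urgency or asks for a password.

```python
"""Heuristic phishing triage over inbound mail (defender-side example).

Constructed example; domain lists, phrase lists and samples are assumptions.
"""
import re
from email.utils import parseaddr

# Domains the impersonated brand really sends from (assumed list).
LEGIT_DOMAINS = {"apple.com", "icloud.com", "email.apple.com"}
# Words a sender might use to pose as that brand.
BRAND_WORDS = ("apple", "icloud")
# Character swaps used to mimic a real domain, mapped back to the real glyph.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o"}
# Pressure language that tries to stop the reader from thinking twice.
URGENCY_PHRASES = ("immediately", "suspended", "24 hours", "verify your",
                   "will be locked", "expire")


def sender_parts(from_header: str) -> tuple[str, str, str]:
    """Split a From: header into (display name, local part, domain), lowercased."""
    name, addr = parseaddr(from_header)
    local, _, domain = addr.rpartition("@")
    return name.lower(), local.lower(), domain.lower()


def normalize_lookalike(domain: str) -> str:
    """Undo common homoglyph swaps so app1e.com compares equal to apple.com."""
    out = domain
    for fake, real in HOMOGLYPHS.items():
        out = out.replace(fake, real)
    return out


def check_sender(from_header: str) -> list[str]:
    """Pointer 1: does the address really belong to the brand it claims?"""
    name, local, domain = sender_parts(from_header)
    if domain in LEGIT_DOMAINS:
        return []
    reasons = []
    if any(w in name or w in local for w in BRAND_WORDS):
        reasons.append(f"claims {'/'.join(BRAND_WORDS)} but sent from {domain}")
    if normalize_lookalike(domain) in LEGIT_DOMAINS:
        reasons.append(f"lookalike domain {domain}")
    if any(w in domain for w in BRAND_WORDS):
        reasons.append(f"brand name inside unrelated domain {domain}")
    return reasons


def check_body(body: str) -> list[str]:
    """Pointer 3: pressure language and a direct request for credentials."""
    text = body.lower()
    reasons = []
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))
    if re.search(r"\bpassword\b|\bpasscode\b", text):
        reasons.append("asks for a password")
    return reasons


def triage(message: dict, prior_domains: set[str]) -> tuple[int, list[str]]:
    """Combine the checks; pointer 2 is the prior-history test on the domain."""
    reasons = check_sender(message["from"]) + check_body(message["body"])
    _, _, domain = sender_parts(message["from"])
    if domain and domain not in prior_domains:
        reasons.append(f"no prior mail from {domain}")
    return len(reasons), reasons


# Constructed sample mailbox; the gmail.com account name echoes the article.
SAMPLE_MESSAGES = [
    {"from": "Apple Support <applebackupicloud@gmail.com>",
     "subject": "iCloud backup failed",
     "body": "Your iCloud backup could not complete. Verify your Apple ID and "
             "password immediately or your account will be locked."},
    {"from": "Apple <noreply@email.apple.com>",
     "subject": "Your receipt",
     "body": "Thanks for your purchase. View your receipt in Settings."},
    {"from": "Account Team <security@app1e.com>",
     "subject": "Action required",
     "body": "Your account is suspended. Reply with your password within 24 hours."},
]
# Domains this mailbox has legitimately received from before (constructed).
PRIOR_DOMAINS = {"email.apple.com", "apple.com"}

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        score, why = triage(msg, PRIOR_DOMAINS)
        print(f"{score} flag(s): {msg['from']}")
        for r in why:
            print("   -", r)
```

Run as a script it prints a flag count per message; the genuine receipt from email.apple.com scores zero while both impostors collect four flags each. The score is only a triage aid for a human or a mail filter, not a verdict: a real deployment would sit behind SPF/DKIM/DMARC checks rather than replace them.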
As always, stay on guard if you ever get an email asking for your login information to anything. No one wants to wind up losing data over an email they could have sent straight to their spam folder instead.