The 19-year-old man, who reportedly hacked Miss Teen USA's webcam and threatened to ruin her career by publishing nude photos taken in her bedroom surrendered to FBI agents on Thursday.
Authorities said that the man, Jared James Abrahams, of the US city of Temecula, in California, knew the beauty queen, Cassidy Wolf, in real life.
Abrahams, a college freshman majoring in computer science, will face a charge of extorting nude photos and videos of not only Miss Teen USA, Cassidy Wolf, but more than a dozen other women, including victims in Ireland, Moldova and Canada, the FBI believe.
According to the criminal complaint [PDF], Abrahams allegedly hacked computers and took nude photos or videos of his victims by remotely turning on their webcams.
He would then allegedly email some of his victims, sending copies of the images and threatening to publish them on social media unless the women sent him more nude photos, sent a nude video, or logged onto Skype to do whatever he told them to do for five minutes.
The complaint reports that Abrahams threatened one victim that he'd transform her "dream of being a model … into [the victim] being a porn star" if she didn't follow his commands.
Upon a search of Abrahams' house on 4 June 2013, federal agents said they seized a computer, a laptop, a mobile phone, and thumb drives. Those devices contained evidence of hacking software and malware used to take over victims' computers, the complaint says.
Images and videos of some victims were also found on the devices, according to the criminal complaint.
FBI Special Agent Julie Patton said in the complaint that Abrahams admitted to her and another agent that he had, in fact, infected victims' computers, watched his victims change their clothes, and used photos against his victims.
The court documents refer to one victim as C.W., and Ms. Wolf has publicly acknowledged that she is that victim.
Abrahams admitted that Wolf was the first hacking victim whom he knew personally.
Abrahams also admitted to getting another victim, M.M., to take off her clothes during a Skype session, after which he pretended to delete the original photos he'd used to sextort her compliance, the complaint says.
On 21 March 2013,Wolf received an email from Facebook saying that somebody was trying to change her account password.
She later learned that somebody had changed her Twitter, Tumblr and Yahoo email passwords and had changed her Twitter profile picture to a half-nude picture.
Within 30 minutes of having received the Facebook message, Wolf received an anonymous email from someone who claimed to have nude photos of her, taken via the webcam on her computer.
Here's an excerpt from the threatening email, from the court papers:
Here's what's going to happen! Either you do one of the things listed below or I upload these pics and a lot more (I have a LOT more and those are better quality) on all your accounts for everybody to see and your dream of being a model will be transformed into a pornstar. Do one of the following and I will give you back all your accounts and delete the pictures. 1) send me good quality pics on snapchat 2) Make me a good quality video 3) Go on skype with me and do what I tell you to do for 5 minutes If you don't do those or if you simply ignore this then those pics are going up all over the internet. It's your choice :) Also I'm tracking this email so I'll know when you open it. If you don't respond then your pics are going up.
He used a smiley emoticon. Isn't that adorable? Ugh.
Further analysis turned up forum messages asking about using a fully undetectable (FUD) keylogger. Also, Abrahams allegedly asked for advice on getting victims to download it, given that he "[sucks] at social engineering."
Other messages reference infecting a schoolmate with "blackshades" and "darkcomet" - both remote-access tools (RATs) or Trojans.
Abrahams was freed on $50,000 bail, though a judge confined him to his family's home, ordered him to wear a GPS monitor, and said he could only use the home computer for schoolwork, with software to be installed that will monitor its use, the Daily Mail reports.
If found guilty, Abrahams could be sentenced to federal prison for up to two years.
The typical advice in such cases of webcam hijacking is to advise people to put a patch - black tape, a sticker or a bandage, for example - over their cameras when they're not in use, or to point external devices at the wall.
That's still good advice. But this particular case points to other threat vectors, as well.
Namely, Abrahams admitted to somehow tricking his victims into installing malware that allowed him to take over their computers.
RATs are nasty creatures. Beyond allowing attackers to remotely turn on your webcam to spy on and record you, they enable remote viewing and modification of your computer's files and functions, storage of files and programs on your computer, or even the use of your computer to attack other computers.
How do you prevent and detect RATs?
Here are some tips:
- Use security software, and keep it up to date. Any decent one should detect a variety of malware, including Trojans and keyloggers.
- Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious. How do you determine if a link is "strange"? Hover over a link without clicking on it. You'll see the full URL of the link's true destination in a lower corner of your browser.
- Don't use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don't trust the sender. Instead, navigate to the website directly.
- Don't open email attachments from someone you don't know. Heck, be careful even if you do know the sender. Such attachments could still be infected, even if coming from somebody you know.
For her part, Wolf has gone on to use her victimization to help others. After she was named Miss California, she traveled to schools to raise awareness about cybercrime among teens.
She's my hero. She's no sucker. She and other victims didn't allow themselves to be bullied. Instead, they immediately reported the extortion attempts.
So after you rig your system up to protect from RATs and other malware, perhaps the most important thing to do is to make sure that the young people in your life know what to do if they get contacted by an extortionist:
Tell somebody. Immediately.Follow @NakedSecurity