Sophos Cloud Optix
The 19-year-old man, who reportedly hacked Miss Teen USA’s webcam and threatened to ruin her career by publishing nude photos taken in her bedroom surrendered to FBI agents on Thursday.
Authorities said that the man, Jared James Abrahams, of the US city of Temecula, in California, knew the beauty queen, Cassidy Wolf, in real life.
Abrahams, a college freshman majoring in computer science, will face a charge of extorting nude photos and videos of not only Miss Teen USA, Cassidy Wolf, but more than a dozen other women, including victims in Ireland, Moldova and Canada, the FBI believe.
According to the criminal complaint [PDF], Abrahams allegedly hacked computers and took nude photos or videos of his victims by remotely turning on their webcams.
He would then allegedly email some of his victims, sending copies of the images and threatening to publish them on social media unless the women sent him more nude photos, sent a nude video, or logged onto Skype to do whatever he told them to do for five minutes.
The complaint reports that Abrahams threatened one victim that he’d transform her “dream of being a model … into [the victim] being a porn star” if she didn’t follow his commands.
Upon a search of Abrahams’ house on 4 June 2013, federal agents said they seized a computer, a laptop, a mobile phone, and thumb drives. Those devices contained evidence of hacking software and malware used to take over victims’ computers, the complaint says.
Images and videos of some victims were also found on the devices, according to the criminal complaint.
FBI Special Agent Julie Patton said in the complaint that Abrahams admitted to her and another agent that he had, in fact, infected victims’ computers, watched his victims change their clothes, and used photos against his victims.
The court documents refer to one victim as C.W., and Ms. Wolf has publicly acknowledged that she is that victim.
Abrahams admitted that Wolf was the first hacking victim whom he knew personally.
Abrahams also admitted to getting another victim, M.M., to take off her clothes during a Skype session, after which he pretended to delete the original photos he’d used to sextort her compliance, the complaint says.
On 21 March 2013,Wolf received an email from Facebook saying that somebody was trying to change her account password.
She later learned that somebody had changed her Twitter, Tumblr and Yahoo email passwords and had changed her Twitter profile picture to a half-nude picture.
Within 30 minutes of having received the Facebook message, Wolf received an anonymous email from someone who claimed to have nude photos of her, taken via the webcam on her computer.
Here’s an excerpt from the threatening email, from the court papers:
Here's what's going to happen! Either you do one of the things listed below or I upload these pics and a lot more (I have a LOT more and those are better quality) on all your accounts for everybody to see and your dream of being a model will be transformed into a pornstar. Do one of the following and I will give you back all your accounts and delete the pictures. 1) send me good quality pics on snapchat 2) Make me a good quality video 3) Go on skype with me and do what I tell you to do for 5 minutes If you don't do those or if you simply ignore this then those pics are going up all over the internet. It's your choice 🙂 Also I'm tracking this email so I'll know when you open it. If you don't respond then your pics are going up.
He used a smiley emoticon. Isn’t that adorable? Ugh.
Further analysis turned up forum messages asking about using a fully undetectable (FUD) keylogger. Also, Abrahams allegedly asked for advice on getting victims to download it, given that he “[sucks] at social engineering.”
Other messages reference infecting a schoolmate with “blackshades” and “darkcomet” – both remote-access tools (RATs) or Trojans.
Abrahams was freed on $50,000 bail, though a judge confined him to his family’s home, ordered him to wear a GPS monitor, and said he could only use the home computer for schoolwork, with software to be installed that will monitor its use, the Daily Mail reports.
If found guilty, Abrahams could be sentenced to federal prison for up to two years.
The typical advice in such cases of webcam hijacking is to advise people to put a patch – black tape, a sticker or a bandage, for example – over their cameras when they’re not in use, or to point external devices at the wall.
That’s still good advice. But this particular case points to other threat vectors, as well.
Namely, Abrahams admitted to somehow tricking his victims into installing malware that allowed him to take over their computers.
RATs are nasty creatures. Beyond allowing attackers to remotely turn on your webcam to spy on and record you, they enable remote viewing and modification of your computer’s files and functions, storage of files and programs on your computer, or even the use of your computer to attack other computers.
How do you prevent and detect RATs?
Here are some tips:
- Use security software, and keep it up to date. Any decent one should detect a variety of malware, including Trojans and keyloggers.
- Don’t click on strange links, even if they’re from friends, and notify the person if you see something suspicious. How do you determine if a link is “strange”? Hover over a link without clicking on it. You’ll see the full URL of the link’s true destination in a lower corner of your browser.
- Don’t use the links in an email, instant message, or chat to get to any web page if you suspect the message might not be authentic or you don’t trust the sender. Instead, navigate to the website directly.
- Don’t open email attachments from someone you don’t know. Heck, be careful even if you do know the sender. Such attachments could still be infected, even if coming from somebody you know.
For her part, Wolf has gone on to use her victimization to help others. After she was named Miss California, she traveled to schools to raise awareness about cybercrime among teens.
She’s my hero. She’s no sucker. She and other victims didn’t allow themselves to be bullied. Instead, they immediately reported the extortion attempts.
So after you rig your system up to protect from RATs and other malware, perhaps the most important thing to do is to make sure that the young people in your life know what to do if they get contacted by an extortionist:
Tell somebody. Immediately.
Images of yellow ribbon, rat, tiara and webcam courtesy of Shutterstock.
Image of Cassidy Wolf © Glenn Francis, www.PacificProDigital.com.
It's good that the extortionst turned himself in. However, that being said, I'm afraid I have no sympathy for poor Little Miss Teen Idiot USA who took pictures of herself with a device that is connected to the Internet.
NOTHING is secure if it can be connected to remotely. People seem to think that just because they don't publish texts or images on the web that they are safe. Nothing cold be further from the truth.
The Great and Powerful "Cloud" that everyone is all excited about for their data and such is like storing your valuables in a cupboard open to the outside except for a screen. All it takes is the right kind of snips to open it and take all your precious stuff.
But I guess hype and advertising sales pitches are more important than reality.
is that what happened? I go the impression that he hacked into her webcam which is different from stealing already taken photos. Meaning that he used it to watch and record her activity in front the camera. So, for example, if her computer was open and she was changing her clothes he could snap that. Meaning she didn't take these pictures herself. This could happen to anyone
Right, her webcam was hacked. She didn't take the photos herself.
Perhaps I'm misunderstanding the article, or don't know enough about the case, but…How do you know she took pictures of herself? Didn't the hacker remotely turn on her webcam? Two different things.
Either way, your lack of sympathy, personal remarks and condemnation of someone you don't know is a reflection on your personality I suppose.
Working on the assumption that nothing is private is sensible these days, but not everyone is as discerning as you assert to be, are they.
RTFA. The extortionist infected her computer and took the pictures himself using her webcam.
I guess blaming the victim and calling women names is more important than reality.
Did you not read it?
*HE* took the pictures of her by remotely accessing her webcam. She didn't take them.
See? It was HIM! NOT HER!
"According to the criminal complaint [PDF], Abrahams allegedly hacked computers and took nude photos or videos of his victims by remotely turning on their webcams."
I have no sympathy for you Mr. Poor Uninformed Idiot Wolf_Star. She did not take pictures of herself; she was the victim of someone hacking into her computer and taking pictures of her while she lived a day-to-day life, including changing, showering, etc.
Um – she didn't take pictures of herself – the sicko who did this accesses her computer remotely, waited for her to be naked *in the comfort and what she thought was the security of her own bedroom* then *he* took the pictures. Way to victim-blame.
I think if you read it properly you will find the photos were unknowingly taken by her webcam (Probably after she had a shower and was getting dressed in her room, like most teenagers do) and she did not already have these naked photos on her computer, god, have a little faith in people!
As long as it is possible for webcams to be turned on remotely,anyone can take any kind of photo of you without your knowledge or permission.Until webcams are built to be turned on through physical access only (like computers themselves are now ) this type of crime will continue.
A piece of paper over the webcam always work. Simple solutions to complex problems. Also not being nude in front of the webcam also helps.
Lisa, when cyber crimes such as this occur, where should they be reported? (Here in the U.S.) Is there a unit that deals with that here at this point?
Beth, I'd suggested reporting it to the FBI. They're the ones who nailed this guy. From personal experience alone, I'd have to say local police departments fall on a very wide spectrum with regards to their knowledge of computer crime.
From a more official standpoint, I'll point you to the Justice Department's take on it. The DoJ says: "Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime. Citizens who are aware of federal crimes should report them to local offices of federal law enforcement."
They have links that drill down into where to report specific types of Internet crime.
See: http://www.justice.gov/criminal/cybercrime/report….
I'll be sure to include those resources in future reporting on these issues, so thanks for asking the question.
Were those tips recycled from 10 years ago? Anti-spyware as a concept is so 2005 – spyware's just another kind of malware that any decent "antivirus" should detect. Same goes for Trojans and keyloggers.
If I'm sick I go see the doctor -anyone who tells me I should check in with an elbow doctor and a kidney doctor too is trying to scam me. Maybe try scanning occasionally with a secondary product, but don't install a double dose of real time protection.
Thanks for the feedback Jake. The tips are now updated.