Creep signs plea deal for celebrity nudes hack

A third creep has pleaded guilty to phishing passwords for people’s Apple iCloud and Gmail accounts and then ransacking them for nude photos in the 2014 Celebgate photo thefts.

On Monday, the Chicago US Attorney’s Office said that 32-year-old Emilio Herrera, of Chicago, has signed a plea agreement and is expected to plead guilty to a felony violation of the Computer Fraud and Abuse Act (CFAA).

Herrera agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

It was only one count for the purpose of the plea deal, but Herrera was suspected of pawing at people’s photos a bit more persistently than that: the FBI has claimed that Herrera’s IP address was allegedly used to access about 572 unique iCloud accounts.

The IP address went after some of those accounts numerous times: in total, somebody using it allegedly tried to access 572 iCloud accounts on 3,263 occasions. Somebody at that IP address also allegedly tried to reset 1,987 unique iCloud account passwords approximately 4,980 times.

Prosecutors alleged that Herrera was particularly keen to get his hands on a neighbor’s sensitive photographs, videos and other private information: he accessed the neighbor’s Gmail account 495 times, they claimed.

According to the FBI, the original Celebgate thefts (there have been several go-rounds, showing that some thieves must think that the FBI can only catch other low-lifes) were carried out by a ring of attackers who launched phishing and password-reset scams on celebrities’ iCloud and email accounts.

One of them, Edward Majerczyk, was sentenced to nine months in jail in January 2017. He got to his victims by sending messages doctored to look like security notices from ISPs.

Another Celebgate convict, Ryan Collins, chose to make his phishing messages look like they came from Apple or Google. He got 18 months jail time in October 2016.

According to the plea agreement, Herrera ran his phishing scheme from 27 April 2013 until the end of August 2014. He too whipped up emails that looked like they were coming from the security departments of ISPs, telling the victims that they needed to send their usernames and passwords.

Once they responded – and hundreds did, including approximately 40 celebrities – he’d use the logins to waltz into his victims’ accounts.

Had it not been for the plea deal, Herrera would have been looking at a maximum sentence of 5 years in federal prison (granted, maximum sentences are rarely handed out). But according to the Los Angeles Times, the plea agreement, which was lodged on Monday in federal court in Los Angeles, shaved it down to 18 months. The case was transferred from Los Angeles to the Northern District of Illinois for the entry of Herrera’s guilty plea and sentencing.

As in the investigations into the other two men convicted in Celebgate, investigators couldn’t find evidence that Herrera was the one who leaked the photos online, shared the material or uploaded anything he’d ripped off.

Was it all for his personal viewing pleasure, then? The thrill of getting away with something valuable to somebody else? Both?

The response I assume many of his victims have: Who cares? Their privacy was treated like birdcage liner, regardless of whether a given thief shared or published their photos. Multiple thieves wanted to invade people’s privacy, and multiple thieves are now paying for it.

Mind you, there’s no saying that the investigation is over: there’s still Celebgate 2.0 and 3.0 to keep the FBI busy.

We’ll keep reporting on the convictions, and hopefully we’ll all take this chance to renew our caution with regard to protecting our login credentials. Crooks get those credentials by phishing, be it by email, text message or iMessage, and then use them to break into a target’s iCloud and/or Gmail accounts.

All of which points to how scams that seem as old as the hills – like phishing – are still very much a viable threat.

Granted, it can be tough to tell the difference between legitimate and illegitimate messages.

So here are some ways to keep your private images from winding up in the thieves’ sweaty palms:

  • Don’t click on links in emails and thus get your login credentials phished away. If you really think your ISP, for example, is trying to contact you, get in touch by typing in the URL for its website and contacting it via a phone number or contact form you find there.
  • Lock down privacy settings on social media (here’s how to do it on Facebook, for example), don’t share photos with people you don’t know and trust, and be careful of who you consider your “friends”. One example of creeps posing as friends can be found on the creepshot sharing site Anon-IB, where users have posted images they say they took from Instagram feeds of “a friend”.
  • Use multifactor authentication (MFA) whenever possible. MFA means you need a one-time login code, as well as your username and password, every time you log in. That’s one more thing the scumbags need to figure out every time they try to phish you.
  • Use strong passwords.