Brute-force and phishing used to learn iCloud passwords

Jun 10, 2015 17:49 GMT  ·  By

Last year’s massive photo leak from the iCloud accounts of multiple celebrities (most of them women) led the FBI to raid two homes in Chicago last October, but the raids produced no criminal charges, according to a law enforcement affidavit.

Dubbed Celeb Gate, the incident occurred in August 2014, when anonymous imageboards (4Chan in particular) became flooded with explicit images and videos of more than 100 celebrities.

Among the victims were actresses Jennifer Lawrence, Mary Elizabeth Winstead, singer Ariana Grande, model Kate Upton, and many others.

Hundreds of iCloud accounts accessed illegally

The FBI documents are dated October 15, 2014, but they were recently unsealed and contain details from interviews with celebrity victims (named only by their initials) and the FBI investigation.

It appears that the perpetrators relied on phishing to gain access to the victims’ accounts for iCloud (Apple’s cloud storage service), where copies of media content on iPhones were automatically stored for backup and synchronization purposes. In some cases, the intruders managed to extract content as old as 2012.

The FBI tracked an IP address involved in the incident and found that, between May 14, 2013, and October 10, 2014, it was assigned to Emilio Herrera. Between May 31, 2013, and August 31, 2014, the IP address was used to access about 572 unique iCloud accounts a total of 3,263 times, some of them belonging to Celeb Gate victims.

Password reset attempts were also made from the same address against 1,987 accounts, a volume the affidavit reads as the mark of a brute-force attack: an automated tool that cycles through the strings in a predefined dictionary file until it finds the correct password for an account.

From a second IP address identified by the agents, 330 iCloud accounts were accessed; 291 of those accounts were accessed more than 600 times in total. Eleven of the accounts belonged to Celeb Gate victims.
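The access pattern described above (one address touching hundreds of distinct accounts, plus mass password-reset attempts and a high failure rate) is also the signal a service’s own monitoring would key on. The following is an added example, not code from the article, the affidavit or Apple: it aggregates constructed sample authentication log lines per source IP and flags addresses whose account spread, reset volume or failure ratio looks automated. The log format, event names, sample addresses and thresholds are all assumptions made for the illustration.

```python
"""Flag source IPs whose authentication activity resembles automated,
dictionary-style account attacks: many distinct accounts, many password
resets and a high login-failure ratio from a single address."""
from collections import defaultdict
from dataclasses import dataclass, field


def make_sample_log():
    """Constructed sample auth log (not real data). Line format assumed
    here: '<timestamp> <source_ip> <event> <account>'."""
    lines = []
    # Benign user: one account, a handful of successful logins.
    for i in range(5):
        lines.append(f"2014-08-20T0{i}:00:00Z 198.51.100.10 login_ok alice@example.com")
    # Shared household address: two accounts, one mistyped password.
    lines += [
        "2014-08-20T06:00:00Z 198.51.100.20 login_ok bob@example.com",
        "2014-08-20T06:01:00Z 198.51.100.20 login_fail carol@example.com",
        "2014-08-20T06:01:30Z 198.51.100.20 login_ok carol@example.com",
    ]
    # Automated guessing: one address cycling through many accounts,
    # failing most attempts and also requesting password resets.
    for n in range(40):
        acct = f"victim{n:02d}@example.com"
        ts = f"2014-08-21T00:{n:02d}:00Z"
        lines.append(f"{ts} 203.0.113.7 login_fail {acct}")
        if n % 4 == 0:
            lines.append(f"{ts} 203.0.113.7 password_reset {acct}")
        if n % 10 == 0:
            lines.append(f"{ts} 203.0.113.7 login_ok {acct}")
    # Malformed line that a parser must skip rather than crash on.
    lines.append("garbage line without the expected fields")
    return "\n".join(lines)


@dataclass
class IpStats:
    accounts: set = field(default_factory=set)
    events: int = 0
    failures: int = 0
    resets: int = 0

    @property
    def failure_ratio(self):
        return self.failures / self.events if self.events else 0.0


def parse_line(line):
    """Return (ip, event, account) or None for a line that does not match
    the assumed four-field format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, ip, event, account = parts
    return ip, event, account.lower()


def aggregate(log_text):
    """Build per-source-IP counters from the raw log text."""
    stats = defaultdict(IpStats)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, event, account = rec
        s = stats[ip]
        s.accounts.add(account)
        s.events += 1
        if event == "login_fail":
            s.failures += 1
        elif event == "password_reset":
            s.resets += 1
    return dict(stats)


def suspicious_ips(stats, min_accounts=20, min_resets=5, min_failure_ratio=0.5):
    """Return {ip: [reasons]} for addresses matching the automated-guessing
    pattern. Thresholds are illustrative assumptions; tune them against
    the service's normal traffic before alerting on them."""
    flagged = {}
    for ip, s in stats.items():
        reasons = []
        if len(s.accounts) >= min_accounts:
            reasons.append(f"{len(s.accounts)} distinct accounts")
        if s.resets >= min_resets:
            reasons.append(f"{s.resets} password-reset attempts")
        # Require some volume before a failure ratio means anything.
        if s.events >= 10 and s.failure_ratio >= min_failure_ratio:
            reasons.append(f"failure ratio {s.failure_ratio:.2f}")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in suspicious_ips(aggregate(make_sample_log())).items():
        print(ip, "->", "; ".join(reasons))
```

The three signals are deliberately independent: a password-spraying tool that tries one guess per account keeps the per-account failure count low but still spreads across many accounts, while a reset-abuse tool may never fail a login at all. As the article itself cautions, a flagged address identifies a network endpoint, not a person; a NAT gateway or a compromised machine used as a proxy will trip the same thresholds.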

No arrests made, investigation continues

Based on these findings, FBI agents requested search warrants for the two locations tied to the IP addresses: Herrera’s house on South Washtenaw and an apartment on South Narragansett in the Clearing neighborhood of Chicago.

According to a report from the Chicago Sun-Times, the FBI raided both residences and seized electronic equipment to look for evidence linking the owners to the photo leak, but no criminal charges were filed.

Although the IP addresses tie the illegal access to those two residences, the real culprits may be other individuals operating from a distant location, while the owners of the seized equipment could themselves be victims of an intrusion that turned their machines into proxies for the criminal activity.