[codeecan]

> he impersonated Apple customer support staff in emails that tricked unsuspecting victims into providing him with their Apple IDs and passwords

> He gained unauthorized access to photos and videos of at least 306 victims across the nation

> Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house

Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.

[fooqux]

> Not very sophisticated, but very effective, glad they shut him down but we really need to teach basic internet security in schools.

They could start by following basic security. My kid's school sets everyone's passwords to various forms of "temp123" (same password for every kid) and often talks about them in cleartext. It sets a very bad example, and it occasionally gives me hives just thinking about it.

[throenabout]

A friend worked at a UK government site that one week complained about an increase in "Russian" attempted intrusions and literally the next week issued an instruction in an unsigned email to all staff to change their password to a new password given in plaintext in the email.

The instruction, they thought, had to be a poor phishing attempt - but no, it was a genuine email from the IT department and the friend was punished (!!) for questioning the instruction and not immediately complying.

It may not have been the same password across the organisation but their's was reportedly word based and quite short.

[pier25]

I worked at an ed tech company that provided services for schools and this was very common in my experience.

Schools wanted to store the students' passwords in clear text in an excel basically to get less complaints from parents.

Students didn't store their password after logging in. If they needed to log in again they did not know (or did not care) how to reset their passwords. Then the problem would fall unto the parents which would then complain to the school.

[eli]

This is a failure of the software community, not the users. I don’t think it’s reasonable to ask users to detect a halfway decent phishing attempt.

[glitcher]

I agree that better education around Internet security is needed, especially for basic phishing attacks like this.

OTOH, I believe Apple could be doing more to deter and/or detect this type of broad access, especially with the lack of sophistication behind this scheme! I feel like even Netflix does a better job at alerting me to access from a new device, and they aren't storing any of my personal photos.

[shuckles]

If you have two factor enabled, which is required for many iCloud features, every single Apple device you own will receive an alert with the location of login before you can reveal the 2FA code, even for iCloud logins. What more would you like to see?

[not2b]

They would just get an email saying that icloudbackupsupport@gmail.com (his phony address) accessed the account immediately after giving their info to icloudbackupsupport@gmail.com. He could even have told them to expect and ignore such an email.

[rootusrootus]

There should be a request for approving the login attempt, and if you say yes, you get a six digit code to enter on the device trying to connect. Then when that succeeds, you get another push notification about it succeeding.

[anaganisk]

And thats what happens on any iOS with 2FA enabled.

[enricopulatzo]

Perhaps something in that 2FA request saying "Apple will only ask for your password in-person in a store or other authorized repair provider. Only allow this request if you know who requested it"?

[josho]

You need to spend more time around non technologists. Many folks just dismiss computer prompts without reading, ignore emails, or any number of other similar behaviors that would likely drive you and I crazy by their lack of attention to detail.

Adding detailed prompts won’t solve the problem.

[glitcher]

> Investigators soon discovered that a log-in to the victim’s iCloud account had come from an internet address at Chi’s house

If the attacker was really not covering his tracks, perhaps Apple may have flagged hundreds of different iCloud account logins originating from the same location as something to look into?

[missingcolours]

That's not really a reliable/actionable signal overall - my previous employer had like 20,000 employees NATed behind a single IP.

[oarsinsync]

> my previous employer had like 20,000 employees NATed behind a single IP.

If so, it’s incredibly unlikely that all 20k were online simultaneously. If they were, each person could only open ~3 TCP sockets to the internet (even if via a proxy if dealing with individual login sessions) at a time before you’ve run out of ports.

[Hello71]

even though you're probably right on the first part, the second part is false. while most NAT implementations operate as you describe, called "port-restricted cone NAT", some implementations allocate the external port only for a specific destination address, called "symmetric NAT".

[pavs]

IP NATing is a common thing done by most isps, you can literally have 100s or even thousands of users using the same ip.

[shuckles]

There isn’t enough information in the linked article to reveal the attacker’s methods. Do you have further information or are you speculating?

[makecheck]

It’s better than nothing but still not great because the login area they present is too broad. For example, if you live in a large city and the phisher is somebody you know, seeing “New login from Your City” is not going to make you think twice.

[gowld]

If you refuse to think, even when prompted, that's on you. You should think about whether you logged in from the city and device/OS named in the alert.

[ryandrake]

Not just better education around security practices, but better understanding around control of your content, where it's stored, what happens to content when you press that button in an app. I don't want to victim blame here, and this guy is a total creep, but the victims uploaded their nudes to the Internet. At that point, the cat was out of the bag.

Part safely using the Internet is having the knowledge and being aware of where (in your apps) the boundary is between your local device and the global network that everyone has access to. People need to understand: When you sync to a cloud service, you're sending your content to someone's computer unknown to you. Yes, in this case, it's Apple's computer, but that didn't stop this guy. Once you sync something online, it's out of your hands, and on the Internet now.

I personally treat all cloud services as if they were accessible publicly and anonymously, and will inevitably be printed in my local newspaper, and only upload content to those services where I am comfortable with that level of exposure.

EDIT: To clarify, I wish applications would stop blurring the line between "on my device" and "on the Internet". I've used applications where, to an unsophisticated user, the save dialog looks like it's saving to their computer but it's actually in the cloud. Add to it all these apps that try to be helpful by seamlessly (and invisibly) keeping local content in sync with the cloud versions and you have a recipe for disasters like this. Have an explicit "upload this thing to the Internet" button, please!

[Tabular-Iceberg]

It boggles my mind that people have nudes of themselves on any digital medium. I say if you want to dabble in that, get a film camera and develop the pictures in your own basement.

[LinuxBender]

Or get a non-wifi digital camera and manage your photos on a non cloudy computer. Maybe even take it a step further and use tools to remove EXIF data that has your camera's serial number and other metadata in the images. Photos taken from cell phones often give away GPS coordinates.

[arsome]

Yeah, Netflix is actually annoying with it - I was using my "ultra low security" password which is in... probably every public password dump around for years, got dozens of logins, just ignored them til someone finally tried to change it and I had to reset it.

[pbhjpbhj]

I can't believe Facebook haven't stopped the "your mother's maiden name and your first pets name is your pornstar name, post yours below" posts on Facebook. These companies clearly don't care their platforms are used to enable scammers so long as they're getting their cut of the money.

[pier25]

Seems so naive that you'd do such a thing from your home without any type of security like a VPN.

The guy probably was the only one in the group doing this and was led to believe by the others that it was completely safe.

[legohead]

So all he needed do to avoid being caught was use a VPN?