The Los Angeles Times reported that after attempting to hack into thousands of iCloud accounts to retrieve nude photos of women, a local criminal had pleaded guilty to a felony. MacRumors pointed out that by impersonating Apple’s customer support staff and sending emails, the suspect named Hao Kuo Chi successfully defrauded thousands of victims’ Apple IDs and passwords.
The investigation found that the suspect did not breach Apple’s preset protection measures for iCloud. But using social work and phishing methods, he eventually collected more than 620,000 private photos and videos. It is reported that Hao Kuo Chi visited the photos and videos of at least 306 victims in the United States, and most of them were young women.
After swaggering on the Internet in the name of icloudripper4you, some victims were also targeted by others. After an unknown co-conspirator asks him to hack into a particular iCloud account, the successful suspect will report it with a Dropbox network disk link.
In addition, the FBI found more than 500,000 emails in the two Gmail addresses it manipulated (applebackupicloud and backupagenticloud), which contained about 4,700 deceived Apple IDs and passwords.
In March 2018, Hao Kuo Chi also hacked into the iCloud account of a public figure, causing his photos to eventually appear on certain pornographic websites. The FBI then launched an investigation into the case and eventually traced it back to the suspect.
At present, Hao Kuo Chi has pleaded guilty to one count of conspiracy and three counts of unauthorized access to protected computer systems, and each count will face up to five years in prison. During a telephone interview with the Los Angeles Times, the suspect expressed his deep regrets for what he had done, and he cited the reason for the need to support his family. If the crime is revealed to the world, his life will also be ruined.
Finally, before Hao Kuo Chi, foreign media also reported a similar attack in 2014. After that, Apple has strictly strengthened the security of iCloud accounts and provided a protection scheme based on two-factor authentication (2FA).
However, at a time when social workers and phishing emails are raging, it is more important to help users develop sufficient awareness of security risks, including carefully identifying the true identity of the sender, and not easily revealing private information such as their account names and passwords.