Nude photo theft offers lessons in selfie security

Two former college graduates are in a lot of trouble after breaking into other students’ accounts and stealing sensitive personal data. They’re facing some serious charges with restitution payments of $35,430, potential jail time, and the threat of very big fines thrown into the mix.

What happened?

A man from New York has pleaded guilty to one count of aggravated identity theft, and one count of computer intrusion causing damage. Working with another former graduate, he accessed the school email accounts of dozens of college students and stole private nude photographs. Many of the images were then shared.

The maximum term of imprisonment for one count of computer intrusion causing damage is 10 years, and a fine of $250,000. The maximum term and fine for one count of aggravated identity theft is 2 years and $250,000.

As we said, big trouble and bigger fines.

How did they do it?

The prosecution documents [PDF] make for some eye-opening reading. The defendant targeted accounts belonging to both random students and students he’d known personally. He requested that other people break into the accounts and accessed a number himself without permission. With those, he broke into social media profiles / web storage and stole nude images and movies, and traded them with others.

To gain access to the email accounts, he appears to have reset account passwords by correctly guessing the answers to password reset questions. He also used lists of compromised passwords to break into one account, and discussed social engineering tricks related to Snapchat. This involved sending texts from fake numbers to potential victims claiming to have accidentally signed up with their number. The senders then offered to “fix” it for the potential victim by asking for the “code to reset the password”.

The more you read, the worse it gets. For example, collages featuring students in private, intimate situations were placed next to images of them at graduation time and then distributed. This is clearly going to have a severe impact on those involved, especially as graduation photos would likely contain identifiable information. A college robe or identifiable badge / name / anything else would tie individuals to images in no uncertain terms.

This Register article also mentions falsification of “good character” documents in relation to the second person involved, and they seem to be in quite the pickle generally.

Anything is a target

Talking about security threats and people’s threat models is a tricky business. When a big story like a nation state attack hits the news, people worry they’re in the firing line. The reality is that incredibly expensive and complicated compromises target very specific people for a reason. It quickly becomes a waste of money if your tailor-made targeted attack is randomly spammed out to a cast of millions. A well known finance journalist faces some different threats and challenges than a primary school teacher, and that teacher faces some different issues to someone running a digital payment method in a store. Not every threat is out to get everyone, in other words.

The flipside is that when people don’t stagger into a blitzkrieg of high-level corporate espionage, complacency can set in. People can assume “my data is nothing special, I won’t be targeted”. As we can see here, that’s not the case. You just end up with threats more attuned to your personal situation and lifestyle.

The story above is a really nasty, insidious and sustained attack on people where the defendant knows some of them personally. Such familiarity may have helped the perpetrator in their social engineering efforts, and it may also have made guessing passwords and security questions easier.

Defending yourself

Nothing is 100% foolproof, but basic measures work wonders when it comes to keeping email accounts secure. The first thing to keep in mind is that every password you use should be unique, and the easiest way to manage that is by letting a password manager do it for you. At least one of the victims in this case was undone because they protected their email using a password they’d used elsewhere.

If your mail service has two-factor authentication (2FA) available, enable it. If you have the choice of 2FA codes sent by text or generated by an authenticator app, use the app. Scammers can use SIM swap fraud to compromise accounts protected by SMS codes. Apps also have the advantage of working offline, so it won’t matter if you have no mobile signal.

Some other tips for keeping data safe

With enough time and effort a determined attacker can potentially bypass any security. The idea is to present them with enough obstacles that their time is better spent elsewhere. If enough of us do the same thing, hopefully they’ll abandon all plans of compromise and do something more productive.

Until then, remember that awful people are happy to do terrible things with your most personal data. While a few of them run into the full force of the law, a more sizeable portion likely never feel any consequences whatsoever. Whatever you’re doing with your files, we wish both them and your good self many compromise-free years to come.