Phishing template provided by one user for use by other users.
4. The frequent source of new leads for targets seems to be newcomers who know somebody they want to hack and have stumbled onto one of the networks offering services via search terms or a forum they frequent. The new contributor will offer up a Facebook profile link, plus as much information as is required by the hacker to break the account, plus possible assistance in getting a RAT installed if required. In exchange the hacker and ripper will supply the person providing the lead with a copy of the extracted data, which they will also keep for themselves. This was one of the most unsettling aspects of these networks to me – knowing there are people out there who are turning over data on friends in their social networks in exchange for getting a dump of their private data.
5. In reviewing months' worth of forum posts, image board posts, private emails, replies to requests for services, etc., nowhere was the FindMyPhone API brute force technique (revealed publicly and exploited in iBrute) mentioned. This doesn’t mean that it wasn’t used privately by the hackers – but judging by the skill levels involved, the mentions and tutorials around other techniques and some of the bragged-about success rates with social engineering, recovery, resets, RATs and phishing – it appears that such techniques were not necessary or never discovered.
6. iCloud is the most popular target because Picture Roll backups are enabled by default and iPhone is a popular platform. Windows Phone backups are available on all devices but are disabled by default (it is frequently enabled, although I couldn’t find a statistic) while Android backup is provided by third party applications (some of which are targets).
7. Apple accounts seem particularly vulnerable because of the recovery process, password requirements and the ability to detect if an email address has an associated iCloud account. The recovery process is broken up into steps and will fail at each point. While Apple do not reveal if an email address is a valid iCloud address as part of the recovery process, they do reveal whether it is valid if you attempt to sign up a new account using the same email, so verification (or brute force attempts) is simple. The second step is verifying the date of birth, and it will pass or fail based on that data alone, so it can be guessed, while the last step is the two security questions. It would be a good idea for Apple to kill the interface on signup that shows new users whether their email address is available to use as an iCloud account. It would also be a good idea to make the recovery process one big step where all data is validated at once and the user is not given a specific error message. It would also be wise to attach rate limits and a strict lockout to this process on a per-account basis.
Being able to POST an email address to https://appleid.apple.com/account/validation/appleid and getting back a response indicating if it is a valid account or not, with little to no rate limiting, is a bug.
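As an added illustration (not code from the original post, and not Apple's implementation), the following Python sketch contrasts the step-by-step recovery flow described above with the single-step, generic-response, per-account-lockout design the post recommends, and does the same for the signup-time address check. The account record, thresholds, message strings and function names are all constructed for this example.

```python
import hmac
import secrets
import time
from dataclasses import dataclass


# Constructed sample data for the example; nothing here is real account data.
@dataclass
class Account:
    email: str
    dob: str             # "YYYY-MM-DD"; a real system would store hashes of these
    answers: tuple       # the two security answers
    failures: int = 0
    locked_until: float = 0.0


ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "1990-04-12", ("rex", "lincoln")),
}
# Placeholder record used for unknown addresses so that an unknown email costs
# the same comparisons as a known one (no timing oracle on account existence).
DUMMY = Account("", "0000-00-00", ("", ""))
OUTBOX = []  # (address, message) pairs that a real service would email out
GENERIC_MSG = "If the details match an account, a reset link has been emailed to it."
MAX_FAILURES = 5
LOCKOUT_SECONDS = 900


def _eq(a, b):
    """Constant-time string comparison."""
    return hmac.compare_digest(a.encode(), b.encode())


def leaky_recover(email, dob=None, a1=None, a2=None):
    """Step-wise recovery as the post describes it: each stage passes or fails
    on its own, so every response tells the caller which field to work on next."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return "unknown email"
    if dob != acct.dob:
        return "wrong date of birth"
    if (a1, a2) != acct.answers:
        return "wrong security answers"
    return "reset link sent"


def hardened_recover(email, dob, a1, a2, now=None):
    """All fields validated in one step, one generic response, per-account lockout."""
    now = time.time() if now is None else now
    acct = ACCOUNTS.get(email, DUMMY)
    # '&' rather than 'and': all three compares always run, none short-circuits,
    # so the response time does not depend on which field was wrong.
    ok = _eq(dob, acct.dob) & _eq(a1, acct.answers[0]) & _eq(a2, acct.answers[1])
    locked = now < acct.locked_until
    if acct is not DUMMY:
        if ok and not locked:
            acct.failures = 0
            OUTBOX.append((email, "reset token " + secrets.token_urlsafe(32)))
        elif not ok:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
    return GENERIC_MSG  # same text whether the address exists, is locked, or matched


def leaky_signup_check(email):
    """Mirror of the signup-time validation the post calls a bug: an
    unauthenticated caller learns whether the address already has an account."""
    return email in ACCOUNTS


def hardened_signup(email):
    """Identical response either way; whether the address is already taken is
    only disclosed to whoever controls the mailbox."""
    if email in ACCOUNTS:
        OUTBOX.append((email, "notice: this address is already registered"))
    else:
        OUTBOX.append((email, "verification link " + secrets.token_urlsafe(16)))
    return "Check your inbox to continue."
```

The point of the hardened functions is that an outside caller gets no signal at all from the response: not whether the address exists, not which field failed, and not whether the account is currently locked. The lockout counter lives on the account rather than on the client address, so it cannot be sidestepped by rotating VPN exits, which the post notes is standard practice in these networks.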
7. a) edit: To reiterate what the main bugs are that are being exploited here, roughly in order of popularity / effectiveness:
7. b) Once they have access to the account they have access to everything – they can locate the phone, retrieve SMS and MMS messages, recover deleted files and photos, remote wipe the device and more. The hackers here happen to focus on private pictures, but they had complete control of these accounts for a period.
8. Authentication tokens can easily be stolen by a trojan (or obtained by social engineering) from a computer with iTunes installed. Elcomsoft provide a tool called atex which does this. On OS X the token is stored in the keychain. The authentication token is as good as a password.
9. Two-factor authentication for iCloud is useless in preventing passwords or authentication tokens from being used to extract online backups. 2FA is used to protect account details and updates.
10. There is an insane amount of hacking going on. On any day there are dozens of forum and image board users offering their services. While many of those offering to rip alone based on being provided a username and password are scammers, they will still steal the data and sell it or trade it.
11. The OPSEC level of the average user in these networks is low. 98% of email addresses provided in forums as part of advertising or promoting services are with the usual popular providers (gmail, outlook, yahoo), who are not Tor friendly. Most users speak of using VPNs when breaking into accounts and suggest which VPNs are best, fastest and “most anonymous.” It was also incredibly easy for some of those involved in distribution of the latest leaks to be publicly identified (more on that later) and for servers with dumps to be found, etc.
12. The darknet forums provide a lot of tips in terms of the hacking steps and also provide databases of passwords, users and dox but in terms of distributing content are usually a step behind the publicly available image boards. They are definitely more resilient in terms of keeping content up once it is published, and might become more popular with users if more data is leaked. Overchan and Torchan have in the past day or longer been full of new users requesting darknet links to the leaked content, and they receive them.
13. The different file name formats, data inconsistencies and remnants such as Dropbox files being found in the dumps can be explained by the different recovery software used (some of which restores original filenames, some of which doesn’t) and the dumpers and distributors frequently using Dropbox to share files. It is unknown how many hackers were involved in retrieving all the data, but the suggestion is that the list of celebrities was the internal list of one of the trading networks. Timestamps, forum posts and other data suggest that the collection was built up over a long period of time.
14. On the topic of OPSEC. Tracking down one of the distributors who was posting ransomed private images to 4chan and reddit was simple. He posted a screenshot as part of pitching the sale of 60 or more images and videos for a single celebrity but didn’t black out his machine name or the machine names of the other computers on his local network. A user on reddit did a Google search and tracked down the company he worked for (although they picked the wrong employee). Tracking each of those names linked one of them back to a reddit account that had posted a screenshot of the exact same explorer interface (the guy had a bad habit of taking screenshots of his own machine). He has denied being the source of the images, but he is definitely a distributor who purchased them from within the network since the ransomed set he posted were all images that did not and have not yet leaked.
Screenshot posted to 4chan as part of attempting to sell this set of images and videos. The poster was initially asking for $100 per image.
edit: Turns out Maroney was underage when these pictures were taken, which means this screenshot is an admission of possession of child pornography. Reddit mods on the fappening sub are desperately asking users to remove any images of her and other underage celebrities.
Screenshot posted by redditor who had his real identity linked back to the ransom screenshot above.
15. I personally don’t distinguish between somebody who stole the data directly and somebody else who “only” bought that data with the intention of selling it for a profit to the public.
16. It seems to have gone wrong for not only our identified friend but a lot of other members of this network over the past few days. It appears the intention was to never make these images public, but that somebody – quite possibly the previously identified distributor – decided that the opportunity to make some money was too good to pass up and decided to try to sell some of the images. The first post from this set that I could track down was nearly 5 days before the story became public, on the 26th of August. Each of those posts was a censored image with a request for an amount of money for an uncensored version. After numerous such posts and nobody paying attention to it (thinking it was a scam), the person behind the posts began publishing uncensored versions, which quickly propagated on anon-ib, 4chan and reddit. My theory is that other members of the ring, seeing the leaks and requests for money, also decided to attempt to cash in, thinking the value of the images would soon approach zero, which led to a race to the bottom between those who had access to them.
17. In terms of staying secure the most obvious solutions are to pick a better password, set your security answers to long random strings and enable two-factor authentication. Further, it is a good idea to ring-fence your email – use one email address that remains private for sensitive accounts such as your online banking, cloud storage etc., and then a separate account for communications whose address is made public. There is no privacy mode in phones; they lump together all your data and metadata in one large bucket, and the only solution if you wish to retain a more private or more anonymous profile is to run a separate phone with the account on there belonging to an alias. There is a reason why drug dealers carry multiple phones: it tends to work in terms of segregating your real identity.
18. There is no software that users will ever be able to install or upgrade that will make them completely secure. The responsibility is on both vendors and users. Users need to be aware of good password practices (unique passwords, long, passphrases) as well as the basics of anonymity and security (more on this in another post – attempting to tl;dr security tips in a few small and simple-to-understand points).