Celebgate: A Case Study in Phishing Attacks
I. Introduction
“It’s a very, very trying time that we live in”, said Charles Kocaras, the U.S. District judge, at the sentencing of Edward Majerczyk, who was convicted of unauthorized access to a protected computer to obtain information. Majerczyk was sentenced to nine months in federal prison and ordered to pay $5,700 in restitution to one of his victims for his role in obtaining nude or otherwise compromising photographs. The salacious nature of the story put cybersecurity on the front pages of the tabloids. The photos weren’t released by some spurned lover; the outrageous part is that they were taken straight from the victims’ individual cloud accounts (Meisner, 2017).
The incident, in which private images of more than 100 well-known women were distributed on the public internet, was dubbed “celebgate” by the media, who covered it extensively (Naughton, 2014). The images first appeared on 4chan, posted by an anonymous user who claimed they had been obtained by hacking directly into the victims’ iCloud accounts. Apple later confirmed that individual accounts had been hijacked, but that iCloud itself hadn’t been breached (Strange, 2014).
Apple’s terms leave it to iCloud users to maintain and secure their own data in the cloud (Apple, 2023), and this incident shows that even the most prominent end users are effectively on their own when it comes to doing so. In fact, the practice of automatically uploading photos to iCloud, with little user education or oversight, is a large part of why the private data was in the cloud for Majerczyk to access in the first place (Apple, 2023).
It’s important to note that Majerczyk and the other “celebgate” attackers didn’t target the cloud provider directly. None of Apple’s applications, network or infrastructure elements were breached in this incident. The attackers focused on spear phishing campaigns against high-profile end users (Ohlheiser, 2016), who were responsible for their own data, device and account security (Apple, 2023).
The “celebgate” incident shows that focusing on the enterprise alone isn’t sufficient to secure cloud data; the user end matters too. The average end user is far less likely than the average enterprise to have a security budget, and some users simply can’t keep up as a result. That’s why it’s in the interest of cloud service providers like Apple to address vulnerabilities from the end user’s vantage point. If they did, less-trying times for their reputations and for the integrity of their customers’ data could be on the horizon.
II. Challenges and Root Causes
User Vulnerabilities to Phishing: Majerczyk and others phished their way to restricted iCloud data by impersonating Apple, or in some cases Google, and tricking victims into supplying their credentials. Evidently, hundreds of high-profile targets fell for it (Ohlheiser, 2016). Under Apple’s terms, users bear the responsibility for their account security, and so for the fallout of this invasion of privacy (Apple, 2023). However, users are human, and humans aren’t perfect. Cloud service providers should take heed.
95% of all insider breaches can be attributed to human error (Starnes, 2016). User education is important, but it is only one side of the equation: precautions on the cloud provider’s end could have mitigated, or even halted, the damage caused by this attack.
Enterprises often invest in technology that identifies phishing messages and are more likely to have policies and procedures to prevent or mitigate damage to their environments. The same cannot be said of the average iCloud end user.
Lack of Data Protection: Apple’s Advanced Data Protection offers end-to-end encryption for most iCloud data (Apple, 2023). It is designed to defend against a breach of Apple’s own infrastructure: in that scenario an attacker would see only ciphertext, because the keys are held on the user’s trusted devices rather than by Apple. It does much less against an attack like “celebgate”, which goes after the account rather than the servers. Without Advanced Data Protection, Apple holds the keys, and anyone who phishes the account credentials reads the data in plaintext. With it enabled, a password alone is no longer enough, but the attacker then has to get through the steps that authorize a new trusted device, or through the account recovery path, and those steps are themselves phishable.
End users’ privacy concerns are further exacerbated by iCloud’s default behaviour of automatically saving pictures and videos to the user’s cloud storage account. Something can be done about this.
Anonymous Distribution Channels: The private images in this attack were first distributed on 4chan, where users post under ephemeral identities and so enjoy a high degree of anonymity. The site only “exists in the present”: it has no archive, and a user who wants to follow a thread must keep it open in their browser and keep refreshing, or the thread is lost (Shifman, 2017). Unfortunately, the same can’t be said of images downloaded from the thread.
Lack of / Insufficient Multifactor Authentication (MFA): Multifactor authentication wasn’t in common use at the time of this attack the way it is today. Even with its wider adoption since, MFA is not a silver bullet against privacy breaches. It offers real resistance, but skilled and persistent attackers can still thwart it. Some of their methods are described below (Grimes, 2019):
1. Fake authentication attacks trick users into entering their login credentials, including an MFA code, into a counterfeit website. The fake site walks the user through a convincing login flow in which further information, such as answers to security questions, can be harvested as well (Grimes, 2019).
2. Recovery question attacks exploit the fact that recovery questions are often easy for attackers to guess and hard for users to remember. They therefore represent a serious weakness in account security, even with MFA enabled: some recovery questions can be guessed on the first try 20% of the time, and 6% of answers can be found on social media profiles. Once in, the attacker can change the account’s MFA settings (Grimes, 2019). That is a bad day for the user.
3. Session hijacking occurs when an attacker takes over a user’s legitimate session. For example, a user receives an email directing them to a malicious site that proxies the real one, the classic man-in-the-middle setup. Such sites look and feel like the legitimate sites they impersonate but function entirely differently: once the user authenticates through the proxy, the attacker captures the session token from the authenticated session and replays it to access the victim’s account (Sjouwerman, 2018).
4. A very effective method is to tamper with the infrastructure underlying authentication. Attackers who can modify an element of the MFA infrastructure (the interface, an API, network nodes, etc.) can bypass it completely; law enforcement has used this approach, compromising network nodes to steal encryption keys. Attacks like these are rare, but MFA users remain vulnerable to them (Grimes, 2019).
Attacks like the ones described above, along with many others, can’t be completely avoided, but it is still in the user’s interest to defend against them as far as possible.
[Figure omitted; source: Alkhalil, Hewage, Nawaf, & Khan (2021)]
III. Solutions
Invasive data hacks like the “celebgate” phishing attacks are high-impact incidents with a range of serious consequences. The likelihood is high too: Google alone blocks around 100 million phishing emails a day (Griffiths, 2023). To make matters worse, there is no single solution that cybersecurity practitioners trust to mitigate these attacks (Alkhalil, Hewage, Nawaf, & Khan, 2021). Combining end user education and mitigation techniques with diverse technical solutions and suitable legal deterrents should go a long way against unauthorized access to private information in cloud environments.
A. Non-Technical Solutions
Since phishing works by getting the end user to divulge authentication credentials, user education in detecting and avoiding phishing would go a long way in reducing the likelihood of these attacks. Users need to know that reusing a single password across accounts is bad, and how to recognise phishing emails. User training should therefore be the first step of a comprehensive awareness program, delivered in a way that meets users’ needs (Alkhalil, Hewage, Nawaf, & Khan, 2021).
Organizations should also test their users by conducting mock phishing attacks, and should consider how training is carried out. Wombat Security’s “2018 State of the Phish Report” found that only two fifths of US organizations, and about 15% of UK firms, use a combination of online awareness training and simulated phishing attacks (Alkhalil, Hewage, Nawaf, & Khan, 2021).
Developers of phishing awareness programs should consider meeting users where they are by gamifying training to reduce reluctance to undertake it (Alkhalil, Hewage, Nawaf, & Khan, 2021). The chart below shows the percentage of correct answers before and after different types of training.
[Chart: percentage of correct answers before and after training, by training type (Sheng et al., 2007)]
Notice that respondents trained using a game significantly outperformed those trained with the anti-phishing material that existed at the time of the study, and also outperformed those who read “Anti-Phishing Phil’s” tutorial material alone (Sheng et al., 2007). This strongly suggests that cloud providers like Apple should develop engaging anti-phishing content to educate their users. Decision makers in any organization should consider the same.
Additionally, it is in the public interest that those who illegally access cloud accounts and exfiltrate their contents to public websites are prosecuted. Prosecution should be used to deter potential attackers from acting in the future (Alkhalil, Hewage, Nawaf, & Khan, 2021).
B. Technical Solutions
Educating users only strengthens one side of the equation; cloud providers should also offer technical anti-phishing controls, such as robust MFA, to give users the deepest defence against “celebgate”-style attacks.
One technical approach is to maintain deny lists of known-bad addresses, domains and URLs. This approach does not examine the content of the message itself, and it cannot detect every phishing site: once a site has been blacklisted, attackers can register a new domain, which won’t be on any list at the moment of creation.
Technology like this has been very effective at blocking third-party trackers from harvesting personal information from browsers (Spread Privacy, 2022), but it can’t keep up with today’s dynamic threat landscape. To counter this, organizations can scan message contents for anything “phishy” using heuristic approaches (Alkhalil, Hewage, Nawaf, & Khan, 2021).
Such solutions could train a machine-learning classifier to recognise suspicious message features such as special characters, raw IP addresses in links, misspelled words and so on. In essence this teaches the system in parallel with the user, though developers need to recognise that humans and machines learn in different ways.
This heuristic approach is limited by the fact that it is reactive: it learns from what has already been seen. Organizations must also enact proactive measures to truly minimize the efficacy of phishing attacks like those in “celebgate”.
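As an added illustration of the deny-list-plus-heuristics approach described above (example code written for this edit, not something from the report or from any mail-security vendor), the following Go program scores a message with a small constructed deny list, brand-impersonation checks on the sender domain and on link hosts, a raw-IP-in-link check, an '@'-in-URL check, and a set of urgency phrases. The domain icloud-verify.example, the sample message, the brand table and the weights are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"net"
	"net/url"
	"regexp"
	"strings"
)

// Message is an e-mail as a mail gateway sees it after parsing.
type Message struct{ From, Subject, Body string }

var urlRe = regexp.MustCompile(`https?://[^\s<>"']+`)

// Denylist is a constructed example of a blocked-domain list. Real ones come from
// threat-intel feeds and go stale as soon as the attacker registers a new domain.
var Denylist = map[string]bool{"icloud-verify.example": true}

// protectedBrands: brand word -> the only domain allowed to carry it (an assumption here).
var protectedBrands = map[string]string{"apple": "apple.com", "icloud": "icloud.com", "google": "google.com"}

// Phrases typical of credential-harvesting mail; each match adds one point.
var suspiciousPhrases = []string{
	"verify your account", "account will be suspended", "confirm your password",
	"unusual activity", "click here to", "within 24 hours",
}

// hostOf returns the real link host, ignoring userinfo: "http://apple.com@evil.example/" -> "evil.example".
func hostOf(raw string) string {
	u, err := url.Parse(raw)
	if err != nil {
		return ""
	}
	return strings.ToLower(u.Hostname())
}

func senderDomain(from string) string {
	i := strings.LastIndex(from, "@")
	if i < 0 {
		return ""
	}
	return strings.ToLower(strings.TrimRight(from[i+1:], "> "))
}

// impersonates reports whether host uses a protected brand word without being that
// brand's own domain or a subdomain of it ("email.apple.com" is fine, "appleid-support.example" is not).
func impersonates(host string) (string, bool) {
	for brand, legit := range protectedBrands {
		if strings.Contains(host, brand) && host != legit && !strings.HasSuffix(host, "."+legit) {
			return brand, true
		}
	}
	return "", false
}

// ScoreMessage applies the deny list and the content heuristics and returns the
// total score plus the reasons that fired. The quarantine threshold is a tuning choice.
func ScoreMessage(m Message) (int, []string) {
	total, why := 0, []string{}
	add := func(w int, reason string) { total += w; why = append(why, fmt.Sprintf("+%d %s", w, reason)) }
	if brand, ok := impersonates(senderDomain(m.From)); ok {
		add(3, "sender domain impersonates "+brand)
	}
	for _, raw := range urlRe.FindAllString(m.Body, -1) {
		host := hostOf(raw)
		if Denylist[host] {
			add(5, "link host on deny list: "+host)
		}
		if net.ParseIP(host) != nil {
			add(3, "link host is a raw IP address: "+host)
		}
		if strings.Contains(raw, "@") {
			add(3, "link hides its real host behind '@': "+host)
		}
		if brand, ok := impersonates(host); ok {
			add(3, "link host impersonates "+brand+": "+host)
		}
	}
	text := strings.ToLower(m.Subject + " " + m.Body)
	for _, p := range suspiciousPhrases {
		if strings.Contains(text, p) {
			add(1, "suspicious phrase: "+p)
		}
	}
	return total, why
}

// SamplePhish is a constructed message in the style of the celebgate lures.
var SamplePhish = Message{
	From:    "Apple Support <security@appleid-support.example>",
	Subject: "Unusual activity on your Apple ID",
	Body:    "We detected unusual activity. Verify your account within 24 hours or your account will be suspended: http://appleid.apple.com@icloud-verify.example/login",
}

func main() {
	fmt.Println(ScoreMessage(SamplePhish))
}
```

The deny-list rule is the only one that needs a feed; the others fire on fresh domains too, which is the point of layering heuristics over the list. A genuine receipt from noreply@email.apple.com linking to support.apple.com scores zero under these rules, while the constructed lure scores 18.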
Photos illegally accessed in “celebgate” had been automatically uploaded to iCloud at the time they were taken (Clare, 2015). While users of iCloud (or any other photo storage service) can turn off automatic syncing, the photos in question are uploaded as soon as sync is turned back on (Apple, 2023). There is an opportunity for Apple to apply more granular control here.
When I save this Word file, I can dictate where it gets saved at the time of creation or modification: to my personal OneDrive, my UNSW OneDrive, a thumb drive, or locally on my PC. Why should pictures taken on a smartphone be any different?
Cloud providers like Apple only let users choose which apps can sync data (Apple, 2023), and this Boolean control offers no further granularity. Additionally, sensitive data syncs to the cloud as soon as syncing is turned back on. Sending a risqué photo in these trying times means turning off sync in the Settings app, taking the photo, sending it (which leaves a trace), and deleting it. More granularity should be introduced to strengthen this weak link.
Users are unlikely to save compromising photos like those involved in “celebgate” to their cloud accounts if they are aware that the photos will be uploaded to Apple’s servers. A per-photo choice would also give them more control over their personal information than the current iCloud default.
Multi-factor authentication has been touted as a white knight in the fight against phishing attacks like “celebgate”. It, along with strong passwords, was presented as the definitive answer in a statement issued in the attack’s aftermath (Stanforth, n.d.). However, this reductive mindset provides a false sense of security: there are almost as many ways to circumvent MFA controls as there are implementations of it. See section II of this report for several ways MFA bypass can be achieved.
Virtually all MFA technologies have one thing in common: given enough patience and expertise, they can be bypassed (Grimes, 2019). The difficulty varies from one method to the next, but all should generally be considered vulnerable.
Out-of-band MFA, where an authentication factor is sent via a different channel from the rest of the authentication process, is more robust than in-band MFA, but both can be bypassed (Grimes, 2019). A stronger MFA challenge may stop some attackers in their tracks but only adds a little resistance for others to overcome. Given the prevalence and severity of phishing attacks, a new approach needs to be put into practice.
Fast Identity Online (FIDO) technology steps away from problematic knowledge-based credentials, like those involved in the celebgate attack, in favour of a possession-based approach. FIDO works by binding a device to a particular service using public key cryptography. A key pair is created when a user registers with a service: the user’s device holds the private key, which never leaves the device, while the service keeps the public key and uses it to verify the device’s signature over a fresh challenge at each login (FIDO Alliance, n.d.).
[Figure: FIDO registration and authentication flow (FIDO Alliance, n.d.)]
From the user’s perspective, a FIDO authenticator can typically be unlocked with a single gesture, such as a PIN or a biometric, because possessing the device already satisfies the “something you have” factor. Crucially, the signature is also bound to the origin the user is actually visiting, so a login attempted through a look-alike site yields nothing the attacker can use against the real one. Device-based authentication is safer and easier to use, but only if the physical security of the device is maintained, and as the threat landscape evolves that may not be hard to overcome.
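To make the origin-binding point concrete, here is an added example (written for this edit; it is neither the FIDO Alliance’s code nor Apple’s) of a FIDO-style registration and challenge-response login in Go, using Ed25519 from the standard library. The relying party ID icloud.com and the phishing domain icloud-verify.example are illustrative, and the signed data format is a simplification of WebAuthn’s. It shows why the proxying attack in item 3 of section II fails against FIDO: the authenticator only signs for the rpID the browser derived from the real origin, the signature covers that rpID, and each challenge is single-use, so nothing captured on the fake site can be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a FIDO authenticator. Private keys are stored per relying-party
// ID (rpID); the browser derives the rpID from the page origin, so the page cannot choose the key.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // rpID -> private key (one per RP, a simplification)
}

// RelyingParty models the service: registered public keys and outstanding
// single-use challenges, both keyed by user name.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]ed25519.PrivateKey{}} }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register mints a fresh key pair for rpID; only the public key leaves the device.
func (a *Authenticator) Register(rpID string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return pub, nil
}

// signedData is what is signed and verified: SHA-256(rpID) || challenge. It stands
// in for WebAuthn's authenticatorData (rpIdHash) plus the clientDataJSON hash.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.Sum256([]byte(rpID))
	return append(h[:], challenge...)
}

// Sign answers a challenge for the rpID the browser reports; a look-alike domain has no key.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

func (rp *RelyingParty) StorePublicKey(user string, pub ed25519.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues a random single-use challenge so a captured signature cannot be replayed.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.challenges[user] = ch
	return ch, nil
}

// Verify checks the signature against the RP's own ID and the outstanding challenge,
// then consumes the challenge. A signature bound to any other rpID fails here.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	ch, pending := rp.challenges[user]
	if !ok || !pending {
		return false
	}
	delete(rp.challenges, user)
	return ed25519.Verify(pub, signedData(rp.ID, ch), sig)
}

// Login runs one ceremony. originRPID is what the browser derives from where the user
// really is: rp.ID on the genuine site, something else on a phishing or proxying site.
func Login(rp *RelyingParty, auth *Authenticator, user, originRPID string) (bool, error) {
	ch, err := rp.NewChallenge(user)
	if err != nil {
		return false, err
	}
	sig, err := auth.Sign(originRPID, ch)
	if err != nil {
		return false, err
	}
	return rp.Verify(user, sig), nil
}

func main() {
	rp := NewRelyingParty("icloud.com") // illustrative rpID
	auth := NewAuthenticator()
	pub, _ := auth.Register(rp.ID)
	rp.StorePublicKey("alice", pub)
	fmt.Println(Login(rp, auth, "alice", rp.ID))                   // genuine origin
	fmt.Println(Login(rp, auth, "alice", "icloud-verify.example")) // phishing origin
}
```

Contrast this with a password or a one-time code: those are the same string wherever the user types them, which is exactly what the proxy in section II relies on. Here the only thing the attacker could capture is a signature over the wrong rpID and an already-consumed challenge.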
Technology like this may well have prevented the celebgate attacks. Nevertheless, it too has been bypassed. If a company like Apple wanted to implement FIDO technology across its products, it would need to harden its account recovery process, which is the weak point if improperly implemented. It would also need to keep its cryptographic material secure: the 2011 attack on Lockheed Martin succeeded because an APT had obtained RSA SecurID token seed material and used it to replicate the trusted tokens (Grimes, 2019). Another white knight falls off the horse!
IV. User, Business and Policy Implications
Celebgate was a very public display of the toll a successful phishing attack can take on individuals and organizations alike. While most of the blame was rightly directed at the perpetrators, Apple didn’t come out of the incident unscathed. Its initial statement came under scrutiny for placing the blame on users. There would have been no need for such an embarrassing statement if its cloud environment had directly addressed user concerns. While Apple was not directly responsible for the hack, there was a looming perception that its users’ data security needs were not being fully addressed.
Further investigation found that Apple had known about an unrelated flaw in its “Find My iPhone” service, whose login endpoint did not limit the number of password attempts and so left iCloud accounts open to brute-force attacks, months before any photos were leaked to 4chan (Cameron, 2014). To counter the perception of indifference, Apple should stop hiding behind lengthy terms and conditions to blame users when things go wrong. Instead, it should focus on meeting users where they are and enacting the more robust solutions outlined above.
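As an added example of the control that endpoint lacked (written for this edit; it is not Apple’s code, and the thresholds are example choices rather than any vendor’s policy), this Go program puts a per-account lockout with a doubling duration in front of a credential check and simulates a password-list attack against it. The account name, the password and the stand-in verifier are constructed for the example.

```go
package main

import (
	"fmt"
	"strconv"
	"time"
)

// LockoutPolicy: MaxFailures bad attempts lock the account for BaseLockout, doubling
// on every further lockout up to MaxLockout. Example numbers, not Apple's.
type LockoutPolicy struct {
	MaxFailures int
	BaseLockout time.Duration
	MaxLockout  time.Duration
}

type accountState struct {
	failures, lockouts int
	lockedUntil        time.Time
}

// Guard sits in front of any credential-checking endpoint (login, device location,
// password reset) and is consulted before the password is compared at all.
type Guard struct {
	policy LockoutPolicy
	state  map[string]*accountState
	now    func() time.Time // injectable clock so tests need not sleep
}

func NewGuard(p LockoutPolicy, now func() time.Time) *Guard {
	if now == nil {
		now = time.Now
	}
	return &Guard{policy: p, state: map[string]*accountState{}, now: now}
}

// Allow reports whether an attempt on acct may reach the password check.
func (g *Guard) Allow(acct string) bool {
	s := g.state[acct]
	return s == nil || !g.now().Before(s.lockedUntil)
}

// RecordFailure counts a bad credential; reaching MaxFailures starts a lockout whose
// length doubles each time (capped at MaxLockout) and resets the failure counter.
func (g *Guard) RecordFailure(acct string) {
	s := g.state[acct]
	if s == nil {
		s = &accountState{}
		g.state[acct] = s
	}
	s.failures++
	if s.failures < g.policy.MaxFailures {
		return
	}
	d := g.policy.BaseLockout << uint(s.lockouts)
	if d <= 0 || d > g.policy.MaxLockout { // d <= 0 catches shift overflow
		d = g.policy.MaxLockout
	}
	s.lockedUntil = g.now().Add(d)
	s.lockouts++
	s.failures = 0
}

// RecordSuccess clears the counters after a genuine login.
func (g *Guard) RecordSuccess(acct string) { delete(g.state, acct) }

// Attempt wraps a credential check with the guard and reports whether the attempt
// authenticated and whether the password was actually compared. A locked account
// gets the same generic refusal as a wrong password, so the caller learns nothing.
func (g *Guard) Attempt(acct, pw string, check func(acct, pw string) bool) (authenticated, compared bool) {
	if !g.Allow(acct) {
		return false, false
	}
	if check(acct, pw) {
		g.RecordSuccess(acct)
		return true, true
	}
	g.RecordFailure(acct)
	return false, true
}

// BruteForce simulates an attacker running a word list against one account and reports
// how many guesses reached the password check and which one, if any, succeeded.
func BruteForce(g *Guard, acct string, guesses []string, check func(acct, pw string) bool) (compared int, found string) {
	for _, pw := range guesses {
		ok, didCompare := g.Attempt(acct, pw, check)
		if didCompare {
			compared++
		}
		if ok {
			return compared, pw
		}
	}
	return compared, ""
}

func main() {
	check := func(_, pw string) bool { return pw == "correct horse battery" } // stand-in for the real verifier
	g := NewGuard(LockoutPolicy{MaxFailures: 5, BaseLockout: 15 * time.Minute, MaxLockout: 24 * time.Hour}, nil)
	guesses := make([]string, 100)
	for i := range guesses {
		guesses[i] = "password" + strconv.Itoa(i)
	}
	n, found := BruteForce(g, "victim@example.com", guesses, check)
	fmt.Printf("100 guesses, %d reached the password check, found=%q\n", n, found)
}
```

Without the guard every guess reaches the password check; with it, five do and the rest are refused before any comparison. A real deployment would key the counters on account and source address, persist them across nodes, and apply the same guard to every endpoint that accepts the credential, since a single unguarded API was enough here.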
V. Conclusion
The celebgate incident was the result of a confluence of factors: user vulnerability to phishing, a lack of proper authentication mechanisms, and Apple’s failure to meet users where they stand to harden their individual security posture. This is where Apple’s otherwise robust security mechanisms run into a weak link.
While user education is paramount in securing cloud accounts, cloud companies can also fix such a critical weakness on the client end of their systems. Apple, or any other cloud provider, would profit by giving users more granular control over where data like photos is saved at the time the file is created.
Defence in depth is the name of the game on the technical side, so organizations should pursue both proactive and reactive solutions to keep the exposed attack surface to a minimum. An allow/deny list together with an MFA solution is better than either alone.
It’s virtually impossible to defend completely against phishing attacks. The threat landscape is ever changing, so pragmatism is called for. Authentication technology has come a long way since the celebgate incident. Every invested party, from the legislator down to the end user, could navigate these trying times if developers and educators keep making the attacker’s life increasingly difficult.