Hacker Of The Stars Pleads Guilty And Faces 60 Years In Prison

This article is more than 10 years old.

On March 26, 2012, Christopher Chaney, 35, of Jacksonville, FL, had a very bad day – one of likely many more to come. Chaney pleaded guilty in federal court in Florida to nine felony counts, among which were the

  • unauthorized access to protected computers in furtherance of wiretapping and wire fraud;
  • unauthorized damage to protected computers resulting in more than $5,000 loss and physical harm; and
  • wiretapping.

As part of his plea, federal prosecutors will agree to dismiss at sentencing the remaining counts in the 28-count Superseding Indictment, including nine counts of aggravated identity theft.

How did Chaney get himself into so much trouble?  Well, he admitted that from at least November 2010 to October 2011, he hacked into the e-mail accounts of some 50 folks.

Okay, you’re right, not exactly earth shattering news.  Seems like everyone has had their account hacked by now.

Oh, by the way, among the victims of Chaney’s intrusions were Scarlett Johansson and Mila Kunis.

Ahhh, so, what, now you’re interested?

How The Engine Works

Although the celebs’ names caught my attention too, the reason that I’m posting this story is because it provides an interesting explanation of how these crimes get started -- we actually get to pull up the hood and watch the engine work.

In embarking upon his unauthorized entry into his victims’ online lives, Chaney would often start with getting their email addresses. Not much of a challenge, if you think about it. We all publish, promote, and market our lives online. Tweet me. Friend me. Link me. Ebay me. PayPal me. Gmail this. AOL that. Hotmail whatever.

Once in possession of a target's email address, Chaney would often break into the account by clicking on the “Forgot your password?” feature, and then re-setting the password.  To his dubious credit, Chaney did online research and apparently put bits and pieces of background together and came up with the necessary answers.  For example, if a security question was the “Name of Your Favorite Pet” and recent online photos of a starlet show her with her pet Golden Retriever Bernie, it’s probably a decent hunch that the correct response to the security question will be “Bernie.”

If you think about it, there’s a veritable treasure trove of online information out there on Facebook, LinkedIn, Twitter, homepages, etc. about so many potential victims: the name of your high school, your parents’ names, your spouse’s name, etc.

Lesson To Be Learned: Choose your online security questions and answers carefully.

Upon re-setting his victims' email passwords, Chaney could pretty much run amok through all their email accounts, folders, and lists.  Worse, Chaney would break into one victim’s account and then mine the list of contacts to find new targets.  The potential damage became exponential at this point. On several occasions, Chaney would fraudulently pose as one of his victims and ask their contacts to send private photographs (as in "explicit") – which the senders thought were transmitted in confidence to the victim but were also being viewed by the defendant.

Also, Chaney downloaded many of the confidential documents and photographs he stole to his home computer – sometimes hoisting his trophies by sending stolen photographs to a hacker and two gossip websites. Perhaps the online equivalent of gloating or a victory lap? Chaney admitted that he frequently changed email account settings to allow copies of all incoming mail to his victim to be sent to an alias address of his. As a result, Chaney had nearly real-time access to the mail of his victims, and that also gave him access to attached files of photos, documents, and videos.

This was a particularly devilish bit of nastiness because the duplicate mail forwarding often remained undetected even if a victim changed the account’s password and believed, falsely, that the integrity of the account was restored. Given how easy it was for Chaney to figure out potential answers to security questions needed to re-set the account passwords, he was able to invade a targeted account multiple times even after its owner changed the password.

Lesson To Be Learned:  Regularly check to see if your email accounts are forwarding your messages.
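A check along the lines of this lesson, as an added example that is not part of the original article: it lists every active forwarding path in a mailbox-settings export and marks the ones that predate the last password change. The export format, field names, dates and addresses are constructed for the example and are not any mail provider's schema.

```python
from datetime import datetime

# Constructed sample: a hypothetical export of one mailbox's settings.
# Field names are assumptions for this example, not a provider's schema.
SAMPLE_MAILBOX = {
    "address": "owner@example.com",
    "password_changed_at": "2011-06-01",
    "auto_forward": {"enabled": True, "to": "alias@mail.example.net",
                     "created_at": "2011-02-14"},
    "filters": [
        {"action": "label", "to": None, "created_at": "2010-05-02"},
        {"action": "forward", "to": "owner.backup@example.com", "created_at": "2011-07-01"},
        {"action": "forward", "to": "Alias@Mail.Example.net", "created_at": "2011-03-03"},
    ],
}


def forwarding_rules(mailbox):
    """Yield (source, destination, created_at) for every active forwarding path."""
    fwd = mailbox.get("auto_forward") or {}
    if fwd.get("enabled") and fwd.get("to"):
        yield "auto_forward", fwd["to"], fwd["created_at"]
    for i, flt in enumerate(mailbox.get("filters", [])):
        if flt.get("action") == "forward" and flt.get("to"):
            yield f"filter[{i}]", flt["to"], flt["created_at"]


def audit_mailbox(mailbox, trusted_domains):
    """Return findings for forwarding to destinations outside trusted_domains."""
    trusted = {d.lower() for d in trusted_domains}
    pw_changed = datetime.fromisoformat(mailbox["password_changed_at"])
    findings = []
    for source, dest, created in forwarding_rules(mailbox):
        if dest.rsplit("@", 1)[-1].lower() in trusted:
            continue
        findings.append({
            "source": source,
            "destination": dest.lower(),
            # Rule is older than the last password change and still active:
            # the reset did not remove it, the situation described above.
            "survived_password_change": datetime.fromisoformat(created) < pw_changed,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_mailbox(SAMPLE_MAILBOX, trusted_domains={"example.com"}):
        print(finding)
```

Forwarding can live both in the account-level setting and in individual filters, so the audit walks both; any finding with `survived_password_change` set means the forwarding has to be removed explicitly, since a new password alone leaves it in place.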

At some point, apparently realizing that he was engaged in criminal conduct (now there’s a big “DUH”), Chaney tried to hide behind the proxy service “Hide My IP.”  Frankly, this little trick was quite effective because after the feds seized his home computers but before his arrest, Chaney was still able to log on through another computer to continue hacking away.

Why did Chaney do all of this and what did he get out of it? Beyond the voyeuristic thrill of perusing his victims’ private messages, photos, and documents, he learned of their business contacts, scripts, letters, driver’s license information, Social Security information, and more. It doesn’t take a genius to figure out how one could make a dirty buck off of such purloined data.

Sentencing is scheduled for July 2012, at which time Chaney faces a maximum prison sentence of 60 years, broken down per charge as:

  • Unauthorized Access to a Protected Computer: 5 years in prison;
  • Unauthorized Damage To A Protected Computer:  10 years in prison, and
  • Wiretapping: 5 years in prison.

Additionally, Chaney agreed to forfeit his computers and related devices seized during the investigation, pay restitution to all of the victims for any losses they suffered, and comply with strict restrictions regarding his future use of computers and computer-related devices.