A former US State Department employee has admitted stalking hundreds of women online and sextorting his targets after hacking into their email accounts.
NBC News reports that Michael C. Ford, 36, pleaded guilty in federal court on Wednesday to nine counts of cyberstalking, seven counts of hacking into a computer with the intention to extort, and one count of wire fraud.
According to an indictment filed in the United States Northern District Court of Georgia in May of this year, from January 2013 to May 2015, Ford is alleged to have posed as a technical support staff person working at Google when sending phishing emails to potential targets:
Subject: Goodbye, Your Email Account is Scheduled to Be Deleted.
Message body: We have received your request to delete your Google account. The request details are as follows: March 20, 2015 2:33 AM PDT IP address [Listing numbers]. The deletion process may take up to 96 hours to complete. If this request was made in error, you may cancel the process by responding to this email with your current password in the message body. Your account will remain active once your emailed password has been verified through our automated system. We are sorry to see you go, thank you for using Gmail!
Sincerely, Gmail Account Deletion Team.
These emails asked that the recipients hand over their passwords to Ford. Those who did had their social media and email accounts raided not only for explicit personal content but also for valuable personal information, including contact lists, physical addresses, and passwords to other accounts.
Ford subsequently leveraged this personal information to demand additional explicit content, including videos filmed by the victims of other women undressing:
“I want you to record videos of sexy girls changing. In gyms, clothing stores, pools… You do that, and I disappear.”
Those who refused to comply received threats from Ford, who told at least one woman, “Don’t worry, it’s not like I know where you live.” He also on several occasions sent explicit photos of the victims to their friends and family or posted them online.
Fortunately, federal authorities learned of Ford’s scheme after one of his emails was traced back to a State Department IP address.
Further investigation linked the IP to a single terminal associated with the US Embassy in London. It would turn out that Ford had been using his government-issued computer to conduct most of the hacking, cyberstalking, and sextorting.
Law enforcement agents were ultimately able to arrest Ford after he attempted to return to London following a visit to his parents in Georgia.
Ford’s sentencing is currently scheduled for February 16, 2016.
Following his arrest, a spreadsheet was recovered of 250 emails that it is believed the former State Department employee compromised and/or targeted with his sextortion attacks, many of which appeared to belong to young women attending college. We can only speculate about the humiliation and additional damage all of these victims suffered as a result of Ford’s reckless acts.
This incident is another reminder, when it comes to personal security online, not to click on any suspicious links and to be careful about what types of information you post on social media.
Additionally, and perhaps most importantly, NEVER give out your password to anyone.
No matter what.
One comment on “Hacking, stalking, and sextorting women from a US embassy PC”
'Following his arrest, a spreadsheet was recovered of 250 emails …'
Every single one of those better count as a charge… and I really hope each and every one is a federal offence. More specifically, he deserves nothing but spending the rest of his worthless life in jail.
'Additionally, and perhaps most importantly, NEVER give out your password to anyone.
No matter what.'
To repeat that. Never, ever, give out your LOGIN CREDENTIALS (login, password or anything else) to anyone under any circumstances. Anyone who actually has a need to log in as you (which in practice should be no one) doesn't need your password in order to do it. Anyone claiming otherwise is either very ignorant (and therefore you wouldn't want them working with your accounts) or is a liar trying to breach your account. Or should I say A or (B and A).