Skip to main content

US court system hacked to send phishing emails

(Image credit: Shutterstock)

A man from Texas has been sentenced to 145 months in federal prison after he hacked the Los Angeles Superior Court (LASC) computer system and used its servers to deliver some 2m malspam emails.

The man behind the hack, 33 year old Oriyomi Sadiq Aloba "was found guilty of one count of conspiracy to commit wire fraud, 15 counts of wire fraud, one count of attempted wire fraud, one count of unauthorized impairment of a protected computer, five counts of unauthorized access to a protected computer to obtain information, and four counts of aggravated identity theft."

Aloba was found guilty in July and faced a statutory maximum sentence of over 350 years for his crimes but during his recent sentencing hearing, the judge sentenced him to roughly 12 years in federal prison and he will also have to pay $47,479 in restitution.

Following a phishing attack that compromised one of LASC's employee email accounts in July of 2017, Aloba was able to infiltrate the court's computers. He then later used this account to launch a spear-phishing attack which targeted the accounts of thousands of other LASC employees.

In order to collect the email addresses and passwords of other Superior Court employees, Aloba sent phishing emails that contained a fake Dropbox notification asking them to send over their user credentials

Compromised email accounts

According to the initial indictment from February of 2018, Aloba used these stolen credentials “to log into LASC servers” where he sent test emails to himself to make sure that he had full access to the accounts. These compromised email accounts were then used by Aloba to send over two million phishing emails in which he impersonated companies such as American Express and Wells Fargo.

In a press release, the US Department of Justice explained how it discovered Aloba's phishing scheme, saying:

“Hyperlinks in the fraudulent emails led victims to a webpage that asked for their banking login credentials, personal identifying information, and credit card information. The link for the fake American Express website used source code that designated Aloba’s email account as the delivery address for the information that the victims input into the fake website.”

Aloba was finally apprehended by law enforcement authorities after they used a search warrant to search his home. There the investigators found signs that he attempted to destroy any evidence that could incriminate him such as the “dozens of phishing kits” discovered on his laptop. They also found a thumb drive Aloba tried to dispose of in his toilet, a damaged iPhone in his bathroom sink as well as a laptop with a smashed screen covered in fresh blood.

However, Aloba did not work alone and his co-conspirator 28 year old Robert Charles Nicholson (aka Million$Menace) also pleaded guilty to one count of conspiracy to commit wire fraud. Additionally three other defendants who Aloba hired to develop the phishing kits used in his attacks remain at large outside of the US.

Via Bleeping Computer