US Superior Court Phishing Attack

On July 26, 2019, 33-year-old Oriyomi Sadiq Aloba was found guilty of hacking the Los Angeles Superior Court (LASC) and using its server to send out what is believed to be around 2 million malspam emails.

Today he was sentenced to 145 months in federal prison.

According to the United States Department of Justice, the Texas man “was found guilty of one count of conspiracy to commit wire fraud, 15 counts of wire fraud, one count of attempted wire fraud, one count of unauthorized impairment of a protected computer, five counts of unauthorized access to a protected computer to obtain information, and four counts of aggravated identity theft.”

Aloba originally faced a statutory maximum sentence of 350 years in federal prison after being found guilty of the charges stated above; the judge sentenced him to a little over 12 years in federal prison.

United States District Judge R. Gary Klausner also ordered the man to pay $47,479 in restitution for the crimes.

Los Angeles Superior Court System Victim of Phishing Attack

Aloba found a way to infiltrate the Los Angeles Superior Court System following a phishing attack that compromised the email account of an LASC employee sometime in July 2017.

The same account was later used in a spear-phishing attack that targeted the accounts of thousands of other LASC employees.

The phishing emails sent to the LASC employees contained a fake Dropbox notification asking them to send their user credentials to the company.

Hundreds of Superior Court employees responded, unknowingly sharing their email addresses and passwords with Aloba.

Aloba then used these credentials “to log into LASC servers,” according to the initial indictment from February 2018, and “sent test emails to himself to test the security features and ensure that he had full access to the accounts.”

But he didn’t stop there: he used the compromised email accounts to send around two million phishing emails impersonating companies like Wells Fargo and American Express.

“Hyperlinks in the fraudulent emails led victims to a webpage that asked for their banking login credentials, personal identifying information, and credit card information,” the Department of Justice says.

The Department also states: “The link for the fake American Express website used source code that designated Aloba’s email account as the delivery address for the information that the victims input into the fake website.”

The Damage is Done

Law enforcement executed a search warrant at Aloba’s Texas home and found “dozens of phishing kits” on his laptop, as well as signs of an attempt to destroy evidence, such as “a thumb drive in a toilet, a damaged iPhone in the bathroom sink, and a laptop computer with a smashed screen that was smeared with fresh blood.”

Prosecutors in the case wrote in a sentencing memorandum in court that not only did Aloba’s actions cause harm to many victims of the phishing attack, they also “resulted in a substantial disruption to the administration of the LASC, including taking hundreds of employees offline for hours, at a minimum, and possibly days.”

Accomplices in the case include 28-year-old Robert Charles Nicholson (aka Million$Menace), who pleaded guilty to one count of conspiracy to commit wire fraud, along with three other defendants whom Aloba hired to develop the phishing kits for the attack. Nicholson is scheduled to be sentenced by Judge Klausner on November 4.