A jury found a suburban Houston man, Oriyomi Sadiq Aloba, guilty of 27 federal criminal charges for hacking into the Los Angeles Superior Court computer system and then using it to send approximately 2 million malicious phishing emails. The jury found him guilty of conspiracy to commit wire fraud, 15 counts of wire fraud, one count of attempted wire fraud, one count of unauthorized impairment of a protected computer, five counts of unauthorized access to a protected computer to obtain information, and four counts of aggravated identity theft.
In July 2017, Aloba and his co-conspirators targeted the Los Angeles Superior Court for a phishing attack. During the attack, one court employee’s email account was compromised and sent an email – without her authorization – to co-workers purporting to be from the file hosting service Dropbox. In fact, it was a phishing email that contained a link to a phishing website that asked for the users’ Superior Court email addresses and passwords, court papers state. Thousands of court employees received the Dropbox email and hundreds disclosed their email credentials to the attacker. Multiple court employees’ emails then were used by the attacker to send out millions of phishing emails.
These additional phishing emails purported to be communications from American Express, Wells Fargo, and other companies, and led victims to a webpage that asked for their banking login credentials, personal identifying information, and credit card information. The link for the fake American Express website used source code that designated Aloba’s email account as the delivery address for the information that the victims input into the website, according to court documents.
Investigators executed a search warrant at Aloba’s residence in Texas, which revealed a thumb drive in a toilet, a damaged iPhone in a bathroom sink, and – in the closet of a spare bedroom – a laptop computer with a smashed screen that was smeared with fresh blood. Nearby, agents found a broken mug, which apparently was used to smash the laptop computer. At the time of his arrest, Aloba had blood on his hands and was picking something out of his hands.
During the search, agents retrieved from the thumb drive and bloody laptop dozens of phishing kits, which is software designed to facilitate a phishing attack, including the American Express phishing kit used in the court attack.
As a result of the phishing attack, the court suffered monetary losses, including more than $45,000 in employee time paid to respond to the attack that would have otherwise been spent on ordinary work activities. Additionally, there were more than $15,000 in combined actual and intended losses to credit card victims, according to court documents.
Aloba faces a statutory maximum sentence of more than 350 years in federal prison.
A co-defendant, Robert Charles Nicholson, 28, of Brooklyn, New York, already pleaded guilty to one count of conspiracy to commit wire fraud. Aloba’s other three co-defendants remain at large outside the United States.
If you want to go phishing, find a local pond. . . .