12-Year Prison Term for Hacking LA Court SystemTexas Resident Convicted of Hijacking Court Computers to Send Millions of Phishing Emails
A Texas resident has been sentenced to 12 years in federal prison for hacking into the Los Angeles Superior Court computer system and sending out approximately 2 million phishing emails to steal hundreds of credit and payment card numbers, according to the U.S. Department of Justice.
See Also: The 2020 Bad Bot Report
In July, a jury found Oriyomi Sadiq Aloba, 33, guilty on one count of conspiracy to commit wire fraud, 15 counts of wire fraud, one count of attempted wire fraud, one count of unauthorized impairment of a protected computer, five counts of unauthorized access to a protected computer to obtain information and four counts of aggravated identity theft, according to the Justice Department.
In addition to his 12-year sentence, Aloba was also ordered to pay over $47,000 in restitution, prosecutors say.
After serving his federal prison sentence, Aloba will also face possible deportation, according to a report from MynewsLA.com, a local news website in Los Angeles.
During the sentencing Monday, federal prosecutors noted that Aloba and his co-defendants in this case targeted the "largest court system in the world," which merited special attention. "[Aloba's] conduct resulted in a substantial disruption to the administration of the LASC, including taking hundreds of employees offline for hours, at a minimum, and possibly days," according to the Justice Department.
Aloba was initially charged by the Los Angeles County District Attorney's Office, but the matter eventually was referred to the U.S. Attorney's Office for the Central District of California, which covers Los Angeles, for prosecution.
Phishing for Credentials
The attacks began in July 2017, when Aloba and another man compromised one email account belonging to an Los Angeles court employee, according to the Justice Department.
Once that email account was compromised, Aloba used it as a starting point to send phishing emails to other employees throughout the court system, prosecutors say. Those phishing emails claimed to be from Dropbox and contained a malicious link that led to a fake website controlled by Aloba and others, prosecutors say.
After clicking the link and landing on the webpage, the court employees were asked for their credentials, such as email addresses and passwords, according to the Justice Department.
"Thousands of court employees received the Dropbox email, and hundreds disclosed their email credentials to the attacker," prosecutors say. Aloba also used the credentials collected from the employees to log into Los Angeles court system servers and even test out the security features by sending emails to himself, according to a federal indictment.
Once Aloba and and a co-defendant had control of hundreds of these court email accounts, they began sending out phishing emails to potential victims outside the court system. Prosecutors found that about 2 million of these malicious emails were sent over the period of several weeks.
Those phishing emails were disguised to look like messages from American Express, Wells Fargo and other banks and financial firms, according to the Justice Department.
The messages asked for victims' banking log-in credentials, personal identifying information and credit and payment card details, prosecutors say. The emails also contained a malicious link that would send those details back to a server that Aloba and others controlled, they say.
"The link for the fake American Express website used source code that designated Aloba's email account as the delivery address for the information that the victims input into the fake website," according to the Justice Department.
Plea for Leniency
During his sentencing, Aloba's attorney, Shaun Khojayan, argued for a sentence of two years, telling the judge that a 12-year sentence was "unreasonable" because court employees did not lose any money in the phishing attack, according to MynewsLA.
Prosecutors counter argued that Aloba caused about $45,000 in damage and clean-up costs and that his attack "compromised the integrity of the [Los Angeles Superior Court], which is a court system that thousands of people rely on to administer justice."
In addition to Aloba, Robert Charles Nicholson also used some of the stolen credit card information to make purchases, prosecutors allege. Nicholson, who also went by the name "Million$Menace," pleaded guilty to one federal count of conspiracy to commit wire fraud in June and is scheduled to be sentenced on Nov. 4.
In addition, federal prosecutors believe three other people were also involved in the attack and helped create the phishing kits that Aloba used against the court system. Those others, who have not yet been indicted, are believed to be living outside the U.S., authorities say.