The Department of Justice has announced federal hacking charges against Oriyomi Sadiq Aloba, a Texas resident accused of sending millions of malicious phishing emails facilitated by breaching the Los Angeles County Superior Court (LASC) computer system.
Mr. Aloba, 32, allegedly compromised at least 18 different LASC employee email accounts last summer and then used those addresses to send approximately 2 million phishing messages, the Justice Department said Friday.
Mr. Aloba was arrested at his Houston home in November 2017 and charged by the L.A. County District Attorney’s Office with 18 criminal counts related to the hacking campaign, The Washington Times reported then.
The Department of Justice separately initiated its own investigation into Mr. Aloba that resulted in a federal grand jury returning the criminal indictment announced Friday.
Mr. Aloba waged “a multi-stage phishing attack” against the LASC computer system for a week in July 2017, according to the Justice Department. He successfully tricked multiple LASC employees into coughing up their email credentials and then used their log-in information to send subsequent phishing messages meant to trick additional targets into revealing their personal financial info.
“The phishing emails included an email purporting to be a communication from American Express that led to a webpage that asked victims to provide their American Express login credentials, personal identifying information and credit card information,” the Justice Department explained in a press release announcing the charges.
An FBI computer expert ultimately analyzed the bogus American Express page and found source code that led authorities to Mr. Aloba, according to court documents. Detectives subsequently executed a search warrant at Mr. Aloba’s home and found a USB flash drive in his toilet containing evidence of the crimes, the documents said.
David Wasserman, a public defender representing Mr. Aloba, declined to comment on the case when reached by The Times.
A review of LASC email logs revealed that approximately 550 court employees received phishing emails last July sent from a single LASC account allegedly under Mr. Aloba’s control, according to prosecutors.
Seventeen of the recipients clicked on a malicious document embedded in the emails, and six of those accounts were subsequently compromised and used to send additional phishing emails, prosecutors allege, suggesting a success rate of roughly one percent.
Mr. Aloba is scheduled to be arraigned March 8 in downtown Los Angeles, LA’s City News Service reported. He faces multiple federal charges of unauthorized impairment of a protected computer, unauthorized access to obtain information and aggravated identity theft, the likes of which carry a maximum combined sentence of 17 years in prison upon conviction, the Justice Department said Friday.
The L.A. County District Attorney’s Office previously said the spear-phishing campaign caused losses exceeding $110,000.
The roughly one percent of LASC employees who fell for Mr. Aloba’s alleged scam constitutes a slightly larger success rate than usual, with respect to spear-phishing. Typically about one-in-14 targets typically fall for phishing scams, Verizon concluded in its annual data breach report last year.
A spear-phishing email notably resulted in the breach suffered during the 2016 presidential race by John Podesta, the manager of Democratic candidate Hillary Clinton’s campaign, prior to his personal correspondence being consequently leaked online.