In July 2017, Oriyomi Sadiq Aloba, 33, of Katy, TX, hacked into the computer system of the Los Angeles Superior Court (LASC). Aloba conducted a phishing attack and compromised the email account of a LASC worker. That individual’s email account was then used to send spear phishing emails to other Superior Court employees. The phishing emails included a link to a shared file on Dropbox. Instead, the link directed employees to a website where they were required to enter their login credentials. Those credentials were captured by Aloba.
The phishing attack involved thousands of messages and hundreds of Superior Court email accounts were compromised. Those accounts were then used to send millions of phishing emails impersonating several entities including AMEX and Wells Fargo. The phishing emails sought bank credentials, credit card information, and personal information.
However, Aloba made a schoolboy error. The source code in the phishing page included Aloba’s own email account, which allowed the attack to be traced back to him. A search warrant was executed, and law enforcement found evidence of Aloba’s role in the phishing scam – A thumb drive had been flushed down the toilet, a smashed iPhone was found in the bathroom sink, and Aloba had smashed his laptop screen with a mug and cut his hand in the process. The smashed mug was found and blood on the mug and the screen was a match for Aloba. The computer equipment contained phishing kits and other evidence of Aloba’s crimes. Victims of the phishing attacks lost $15,000 and the Supreme Court incurred costs of around $45,000 in lost man hours.
Aloba was initially charged by the Los Angeles County District Attorney, but the case was referred to the U.S Attorney’s office for federal prosecution. Aloba faced a maximum jail term of 350 years. He was convicted on 27 federal charges in July.
This week, Aloba was sentenced to 145 months – 12 years – in jail for the crimes and was ordered to pay $47,479 in restitution. One of his co-conspirators, Robert Charles Nicholson, 28, of Brooklyn, NY, is scheduled to be sentenced on November 4 after pleading guilty to one count of conspiracy to commit wire fraud. Three other co-conspirators who were hired to create phishing kits for the attacks remain at large outside the United States.