Sophos Cloud Optix
Class, get out your pencils: we’re having a surprise quiz. Please choose the best answer to this question: What’s the best way to ensure your friend is released early from jail?
- Encourage him to keep up his best behavior during his sentence so as to maximize the chances that his good behavior will be recognized and rewarded with early parole.
- Write a letter in support of an early release through the appropriate jurisdiction’s credit-earning programs.
- Hack the county jail’s network and alter his prison record.
A Michigan man opted for No. 3. Bad choice, Konrads Voits! For flunking the quiz, you’re looking at a maximum penalty under federal law of 10 years’ imprisonment and a $250,000 fine (though, of course, maximum sentences are rarely handed out).
According to the US Attorney’s Office for the Eastern District of Michigan, Voits, 27, on Friday pleaded guilty to damaging a protected computer.
The Attorney General’s office says Voits used a classic phishing scheme laced with typosquatting. According to court records posted by The Register, in January 2017, Voits set up a phishing domain. It looks just like a legitimate county domain name for Washtenaw, except Voits swapped the final W for a double V.
Then, he called and emailed employees of Washtenaw County, claiming that he was “Daniel Greene” and that he needed help with court records. Over the phone, he pretended to be “T.L.” or “A.B.”, a county IT employee. The emails tried to entice employees into clicking on a hyperlink so they’d be whisked off to his malware-poisoned site, while the object of the phone calls was to get his victims to type that phishing site domain into their browsers so as to download an executable malware file.
It was to “upgrade the county’s jail system,” Voits claimed.
Some employees fell for it. Voits also finagled remote login credentials out of one employee. That’s how he managed to install malware on the county’s network itself.
Voits got full access to the county network, including to the XJail system – which is a program used to monitor and track county prison inmates – as well as to search warrant affidavits, internal discipline records, and personal information of county employees. Through the phishing and the malware installed on the county’s network, he succeeded in stealing passwords, user names, email addresses and other personal information of more than 1,600 county employees.
In March 2017, after he’d gained full access to the county’s network, Voits got into the records of multiple inmates. He tweaked the record of at least one in an effort to get him out early.
Fortunately, jail employees do careful reviews of inmate releases. No dice, Voits: your records alteration(s) didn’t fool anybody, and no inmates were released early. Washtenaw county employees did, however, spend what the AG said was “thousands of dollars and numerous extra work hours” responding to and investigating the breach.
Part of that was the expense of hiring an incident response company to determine how extensive the breach was. Many of the county’s hard drives had to be reimaged. Also, the county purchased identity theft protection for its employees. All told, the county said its losses were at least $235,488.
Voits agreed to give up his assets to try to pay it off. Goodbye, laptop. Goodbye, collection of four cell phones. Goodbye, undisclosed amount of Bitcoin.
He’s in custody after agreeing to a plea deal. He’s due to be sentenced on April 5 2018.
I wouldn’t be surprised if one repercussion of Voits’ exploits were that county employees have been subjected to refresher courses on how to spot, and avoid, both IT support scammers and phishing attempts.
It isn’t easy. Like that easy to miss double V swap Voits employed, the signs of a phish can be subtle.
In time for the holidays, we recently came out with some simple tips on how to avoid getting phished.
As far as the bogus calls go, you might want to check out our explanation of social engineering. After all, pretending to be the IT guy is just one of the tricks the crooks like to pull!