We’re all hopefully familiar with the notion that criminals can phish details from unsuspecting computer users by creating copycat websites.
To make a phishing page appear more legitimate a scammer might create a domain with a similar looking URL – for instance, appIe.com rather than apple.com (hint: if you didn’t notice, the first “appIe” had a capital “i” in its name rather than an “l”.)
But would it surprise you to hear that similar devious URL trickery could also potentially help a hacker spring one of his buddies from prison?
Last week, Konrad Voits from Ann Arbor, Michigan, pleaded guilty to breaking into the computer systems of Washtenaw County in an attempt to – ultimately – extract an inmate from the prison system.
The 27-year-old hacker’s plan hinged upon the creation of a website called ewashtenavv.org (note the two “v”s at the end), designed to look like the genuine website for Washentaw County,
In early 2017, Voits sent emails to County employees claiming to be a “Daniel Greene” and requesting help with court records. He also phoned employees posing as actual members of the County’s IT staff, in an attempt to trick workers into visiting the bogus website in order to “upgrade the County’s jail system”, but which would actually result in the installation of malicious code.
Unfortunately, some staff fell for Voits’s trick, and malware was installed on the County network.
With that bridgehead in place, Voits was able to gain full access to the County’s systems, including the passwords, usernames and personal information of 1600 employees, but also – most interestingly – the XJail software it used to monitor and track jail inmates.
With the login credentials to the prison management system in his hands, Voits attempted to change the records of one prisoner to arrange their early release.
It’s at this point that the County’s luck changed. Employees at Washtenaw County Jail spotted that something strange was afoot, alerted the FBI, and no prisoners managed to be released early as a result of the hack.
“Cyber intrusions affect individuals, businesses and governments. Computer hackers should realize that unlawfully entering another’s computer will result in a felony conviction and a prison sentence,” said Acting United States Attorney Daniel L. Lemisch. “We applaud the dedication of so many hard-working law enforcement officers to take away this man’s ability to intrude into the computer systems of others.”
Washentaw County officials claim that they paid over $235,000 determining the full extent of the breach, checking that other records had not been tampered with, and recovering systems.
Voits remains in custody, and is scheduled to be sentenced on April 5, 2018. Under a plea deal he faces up to ten years in prison, and a fine of $250,000.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.