Konrads Voits of Ypsilanti, Michigan has been convicted of hacking into the computers of the Washtenaw County Jail and changing its records to provide for the early release of a friend of his. Voits was sentenced to 87 months in prison for his crime. To carry out his crime, Voits used two simple techniques to trick jail employees into downloading malware that enabled him to manipulate the jail records. He first attempted to gain access to jail records by sending spear phishing emails to lure employees of the jail to a phony website he had constructed that looked like the official jail website. The official jail website is http://www.ewashtenaw.org while the phony one set up by Voits, which was filled with malware, was http://www.ewashtenavv.org. The only difference between the real website and Voits’ phony website was his use of the letters “vv” instead of “w” in the domain name. Anyone not paying very careful attention to this difference could be fooled. When this tactic was not as successful as he had hoped, he merely called jail employees pretending to be an IT employee of the jail. He convinced jail employees to install a phony software update of the jail’s app. Rather than a legitimate software update, the unwary employees actually downloaded malware that enabled Voits to gain access to all of the information contained in the jail’s computer system, which he then manipulated in order to change the release date for his friend. Fortunately, Voits was apprehended shortly after committing his crime.
While this is certainly an interesting story, it is also one that provides lessons to all of us as to the steps we need to take to avoid the kind of social engineering used by Voits to trick the jail employees into downloading malware. Scammers use these same techniques against individuals to trick them into downloading a wide variety of malware for purposes such as identity theft or extortion through ransomware. As I often remind you, you should never click on links in emails unless you have absolutely confirmed that the link is legitimate. Being lured into trusting an email that appears legitimate can lead to identity theft or other bad circumstances. Also, always be careful when you type any domain name into your browser. Scammers and identity thieves will also get domain names that are incredibly similar to those of legitimate websites to catch people who may make a minor typographical error in typing in a website’s domain name. Finally, you can never be sure of who is calling you on the phone. Never provide personal information to anyone you have not called or download software as a result of a phone conversation unless you have absolutely confirmed that the call is legitimate.
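The “vv” for “w” swap and the one-keystroke typo described above are both things a mail filter or web proxy can check for automatically. The following is an added example, not part of the original post: the function names, the list of confusable sequences and the last two sample domains are constructed for illustration.

```python
from urllib.parse import urlsplit

# Character sequences that render like another letter. Constructed,
# non-exhaustive list; ("vv", "w") is the swap described in the article.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def host(value: str) -> str:
    """Extract a lower-case hostname from a URL or bare domain, without 'www.'."""
    value = value.strip()
    name = urlsplit(value if "//" in value else "//" + value).hostname or ""
    name = name.rstrip(".")
    return name[4:] if name.startswith("www.") else name


def skeleton(name: str) -> str:
    """Collapse confusable sequences so lookalikes map to the same string."""
    for fake, real in CONFUSABLES:
        name = name.replace(fake, real)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-keystroke typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: str, max_edits: int = 1) -> str:
    """Return 'exact', 'homoglyph', 'typo' or 'unrelated' for candidate."""
    c, p = host(candidate), host(protected)
    if c == p:
        return "exact"
    if skeleton(c) == skeleton(p):
        return "homoglyph"
    if edit_distance(c, p) <= max_edits:
        return "typo"
    return "unrelated"


if __name__ == "__main__":
    # The first two URLs are from the article; the last two are constructed samples.
    for url in ("http://www.ewashtenaw.org", "http://www.ewashtenavv.org",
                "ewashtenw.org", "example.org"):
        print(f"{url:30} {classify(url, 'ewashtenaw.org')}")
```

The phony domain is two edits away from the real one, so a one-edit typo check alone would miss it; the confusable-sequence comparison is what flags it.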