Slashdot Mirror


Nigerian Man Charged in Hacking of Los Angeles County Emails (theguardian.com)

A 'mere' 10.8% phishing success rate has forced Los Angeles County to notify approximately 756,000 individuals that their personal information may have been compromised. The attack occurred on May 13, 2016 when 1,000 County employees received phishing emails. 108 employees were successfully phished. A Nigerian national has been charged in connection with the hack. From a report on The Guardian: Many large organizations would welcome a 10% success rate in their internal anti-phishing training sessions, with 30% and above being common. The 2016 Verizon DBIR suggests that 30% of all phishing emails are opened. The high number of individuals affected from a relatively low number of successes in LA County demonstrates how dangerous phishing attacks can be. The nature of the potentially compromised information is also concerning. "That information may have included first and last names, dates of birth, Social Security numbers, driver's license or state identification numbers, payment card information, bank account information, home addresses, phone numbers, and/or medical information, such as Medi-Cal or insurance carrier identification numbers, diagnosis, treatment history, or medical record numbers," said the County of Los Angeles Chief Executive Office in a statement.

44 comments

  1. Must be Russian by Oswald+McWeany · · Score: 2, Funny

    A Nigerian man caught hacking?

    He must be Russian.

    --
    "That's the way to do it" - Punch
    1. Re:Must be Russian by mmell · · Score: 1

      Where do you get your news - 100percentfedup.Com?

    2. Re:Must be Russian by Anonymous Coward · · Score: 0

      Someone should call Barron Trump, he is the best at the cyber. He is better than anybody else at the cyber. It’s unbelievable. He can fix this in no time and handle it bigly.

    3. Re:Must be Russian by mi · · Score: 1
      Are you attempting to dispute the facts I provided? Was that an attempt at sarcasm demanding citations, perhaps? Here: Popular vote break-down nation-wide Clinton - 65,788,583, Trump - 62,955,363 Popular vote break-down in California Clinton - 8,753,788, Trump - 4,483,810.

      Ergo, without California, Trump's nation-wide deficit of 2,833,220 votes becomes a 1,436,758 surplus. Just as I said.

      Could that Nigerian asshole have had anything to do with Hillary getting so many more votes in CA than in the rest of the nation? Of course not. But it is just as plausible as Putin somehow "hacking our elections"...

      --
      In Soviet Washington the swamp drains you.
    4. Re:Must be Russian by Anonymous Coward · · Score: 1

      California is liberal hippy land, the bluest state in the nation, of course it went overwhelmingly for Clinton. I don't see you questioning the fact that Trump overwhelmingly won the popular vote in, say, super-red Oklahoma.

    5. Re:Must be Russian by sethstorm · · Score: 1

      Which would explain, why Hillary Clinton got 4 million votes more in California, than Trump...

      --
      Twitter supports and protects racists - by smearing their critics with the "Hate Speech" label.
  2. Gubmint (IT) by Anonymous Coward · · Score: 0

    Are these getting past spam filters? And if they aren't, are the employees really that stupid to reply to emails identified as spam?

    1. Re:Gubmint (IT) by Tablizer · · Score: 1

      If you know of spam filters that are 100% reliable, or even 99%, we'd like to know about them.

      There are vast networks of people around the world who are paid to get around spam filters and try to stay one step ahead of them. The filter companies will usually take at least a couple of hours to identify new spam patterns and set up filtering criteria, and it may take yet longer to propagate the patterns to the customers' spam catalogs.

    2. Re: Gubmint (IT) by Anonymous Coward · · Score: 0

      Occam's razor: government employees are stupid enough to open obvious spam. Then take a coffee break.

  3. Prince? by Anonymous Coward · · Score: 2, Funny

    I bet it was a Nigerian prince they caught.

    1. Re:Prince? by jfdavis668 · · Score: 4, Funny

      Did he get the $4000 I sent him? He owes me money!

    2. Re:Prince? by Yvan256 · · Score: 1

      What happened to diplomatic immunity?

    3. Re:Prince? by Tablizer · · Score: 2

      He owes me money

      You can get it back by sending your bank account info to InstantRefund@sucker.foo

  4. So what about the county's responsibility. by Brigadier · · Score: 2

    So big hurrah for LA County's judicial system. I am frustrated however that no entity be it private corporate, or municipality has simply said protection of our information shall come first. This thought that let's just contract with (insert name provider, likely Microsoft) for an off the shelf solution which clearly isn't secure is absurd. Now I am also not saying some municipality pay a contractor to custom design a system, we know which way that will go (see link).

    DWP billing system errors add $245 million to uncollected debt
    http://www.latimes.com/local/c...

    Am I the only one who thinks all 'secure' networks should be on an isolated protocol e.g. email be only text with no public network dependent information. user systems with no access to the internet, and no user level login on public devices including your phone.

    The price being paid for the convenience of looking up bread pudding recipes from your work station (or ranting on /. for that matter) is simply too high. Just a thought.

    1. Re:So what about the county's responsibility. by mmell · · Score: 0

      You're right - the county should ensure that its employees can make only the most minimal use of the web, and only for the specific purpose of performing their work related duties. Laptops should not be issued and their use prohibited, and the use of personal mobile equipment (including smart phones) should be absolutely banned. Also, all county employees should be required to obtain a Bachelor's degree in Information Processing within two years of being hired, regardless of their capacity within county government.

    2. Re: So what about the county's responsibility. by Anonymous Coward · · Score: 0

      Won't work, because government employees are too lazy to get the degree. Plus, a significant number are afro-american and unable to attend segregated university.

    3. Re:So what about the county's responsibility. by evilviper · · Score: 1

      Am I the only one who thinks all 'secure' networks should be on an isolated protocol e.g. email be only text with no public network dependent information. user systems with no access to the internet, and no user level login on public devices including your phone.

      That only moves the bar slightly. Information still needs to get in and out. If it's not done via the internet, then it'll be network shares, USB Flash drives, or similar, and that's where the malware will develop. The data it collects will eventually make its way off-site, too. Maybe making its way to a system that does have wider network access, or just sneaking out big databases on one of those USB thumb drives, some fool plugs into his home PC.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    4. Re:So what about the county's responsibility. by Brigadier · · Score: 1

      On the contrary, my issue is with the client not the protocol. A good client will sterilize any links or downloads and present the information in text only format. File transfers will get handled similar to Google's approach (need to confirm) but the file is scanned server side then made available via a server link which cannot extend to the internet. Lastly user stations have no access to the internet, likewise any systems which phone home are identified immediately and shut down.

  5. Anti-Phishing Training by Anonymous Coward · · Score: 5, Interesting

    My company HR sent notice of required anti-phishing email training.

    - The email came from someone I never heard of.

    - It contained a link to an external website.

    - And the external website required we log in with our domain credentials.

    I ignored the notices for weeks until my boss came to my desk and made me do it. Just unbelievable.

    1. Re:Anti-Phishing Training by Mike+Van+Pelt · · Score: 1

      At a previous employer, HR did some actual benefits mailing from a third party I'd never heard of... a domain with a wacky name like "12monkeys.com". (That wasn't the name, I don't think, but it was something like that.) I think the domain's whois was even privacy protected. I sounded the "We are being phished!" alarm with IT. HR was kind of put out, but my boss approved of my actions.

    2. Re:Anti-Phishing Training by Tablizer · · Score: 1

      I had the opposite happen to me once.

      As the webmaster, I got a vague notice something like, "To whom it may concern, please remove item X from your commerce site. The site in question is not authorized to sell X. Contact us at [phone and email] immediately to resolve this!"

      I dismissed it as spam/phishing because it had no specifics. It was like a form-letter (generic template). It didn't mention our site URL nor identify the page and date spotted.

      A few weeks later some angry lawyers called our org and complained that we ignored their request. I mentioned that I saw the message but dismissed it as spam, but kind of got chewed out for not forwarding it to management. (Unfortunately, I couldn't recover it, long story.)

      They didn't understand that I got a lot of similar spam trying to trick one into calling or emailing so as to put the respondees on a sucker list, and that lack of specifics was usually a sign of foul play.

      In the future, I started forwarding such things with the message, "Boss, this is probably spam, but you may want to review..."

      I think initially they were okay with that approach, but started getting annoyed by it, but couldn't formulate a decent alternative forwarding rule. Eventually the company folded, making it a non-issue.

    3. Re:Anti-Phishing Training by networkBoy · · Score: 2

      I had similar (and I think 12 monkeys *might* be right...)
      I added the domain to our blacklist within a minute of getting the e-mail. Chaos and hilarity ensued.

      I regret nothing.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    4. Re:Anti-Phishing Training by PPH · · Score: 1

      Just wait until someone with a security clearance is contacted by an alleged outside contractor doing an "investigation". The f[censored]ing FBI can't even keep people from running around with fake badges, claiming to be agents.

      --
      Have gnu, will travel.
    5. Re:Anti-Phishing Training by sysrammer · · Score: 2

      My company HR sent notice of required anti-phishing email training.

      - The email came from someone I never heard of.

      - It contained a link to an external website.

      - And the external website required we log in with our domain credentials.

      I ignored the notices for weeks until my boss came to my desk and made me do it. Just unbelievable.

      Been there, done that. As you say, just unbelievable.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    6. Re:Anti-Phishing Training by Anonymous Coward · · Score: 0

      Infosys disables the ability to send e-mail from the corporate account if an employee doesn't take the yearly security awareness training and doesn't pass the associated quiz.

    7. Re:Anti-Phishing Training by antdude · · Score: 1

      I see this with huge security companies too. Others and I facepalmed to mention this. :(

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
  6. Evolution by DaMattster · · Score: 1

    So the Nigerians have progressed from advanced fee fraud to phishing? Well, they must be getting better because it is usually clear to me when an email is sent that is not legitimate. The email is rife with spelling and grammar errors and even word misuse.

    1. Re: Evolution by Anonymous Coward · · Score: 0

      No, a lot of them have ALWAYS been phishing - it's how they compromise the accounts at .gov and .edu sites they use to send advance-fee scam emails. There has been a change in abuse patterns, though; a compromised account used to emit spam within hours of pwnage, but I've seen cases where the compromised account has been sat on for weeks before being "thrown away" in a spam run. Internal email directories, access to corporate systems and files ... it's not the instantly-abused accounts I worry about, it's the ones where the scammers lurked and learned for a while.

  7. Going to need a white russian after this... by Anonymous Coward · · Score: 0

    Nah, they're too busy trying to start WWIII by shooting Russian diplomats in Turkey with their plant in the special police. And here I thought Obama would do something more subtle as retaliation for exposing the DNC's corruption, but I guess their Saudi & Qatari backers don't do subtle things? Now you know why Trump isn't dumb enough to give up his private security detail.

    Meanwhile they wonder why the rest of us are 10 steps ahead of their dirty tricks.

  8. Onion News? [Re:Must be Russian] by Tablizer · · Score: 1

    I always considered the "Nigerian Prince" thing to be a complete joke; for the spammers can claim to be anybody from any country such that the Nigerian connection here sounds dodgy.

    What's next, the butler actually did it?

  9. Rank [Re:So what about the county's responsibil by Tablizer · · Score: 1

    My experience with similar orgs is that the executives want instant connectivity, even when at home or at "important" conferences (cough cough). The executives out-rank most IT security personnel, and thus if they want risky toys/access, they get risky toys/access.

    County government is very rank-sensitive. Logic is secondary to rank. Powerful idiots are dangerous.

  10. But that means no cat videos... by toonces33 · · Score: 1

    Oh, the felinity!

  11. Set up a rule for external email? by bev_tech_rob · · Score: 2

    Our company set up our mail system to insert this line into ANY incoming external email. Has helped us a LOT with reducing the impact of phishing emails...along with filtering known phishing domains......

    >>Attention: This email was sent from someone outside of [your company name here]. Always use caution when opening attachments or clicking links from unknown senders or when receiving unexpected emails.

    --
    You're messin' with my Zen Thing, man.....
    1. Re:Set up a rule for external email? by The-Ixian · · Score: 1

      Not a bad suggestion, thanks.

      We do phishing audits here 2-3 times a year. We always get a click through of between 7 - 25% no matter how much training we do.

      Of course, when we devise our tests, we try to be as sneaky as the bad guys are likely to be while still providing enough tells to make it identifiable as a phishing e-mail.

      Our most recent effort is in mitigation since we are probably never going to get to 0% click through.

      We have been using OpenDNS for a while to help with that. We utilize L7 rules to block executables at the firewall as well as content filtering packages in our SonicWALL. We keep all software up to date and keep up with MS patches. Most recently we have implemented application whitelisting using Avecto Defendpoint. The idea with the whitelisting is to shut down executables from anywhere that the users have write access to so even if an exe gets through it isn't allowed to run. (and of course we run backups, rotate them offsite and test them regularly)

      Even with all that, I worry about ransomware a lot. We have vendors and clients who have fallen prey to it and had thousands of dollars in lost productivity and downtime.

      --
      My eyes reflect the stars and a smile lights up my face.
    2. Re:Set up a rule for external email? by Anonymous Coward · · Score: 0

      Our company does it too, but they messed up the configuration and a lot of internal server notifications get tagged "External email".
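
An added illustration of the external-sender banner rule discussed in this thread and of the mis-tagging failure the reply describes; it is not part of any comment and not any poster's actual mail configuration. The domain, relay address and `X-Sender-Scope` header name are assumed values.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Banner wording from the comment above, wrapped to short lines.
BANNER = (
    "Attention: This email was sent from someone outside of\n"
    "[your company name here]. Always use caution when opening\n"
    "attachments or clicking links from unknown senders or when\n"
    "receiving unexpected emails.\n\n"
)

# Assumed, constructed values: the organisation's own mail domains and the
# addresses its internal servers (monitoring, ticketing) submit mail from.
INTERNAL_DOMAINS = {"corp.example"}
INTERNAL_RELAYS = {"10.0.5.25"}
SCOPE_HEADER = "X-Sender-Scope"  # hypothetical header name


def is_external(msg, client_ip):
    """Internal only if the submitting host is a known internal relay AND the
    From domain is ours; the From header alone is trivially forged."""
    address = parseaddr(str(msg.get("From", "")))[1]
    domain = address.rpartition("@")[2].lower()
    return not (client_ip in INTERNAL_RELAYS and domain in INTERNAL_DOMAINS)


def tag(raw, client_ip):
    """Return the parsed message, bannered and labelled if it is external."""
    msg = message_from_string(raw, policy=policy.default)
    del msg[SCOPE_HEADER]  # never trust a scope label supplied by the sender
    if not is_external(msg, client_ip):
        msg[SCOPE_HEADER] = "internal"
        return msg
    msg[SCOPE_HEADER] = "external"
    # Only a text/plain part is bannered here; HTML-only mail gets the label.
    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        text = body.get_content()
        if not text.startswith(BANNER):  # do not stack banners on re-delivery
            body.set_content(BANNER + text)
    return msg


def sample(sender, body="Quarterly report attached.\n"):
    """Constructed test message, not real traffic."""
    return f"From: {sender}\nTo: staff@corp.example\nSubject: test\n\n{body}"
```

Keying the decision on the submitting relay as well as the From domain keeps internal server notifications untagged while a forged internal From address arriving from outside still gets the banner.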

  12. Public employees are stupid by Anonymous Coward · · Score: 0

    Nothing new here. I'm actually surprised it wasn't a higher number.

    1. Re: Public employees are stupid by Anonymous Coward · · Score: 0

      Yeah, no dummies in the private sector, no way. All that capitalism keeps them smart.

  13. Nigerian hacking? by unixisc · · Score: 1

    So did President Muhammadu Buhari of Nigeria have any reason to prefer Trump? He's Muslim, so if anything else, he should have wanted to rig the election for Clinton: break into RNC emails and expose attempts by Cruz to steal delegates disproportionate to the votes, making all Republicans wanna vote for Hillary

  14. Re:Nigerian hacking? by mi · · Score: 1

    Obviously, Putin used the Nigerian to hide his own tracks. Duh...

    --
    In Soviet Washington the swamp drains you.
  15. I'm so excited, I'm getting my $100,000 check soon by filesiteguy · · Score: 1

    As an LAC employee, I cannot believe the hit this has taken. I got the email and dumped it. Still, I'm waiting on the $10,000 inheritance check from the former deposed Nigerian prince. I only had to submit my credit card.

  16. 409 by Anonymous Coward · · Score: 0

    I got a phone call from a Nigerian prince who said he was thrown in prison for a small infraction while trying to get through customs. He said that if I only pay his bail of $5000 that he will most assuredly share with me the 35 million in cash that is waiting for him in customs.

  17. What A ... by NoSalt · · Score: 1

    Prince