Ex-US Embassy London Employee Gets 4.9 Years For “Sextortion” Scheme

Posted: 4:03 am EDT

Last December, the Justice Department announced that the former State Department/US Embassy London employee, Michael C. Ford, pleaded guilty to perpetrating a widespread, international e-mail phishing, computer hacking and cyberstalking scheme against hundreds of victims in the United States and abroad.

In a court filing submitted to aid in the sentencing, the USG recommended a sentence of 96 months of incarceration, followed by three years of supervised release. It also notes the following:

The sheer number of phishing e-mails that Ford sent is astounding. For example, on one day alone, April 8, 2015, Ford sent phishing e-mails to approximately 800 unique e-mail addresses. On the same date, Ford then sent 180 follow-up e-mails to potential victims who had not yet responded to his original phishing e-mail, as well as approximately 15 e-mails to victims who had provided incorrect passwords. Considering Ford’s daily volume, repeated over the course of several months, the number of Ford’s potential phishing victims is staggering.
[…]
Ford’s conduct was relentless and strikingly callous. He harassed his victims on almost a daily basis. He was particularly motivated by their reactions of fear, anger, and defiance. He was unmoved by their pleas to leave them alone. He laughed in the face of their fear, and he escalated his threats when they threatened to involve the police. He showed no remorse and thrived on his power over his victims.

Ford’s conduct was persistent and compulsive. He sometimes spent the majority of his work day, at taxpayer expense, engaged in his criminal scheme. This speaks powerfully about Ford’s dedication to his crime. In addition, his conduct was incredibly brazen. He used his U.S. Embassy work computer (which was positioned in a common, shared work area) to commit his crimes and at one point, filed a complaint with his employer, requesting more privacy in his workspace.

Today, U.S. District Judge Eleanor Ross sentenced the 36-year-old Michael C. Ford to serve four years and nine months (59 months) in prison followed by three years of supervised release.  The case is USA v. Michael C. Ford, Case No. 1:15-CR-319-ELR.

#

Former US Embassy London Employee Pleads Guilty to Cyberstalking and “Sextortion” Scheme

Posted: 12:47 am EDT

We’ve blogged previously about the Michael C. Ford case (see State Dept Employee Posted at US Embassy London Faces ‘Sextortion’ Charges in Georgia and US Embassy London Local Employee Charged With Cyberstalking, Computer Hacking and Wire Fraud).

On December 9, USDOJ announced that the former State Department/Embassy London employee pleaded guilty to perpetrating a widespread, international e-mail phishing, computer hacking and cyberstalking scheme against hundreds of victims in the United States and abroad. More below:

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney John A. Horn of the Northern District of Georgia, Director Bill A. Miller of the U.S. Department of State’s Diplomatic Security Service and Special Agent in Charge J. Britt Johnson of the FBI’s Atlanta Field Office made the announcement.

Michael C. Ford, 36, of Atlanta, was indicted by a grand jury in the U.S. District Court for the Northern District of Georgia on Aug. 18, 2015, with nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud.  The names of the victims are being withheld from the public to protect their privacy.

Ford pleaded guilty to all charges and admitted that between January 2013 and May 2015, he used various aliases that included “David Anderson” and “John Parsons” and engaged in a widespread, international computer hacking, cyberstalking and “sextortion” campaign designed to force victims to provide Ford with personal information as well as sexually explicit videos of others.  Ford targeted young females, some of whom were students at U.S. colleges and universities, with a particular focus on members of sororities and aspiring models.

Ford posed as a member of the fictitious “account deletion team” for a well-known e-mail service provider and sent phishing e-mails to thousands of potential victims, warning them that their e-mail accounts would be deleted if they did not provide their passwords.  Ford then hacked into hundreds of e-mail and social media accounts using the passwords collected from his phishing scheme, where he searched for sexually explicit photographs.  Once Ford located such photos, he then searched for personal identifying information (PII) about his victims, including their home and work addresses, school and employment information, and names and contact information of family members, among other things.

Ford then used the stolen photos and PII to engage in an ongoing cyberstalking campaign designed to demand additional sexually explicit material and personal information.  Ford e-mailed his victims with their stolen photos attached and threatened to release those photos if they did not cede to his demands.  Ford repeatedly demanded that victims take sexually explicit videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores, and then send the videos to him.

When the victims refused to comply, threatened to go to the police or begged Ford to leave them alone, Ford responded with additional threats.  For example, Ford wrote in one e-mail “don’t worry, it’s not like I know where you live,” then sent another e-mail to the same victim with her home address and threatened to post her photographs to an “escort/hooker website” along with her phone number and home address.  Ford later described the victim’s home to her, stating “I like your red fire escape ladder, easy to climb.”  Ford followed through with his threats on several occasions, sending his victims’ sexually explicit photographs to family members and friends.

Ultimately, Ford sent thousands of fraudulent “phishing” email messages to potential victims, successfully hacked into at least 450 online accounts belonging to at least 200 victims, and forwarded to himself at least 1,300 stolen email messages containing thousands of sexually explicit photographs.  Ford sent threatening and “sextortionate” online communications to at least 75 victims.

During the relevant time period, Ford was employed by the U.S. Embassy in London.  The majority of Ford’s phishing, hacking and cyberstalking activities were conducted from his computer at the U.S. Embassy.
[…]
“When a public servant in a position of trust commits any form of misconduct, to include federal crimes such as cyberstalking and computer hacking, we vigorously investigate such claims,” said Director Miller.  “The Diplomatic Security Service is firmly committed to investigating and working with the Department of Justice, U.S. Attorney’s Office and our other law enforcement partners to investigate criminal allegations and bring those who commit these crimes to justice.”
[…]
U.S. District Judge Eleanor L. Ross of the Northern District of Georgia scheduled Ford’s sentencing hearing for Feb. 16, 2016.

The Diplomatic Security Service and the FBI are investigating the case.  Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section, Trial Attorney Jamie Perry of the Criminal Division’s Human Rights and Special Prosecutions Section and Assistant U.S. Attorney Kamal Ghali of the Northern District of Georgia are prosecuting the case.  The Criminal Division’s Office of International Affairs and the U.S. Embassy in London provided assistance in this case.

The case is USA v. Ford, CRIMINAL DOCKET FOR CASE #: 1:15-mj-00386-ECS-1 in the U.S. District Court in the Northern District of Georgia (Atlanta).

According to court records, this individual, a U.S. citizen, lived in London and joined the U.S. Embassy there in 2009, which suggests that he was a locally hired employee. The charging documents do not indicate which section of the embassy he worked in or what his job was. But he apparently used his State Department-issued computer at the U.S. Embassy in London to carry out his cyberstalking and sextortion schemes.

There are a few curious things about this case: 1) there’s no mention anywhere in court records of where he worked within the embassy; 2) there’s no explanation of how he came to target Jane Doe, an 18-year-old Kentucky resident; where did he find her and his other victims? 3) he successfully hacked 450 online accounts belonging to at least 200 victims, and forwarded to himself at least 1,300 stolen email messages containing thousands of sexually explicit photographs; how come nobody noticed? Was this guy a locally hired IT person, so spending all that time on his computer did not raise red flags? 4) Did Embassy London/HR know that this person had a prior criminal record when it hired this employee? If not, why not?

The affidavit in support of a criminal complaint and arrest warrant executed by DSS Agent Erik Kasik is available below:

#

US Embassy London Local Employee Charged With Cyberstalking, Computer Hacking and Wire Fraud

Posted: 5:50 pm EDT

We posted about this case last May (see State Dept Employee Posted at US Embassy London Faces ‘Sextortion’ Charges in Georgia). On August 19, the Justice Department announced that a locally employed staff member of US Embassy London, Michael C. Ford, 36, was charged by indictment on Aug. 18, 2015, with nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud. During the Daily Press Briefing of May 21st, the deputy spokesperson for the State Department informed the press that as of May 18th, this individual is no longer an embassy employee.

Via USDOJ | August 19, 2015:

WASHINGTON—A former locally-employed staff member of the U.S. Embassy in London was charged with engaging in a hacking and cyberstalking scheme in which, using stolen passwords, he obtained sexually explicit photographs and other personal information from victims’ e-mail and social media accounts, and threatened to share the photographs and personal information unless the victims ceded to certain demands.

Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division, U.S. Attorney John A. Horn of the Northern District of Georgia, Director Bill A. Miller of the U.S. Department of State’s Diplomatic Security Service and Special Agent in Charge J. Britt Johnson of the FBI’s Atlanta Division made the announcement.

Michael C. Ford, 36, was charged by indictment on Aug. 18, 2015, with nine counts of cyberstalking, seven counts of computer hacking to extort and one count of wire fraud.

“According to the indictment, Ford hacked into e-mail accounts and extorted sexually explicit images from scores of victims,” said Assistant Attorney General Caldwell. “As these allegations highlight, predators use the Internet to target innocent victims. With the help of victims and our law enforcement partners, we will find those predators and hold them accountable.”

“Ford is alleged to have hacked into hundreds of e-mail accounts and tormented women across the country, by threatening to humiliate them unless they provided him with sexually explicit photos and videos,” said U.S. Attorney John Horn. “This sadistic conduct is all the more disturbing as Ford is alleged to have used the U.S. Embassy in London as a base for his cyberstalking campaign.”

“The Diplomatic Security Service is firmly committed to working with the Department of Justice and our other law enforcement partners to investigate allegations of crime and to bring those who commit these crimes to justice,” said Director Miller. “When a public servant in a position of trust is alleged to have committed a federal felony such as cybercrime, we vigorously investigate such claims.”

“While the allegations in this case are disturbing, it does illustrate the willingness and commitment of the FBI and its federal partners to aggressively follow those allegations wherever they take us,” said Special Agent in Charge Johnson. “The FBI will continue to provide significant resources and assets as we address complex cyber based investigations as seen here.”

According to allegations in the indictment, from January 2013 through May 2015, Ford, using various aliases that included “David Anderson” and “John Parsons,” engaged in a computer hacking and “sextortion” campaign to force numerous women to provide him with personal information and sexually explicit photographs and videos. To do so, Ford allegedly posed as a member of the fictitious “account deletion team” for a well-known e-mail service provider and sent notices to thousands of potential victims, including members of college sororities, warning them that their accounts would be deleted if they did not provide their passwords.

Using the passwords collected from this phishing scheme, Ford allegedly hacked into hundreds of e-mail and social media accounts, stole sexually explicit photographs and personal identifying information (PII), and saved both the photographs and PII to his personal repository.

Ford then allegedly e-mailed the victims and threatened to release the photographs, which were attached to the e-mails, unless they obtained videos of “sexy girls” undressing in changing rooms at pools, gyms and clothing stores, and then sent the videos to him.

The indictment alleges that, when the victims either refused to comply or begged Ford to leave them alone, Ford responded with additional threats, including by reminding the victims that he knew where they lived. On several occasions, Ford allegedly followed through with his threats by sending sexually explicit photographs to victims’ family members and friends.

During the pendency of the alleged scheme, Ford was a civilian employee at the U.S. Embassy in London, England. He allegedly used his government-issued computer at the U.S. Embassy to conduct the phishing, hacking and cyberstalking activities.

The charges and allegations contained in an indictment are merely accusations. The defendant is presumed innocent unless and until proven guilty.

The case is being investigated by the U.S. Department of State’s Diplomatic Security Service and the FBI. The Criminal Division’s Office of International Affairs and the U.S. Embassy in London provided assistance. The case is being prosecuted by Senior Trial Attorney Mona Sedky of the Criminal Division’s Computer Crime and Intellectual Property Section, Trial Attorney Jamie Perry of the Criminal Division’s Human Rights and Special Prosecutions Section and Assistant U.S. Attorney Kamal Ghali of the Northern District of Georgia.

Anyone who believes that they are the victim of hacking, cyberstalking, or “sextortion” should contact law enforcement. Resources regarding hacking and other cybercrimes can be found at: https://www.fbi.gov/about-us/investigate/cyber.

#

OPM Hack Compromises Federal Employee Records, Not Just PII But Security Clearance Info

Posted: 3:39 am EDT

On June 4, WaPo reported that hackers working for the Chinese state breached the computer system of the Office of Personnel Management in December, and that the agency will notify about 4 million current and former federal employees that their personal data may have been compromised.

We should note that OPM’s Federal Investigative Services (OPM-FIS) oversees approximately 90% of all background investigations.

Reuters reported on June 6 that most of the State Department employees had not been exposed to the breach because their data was not housed on the hacked OPM systems. Apparently, only those who had previously been employed by another federal agency may have been exposed, it said. Did you get the notice on the data breach?

It appears, however, that OPM has a requirement that all candidates being offered positions of employment at U.S. government agencies or departments, including at the State Department, are to complete their Questionnaires for National Security Positions (SF-86) on-line via the electronic Questionnaires for Investigations Processing (e-QIP). We don’t know what happens to those completed questionnaires after they are submitted to OPM; are they transferred to the State Department and deleted from OPM servers?

OPM released the following statement:

The U.S. Office of Personnel Management (OPM) has identified a cybersecurity incident potentially affecting personnel data for current and former federal employees, including personally identifiable information (PII).

Within the last year, the OPM has undertaken an aggressive effort to update its cybersecurity posture, adding numerous tools and capabilities to its networks.  As a result, in April 2015, OPM detected a cyber-intrusion affecting its information technology (IT) systems and data. The intrusion predated the adoption of the tougher security controls.

OPM has partnered with the U.S. Department of Homeland Security’s Computer Emergency Readiness Team (US-CERT) and the Federal Bureau of Investigation (FBI) to determine the full impact to Federal personnel. OPM continues to improve security for the sensitive information it manages and evaluates its IT security protocols on a continuous basis to protect sensitive data to the greatest extent possible. Since the intrusion, OPM has instituted additional network security precautions, including: restricting remote access for network administrators and restricting network administration functions remotely; a review of all connections to ensure that only legitimate business connections have access to the internet; and deploying anti-malware software across the environment to protect and prevent the deployment or execution of tools that could compromise the network.

As a result of the incident, OPM will send notifications to approximately 4 million individuals whose PII may have been compromised. Since the investigation is on-going, additional PII exposures may come to light; in that case, OPM will conduct additional notifications as necessary. In order to mitigate the risk of fraud and identity theft, OPM is offering credit report access, credit monitoring and identity theft insurance and recovery services to potentially affected individuals through CSID®, a company that specializes in these services. This comprehensive, 18-month membership includes credit monitoring and $1 million in identity theft protection services at no cost to enrollees.

“Protecting our Federal employee data from malicious cyber incidents is of the highest priority at OPM,” said OPM Director Katherine Archuleta. “We take very seriously our responsibility to secure the information stored in our systems, and in coordination with our agency partners, our experienced team is constantly identifying opportunities to further protect the data with which we are entrusted.”

OPM has issued the following guidance to affected individuals:

• Monitor financial account statements and immediately report any suspicious or unusual activity to financial institutions.

• Request a free credit report at www.AnnualCreditReport.com or by calling 1-877-322-8228. Consumers are entitled by law to one free credit report per year from each of the three major credit bureaus – Equifax®, Experian®, and TransUnion® – for a total of three reports every year. Contact information for the credit bureaus can be found on the Federal Trade Commission (FTC) website, www.ftc.gov.

• Review resources provided on the FTC identity theft website, www.identitytheft.gov. The FTC maintains a variety of consumer publications providing comprehensive information on computer intrusions and identity theft.

• You may place a fraud alert on your credit file to let creditors know to contact you before opening a new account in your name. Simply call TransUnion® at 1-800-680-7289 to place this alert. TransUnion® will then notify the other two credit bureaus on your behalf.

How to avoid being a victim:

• Be suspicious of unsolicited phone calls, visits, or email messages from individuals asking about employees or other internal information. If an unknown individual claims to be from a legitimate organization, try to verify his or her identity directly with the company.

• Do not provide personal information or information about your organization, including its structure or networks, unless you are certain of a person’s authority to have the information.

• Do not reveal personal or financial information in email, and do not respond to email solicitations for this information. This includes following links sent in email.

• Do not send sensitive information over the Internet before checking a website’s security (for more information, see Protecting Your Privacy, http://www.us-cert.gov/ncas/tips/ST04-013).

• Pay attention to the URL of a website. Malicious websites may look identical to a legitimate site, but the URL may use a variation in spelling or a different domain (e.g., .com vs. .net).

• If you are unsure whether an email request is legitimate, try to verify it by contacting the company directly. Do not use contact information provided on a website connected to the request; instead, check previous statements for contact information. Information about known phishing attacks is also available online from groups such as the Anti-Phishing Working Group (http://www.antiphishing.org).

• Install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic (for more information, see Understanding Firewalls, http://www.us-cert.gov/ncas/tips/ST04-004; Understanding Anti-Virus Software, http://www.us-cert.gov/ncas/tips/ST04-005; and Reducing Spam, http://www.us-cert.gov/ncas/tips/ST04-007).

• Take advantage of any anti-phishing features offered by your email client and web browser.

• Employees should take steps to monitor their personally identifiable information and report any suspected instances of identity theft to the FBI’s Internet Crime Complaint Center at www.ic3.gov.

Potentially affected individuals can obtain additional information about the steps they can take to avoid identity theft from the following agencies. The FTC also encourages those who discover that their information has been misused to file a complaint with them.


#

Twin Brothers and Co-Conspirators on Alleged Scheme to Hack State Dept to Obtain Passport Information

Posted: 2:16 am EDT


Via USDOJ:

Twin brothers Muneeb and Sohaib Akhter, 23, of Springfield, Virginia, were indicted by a federal grand jury today on charges of aggravated identity theft, conspiracy to commit wire fraud, conspiracy to access a protected computer without authorization, access of a protected computer without authorization, conspiracy to access a government computer without authorization, false statements, and obstruction of justice.

According to the indictment, beginning in or about March 2014, the Akhter brothers and coconspirators hacked into the website of a cosmetics company and stole its customers’ credit card and personal information. They used the stolen information to purchase goods and services, including flights, hotel reservations, and attendance at professional conferences. In addition, the brothers and coconspirators devised a scheme to hack into computer systems at the U.S. Department of State to access network traffic and to obtain passport information.

Related court documents and information may be found on the website of the District Court for the Eastern District of Virginia or on PACER by searching for Case No. 1:15-cr-124.

#