Two men accused of taking over the social-media accounts of NFL and NBA athletes have been charged in federal court.
Multiple professional and semi-pro athletes were victimized by two men who infiltrated their personal accounts, according to testimony in federal court on Wednesday. Trevontae Washington of Thibodaux, La., and Ronnie Magrehbi, of Orlando, Fla., faced separate judges in the Eastern District of Louisiana and the Middle District of Florida, respectively, and were charged with one count of conspiracy to commit wire fraud, and one count of conspiracy to commit computer fraud and abuse.
Federal prosecutors alleged that between December 2017 and April 2019, Washington and Magrehbi actively took part in illegal schemes to gain access to social media and other personal online accounts of the players.
Washington allegedly specialized in NBA and NFL players, and phished for their credentials over public platforms such as Instagram. He would send them messages with embedded links to what appeared to be legitimate social-media log-in pages, prosecutors said, but these were in fact phishing pages built to capture the athletes’ user names and passwords. Once an athlete typed in credentials, they were forwarded to Washington, who, along with others, allegedly locked the athlete out of the account. The group also tried the stolen credentials against the victims’ other accounts, counting on password reuse. Prosecutors claimed that Washington then sold access to the compromised accounts to others for amounts ranging from $500 to $1,000.
Magrehbi, meanwhile, is alleged to have obtained access to accounts belonging to one professional football player, including an Instagram account and a personal email account. Magrehbi took an extortion approach reminiscent of ransomware, prosecutors said: he demanded payment in return for restoring access to the accounts, and was paid, according to Department of Justice documents. The player sent funds on at least one occasion, portions of which were transferred to a personal bank account controlled by Magrehbi, but the athlete never regained access, prosecutors said.
The DoJ has not released the names of the affected players.
“Instagram is built as a mobile-first experience, which means that these attackers knew they could build a mobile-specific phishing campaign to increase the likelihood of success,” Hank Schless, senior manager of security solutions at Lookout, told Threatpost. “Since we carry our mobile devices with us all the time, we trust them to be inherently secure. Threat actors know this and socially engineer targets through SMS, social media and third-party messaging apps and convince them to click a malicious link.”
It is also harder to spot phishing attempts on mobile, he added.
“Smaller screens, a simplified user experience and shortened URLs make it difficult to tell if a site is legitimate or not,” he said. “It’s also much easier to create a legitimate-looking account or phone number that could convince a target that the communication is real. Lookout discovered a mobile-specific phishing campaign earlier this year that intended to phish individual mobile banking login credentials through SMS.”
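The attack described above hinges on a victim not being able to tell a real log-in URL from a lookalike, and the quote above lists the tricks that make that hard on mobile: shortened URLs, convincing-looking names, small screens. The script below is an added example written for this article (it is not code from Threatpost, Lookout, Instagram or the court filings) showing the checks a phishing-aware client or mail filter would apply to links found in a message. The trusted-host set, the shortener list and the sample direct message are constructed assumptions for the demo; a production version would use the Public Suffix List instead of the two-label heuristic and would actually expand shortened links before judging them.

```python
"""Classify log-in links found in a message as trusted, unknown or suspicious.

Added illustration for the article; the host lists and the sample DM below
are constructed assumptions, not data from the case.
"""
import re
from urllib.parse import urlsplit

# Hosts a genuine Instagram log-in page is served from (assumption for the demo).
TRUSTED_LOGIN_HOSTS = {"instagram.com", "www.instagram.com"}
BRAND = "instagram"

# Link shorteners hide the destination; the link cannot be judged until expanded.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host):
    """Last two labels of a host name, e.g. 'login.evil.example' -> 'evil.example'.

    Good enough for this demo; real code would consult the Public Suffix List so
    that names like 'example.co.uk' are handled correctly.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url):
    """Return (verdict, reason) for one URL, where verdict is
    'trusted', 'unknown' or 'suspicious'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("suspicious", "no hostname")
    if parts.username is not None:
        # "https://www.instagram.com@evil.example/": the brand is only the
        # userinfo part; the browser connects to evil.example.
        return ("suspicious", f"userinfo before @ hides real host {host}")
    if any(label.startswith("xn--") for label in host.split(".")):
        # Internationalised label: a homoglyph of the brand may be rendered.
        return ("suspicious", "punycode hostname (possible homoglyph)")
    if registrable_domain(host) in SHORTENERS:
        return ("unknown", "link shortener; expand the link before judging it")
    if host in TRUSTED_LOGIN_HOSTS:
        if parts.scheme.lower() != "https":
            return ("suspicious", "trusted host but not https")
        return ("trusted", "exact match on trusted log-in host")
    if BRAND in host:
        # "instagram.com.verify-login.example" or "instagram-login.example":
        # the brand appears, but the registrable domain is someone else's.
        return ("suspicious", f"brand name in untrusted domain {registrable_domain(host)}")
    return ("unknown", f"unrelated domain {registrable_domain(host)}")


def scan_message(text):
    """Extract every http(s) URL in a message and classify it."""
    return [(url, *classify_url(url)) for url in URL_RE.findall(text)]


# Constructed sample DM in the style of the lure described in the article.
SAMPLE_DM = (
    "Your account was flagged for copyright review. Verify within 24h: "
    "https://instagram.com.verify-login.example/accounts/login/ "
    "or via https://bit.ly/3abcXYZ . Real link for comparison: "
    "https://www.instagram.com/accounts/login/"
)

if __name__ == "__main__":
    for url, verdict, reason in scan_message(SAMPLE_DM):
        print(f"{verdict:10} {url}  ({reason})")
```

Two design points worth noting. The userinfo check matters because `https://www.instagram.com@evil.example/` displays the brand first on a narrow screen while the browser actually connects to `evil.example`. And a shortener is deliberately classified as unknown rather than suspicious: the honest answer is that nothing can be said about the destination until the redirect chain has been followed.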
The wire fraud conspiracy charges carry a statutory maximum of 20 years in prison and a fine of up to $250,000. The computer fraud conspiracy charges carry a statutory maximum of five years in prison and a fine of up to $250,000.
To avoid being a victim of a mobile phishing scam, “first and foremost, be aware,” Shahrokh Shahidzadeh, CEO at Acceptto, told Threatpost. “Do not click on texts or respond to texts if you are not sure who they’re coming from. Even if it does come from a reputable source, but still seems off, consider checking in with them to make sure it was meant to be sent to you before clicking. Companies and end-users that are relying solely on binary authentication tactics, such as two-factor authentication (2FA) or multifactor authentication (MFA) via SMS, need to understand that these items are static and stored somewhere, waiting to be compromised time and time again. The best way to avoid these scams is to assume all credentials, even those yet to be created have been compromised.”
Meanwhile, account takeovers of high-profile accounts have been in the news lately, after hackers “misled certain employees” to gain access to internal tools at Twitter, took over celebrity and company handles and pushed out a Bitcoin scam.
In that case, the attackers targeted 130 Twitter accounts, ultimately tweeting from 45, accessing the direct messages of 36 and downloading the Twitter Data of seven. Accounts for Joe Biden, Bill Gates, Elon Musk, Apple and Uber were all hijacked in the scheme.