Hacker accesses prison data to (almost) break someone out

One enterprising scammer has used phishing techniques not to get rich quick, but to secure a prisoner’s early release.

Konrad Voits from Michigan, USA, masterminded an elaborate scheme to try and get a prisoner at Washtenaw County out of jail long before they were due for release.

He began by creating a duplicate county website using the URL ewashtenavv.org (using two ‘v’s at the end, instead of a ‘w’, to make it look the same at-a-glance). Brazen as the scheme may be, it actually worked. Voits emailed county employees and managed to trick some into visiting his fraudulent website. From here he encouraged them to download an ‘upgrade to the county jail system’ that was actually malicious code.
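The substitution described above can be caught at the mail gateway or web proxy before a user ever sees the link. The following is an added example, not code from the county or the investigation: it folds look-alike character sequences and flags domains that collapse onto a protected name. The protected domain ewashtenaw.org is inferred from the article's description of the swap, and the confusables table, function names and sample addresses are constructed for illustration.

```python
# Added example: flag sender or link domains that imitate a protected domain.
# CONFUSABLES and PROTECTED are illustrative assumptions, not an exhaustive list.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]
PROTECTED = {"ewashtenaw.org"}  # inferred from the article: 'vv' replaced a 'w'

def skeleton(domain: str) -> str:
    """Fold look-alike character sequences into one canonical form."""
    s = domain.strip().lower().rstrip(".")
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, protected=PROTECTED) -> str:
    d = domain.strip().lower().rstrip(".")
    if d in protected:
        return "legitimate"
    for p in sorted(protected):
        # Compare skeletons on both sides so the check is symmetric.
        if skeleton(d) == skeleton(p):
            return f"lookalike of {p} (confusable characters)"
        if edit_distance(skeleton(d), skeleton(p)) <= 1:
            return f"lookalike of {p} (one-character difference)"
    return "unrelated"

def sender_domain(address: str) -> str:
    """Domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1]

if __name__ == "__main__":
    # Constructed sample senders, not real addresses from the case.
    for sender in ["clerk@ewashtenaw.org", "it-upgrade@ewashtenavv.org",
                   "helpdesk@ewashtenau.org", "news@example.org"]:
        print(f"{sender:32} {classify(sender_domain(sender))}")
```
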

With malware installed on the network, Voits gained full, unfettered access to county systems. Despite having user names, passwords and personal information for 1,600 members of staff at his fingertips, Voits instead turned his attention to the XJail system, used to store information on and monitor the county’s inmates. From here he managed to amend the information of one inmate, to facilitate an early release.

Unfortunately for Voits, this was the point at which county employees became suspicious of his activities and alerted the FBI. Shortly afterwards, Voits was arrested and the status of the prisoner in question was returned to normal.

Though the fast action of both county employees and the FBI may appear to give this story a neat ending, there is still a warning here for all businesses. Washtenaw County ended up spending some $235,000 (£175,000) determining the extent of Voits’ hack, to ensure no other information was tampered with and damaged systems were recovered.

“Cyber intrusions affect individuals, businesses and governments,” said acting United States Attorney Daniel L. Lemisch. “Hackers should realise that unlawfully entering another’s computer will result in a felony conviction and a prison sentence. We applaud the dedication of so many hard-working law enforcement officers to take away this man’s ability to intrude into the computer systems of others.”