Two men will appear in federal court to face charges that they were involved in the unauthorized takeover of social media and other personal online accounts belonging to professional and semi-professional athletes, U.S. Attorney Craig Carpenito announced.

Trevontae Washington, 21, of Thibodaux, Louisiana, and Ronnie Magrehbi, 20, of Orlando, Florida, are each charged in separate criminal complaints with one count of conspiracy to commit wire fraud and one count of conspiracy to commit computer fraud and abuse. 

According to documents filed in this case and statements made in courts:

At various times between December 2017 and April 2019, Washington and Magrehbi took part in illegal schemes to gain access to social media and other personal online accounts belonging to professional and semi-professional athletes, including athletes employed by the National Football League (NFL) and the National Basketball Association (NBA).

Washington is alleged to have compromised accounts belonging to multiple NFL and NBA athletes. According to the DOJ, Washington phished for the athletes credentials, messaging them on platforms like Instagram with embedded links to what appeared to be legitimate social media log-in sites, but which, in fact, were used to steal the athletes’ user names and passwords. Once the athletes entered their credentials, Washington and others locked the athletes out of their accounts and used them to gain access to other accounts. Washington then sold access to the compromised accounts to others for amounts ranging from $500 to $1,000.

Hank Schless, Senior Manager, Security Solutions at Lookout, a San Francisco, Calif.-based provider of mobile phishing solutions, says, “Account Takeover (ATO) is oftentimes the goal for malicious actors because they can access personal data of the account owner, move laterally in corporate infrastructure if it’s a work account, or pose as the account owner to influence others. In this case, the attackers used mobile social media platforms to socially engineer targets and phish their login credentials. Social engineering is a common tactic used to increase the likelihood of a successful attack. The goal of it is almost always credential phishing."

Ray Kelly, principal security engineer at WhiteHat Security, a San Jose, Calif.-based provider of application security, says, “Social engineering remains a common method for attackers to gain access to internal systems. We have seen that humans are often the weakest link in the security chain. Appropriate training and employing services that test human exposure to social engineering attacks can be key to helping prevent an individual from becoming a security gap in any organization.”

Magrehbi is alleged to have obtained access to accounts belonging to a professional football player, including an Instagram account and personal email account. Magrehbi extorted the player, demanding payment in return for restoring access to the accounts. The player sent funds on at least one occasion, portions of which were transferred to a personal bank account controlled by Magrehbi, but never regained access to his online accounts.

Schless explains, "Instagram is built as a mobile-first experience, which means that these attackers knew they could build a mobile-specific phishing campaign to increase the likelihood of success. Since we carry our mobile devices with us all the time, we trust them to be inherently secure. Threat actors know this and socially engineer targets through SMS, social media, and 3rd party messaging apps and convince them to click a malicious link. It’s more difficult to spot phishing targets on mobile. Smaller screens, a simplified user experience, and shortened URLs make it difficult to tell if a site is legitimate or not. It’s also much easier to create a legitimate-looking account or phone number that could convince a target that the communication is real. "

Lookout, for instance, discovered a mobile-specific phishing campaign earlier this year that intended to phish individual mobile banking login credentials through SMS. "While we think of mobile devices as extensions of ourselves, we need to exercise the same level of caution on them as we do on our computers. At both a personal and professional level, we need to recognize that smartphones and tablets hold just as much valuable data as our laptops and desktops. Everyone has anti-virus and phishing protection software on their computers, so why should our smartphones and tablets be any different?” Schless adds. 

Kacey Clark, Threat Researcher at Digital Shadows, a San Francisco-based provider of digital risk protection solutions, notes, “While email phishing remains one of the most prominent attack vectors for compromise, mobile devices are front-and-center in the lives of just about everyone. This ever-increasing adoption of mobile devices has provided attackers with a large attack surface that could only be dreamed about a decade ago. The threat of mobile device targeting will only increase moving forward as handheld devices continue to be prominent in our lives. Many cybercriminals have also translated tactics and techniques commonly used in email phishing to phishing on mobile devices.”

Shahrokh Shahidzadeh, CEO at Acceptto, a Portland, Oregon-based provider of Continuous Behavioral Authentication, explains, “Often times, folks are not as aware that malicious attempts can be made via text – most assume it is solely through email. Because of this, the cyberattackers rely on unsuspecting people to click on a text more readily than an email link. More often than not, individuals will likely click on the text link if it comes from a phone number they somewhat recognize, or contains colloquial language that makes the end-user feel , for example, that “oh, ok – this is a normal human on the other end sharing something with me that I’ve forgotten about.”

First and foremost, be aware, says Shahidzadeh. "Do not click on texts or respond to texts if you are not sure who they’re coming from. Even if it does come from a reputable source, but still seems off, consider checking in with them to make sure it was meant to be sent to you before clicking. Companies and end-users that are relying solely on binary authentication tactics, such as two-factor authentication (2FA) or multifactor authentication (MFA) via SMS, need to understand that these items are static and stored somewhere, waiting to be compromised time and time again. The best way to avoid these scams is to assume all credentials, even those yet to be created have been compromised and instill a technology solution that continuously monitors authentication that employs artificial intelligence and machine learning, along with behavioral modeling. Doing so allows for the smartest, most risk-based authentication and life cycle management available,” Shahidzadeh says.