Hacker behind Just Eat phishing scam sentenced to 10 years by UK court
29 May 2018
Back in 2015, a sophisticated phishing scam conned as many as 165,000 Just Eat customers in the UK into sharing their personal data with fraudsters who then sold them on the Dark Web other cyber criminals for personal profit.
In March this year, Scotland Yard arrested Grant West from Kent and his girlfriend Rachael Brooks for carrying out the phishing scam in 2015 that not only compromised personal and financial details of 165,000 Brits such as names, addresses, email addresses, passwords, and CVV numbers, but also cost Just Eat around £210,000 in mitigation costs.
West sentenced to ten years
West and Brooks admitted to the Southwark Crown Court earlier this month that they had carried out the phishing scam in 2015 after hacking into a server owned by Just Eat and stealing personal details of customers. The duo sent emails to affected customers by impersonating Just Eat and asked them to respond to a survey and to fill in their personal and financial details in a form in exchange of ten-pound rewards.
“The customers were asked to complete a survey, but the emails were never sent back to Just Eat. They went to the fraudsters. This data was then used to get more information about the Just Eat customers. Complete sets of information are known as, ‘Fullz’. This is then used by the criminal minded to carry out fraud.
“It is of intrinsic value to them and often traded in massive quantities. When on the Dark Web each data is given a value, and this can be just a few pence or thousands of pounds. The prosecution say that was the ultimate purpose of the fraud. They wanted to benefit from selling personal details,” said Kevin Barry, the prosecutor.
The Southwark Crown Court has now awarded a jail term of ten years and eight months to West not only for the Just Eat scam, but also for carrying out hacking operations against firms like Asda, Ladbrokes, Barclays, and British Airways which cost the latter hundreds of thousands in mitigation costs.
Dedicated, repeated hacking attempts for financial gain
For instance, a cyber attack launched by Grant West cost British Airways £400,000 after he successfully hacked the Avios travel awards site and stole customer account details. Another cyber attack launched by West cost Barclays £300,000 in mitigation costs.
Upon carrying out raids on West’s home, Scotland Yard not only recovered £500,000 of Bitcoin from his wallets, but also found seven million email addresses and passwords in his computer along with 63,000 bank card details of Just Eat customers.
“With the arrest of Courvoisier, we can now see the extent of his operation. 7 million usernames and passwords, 63,000 credit cards, and $2.5 million USD in Bitcoin, of which $2,000,000 still remains unaccounted for. He forged phishing emails from major brands in order to steal the personal data. This marks 3 recent successes for law enforcement in fighting cybercriminals,” said Andy Norton, director of threat intelligence at Lastline.
“One of the Carbanak banking group leaders was arrested in Spain in March, and the founder of the Counter Anti-Virus service Scan4you was also recently arrested. Interestingly, Bitcoin was a common payment method in all arrests; Apparently crime does pay, but in cryptocurrencies,” he added.