Gone Phishin' Volume 7: Early to mid October, 2022

A school district, a car company, and an invention that just about anyone can use to extort people.


We're seven iterations into this experiment in phishing news and we have yet to be asked politely to stop, so here's to lucky number seven! Kinda crazy how this started as a whim and now we're all the way at the top of the Google rankings of the "Hoxhunt Gone Phishing" search phrase. That's a tough term to crack! To quote Shania Twain, "It looks like we've made it," folks.

So. There's some big news this week, and none of it is good. Let's get right to it.

Los Angeles Unified School District

This is the big story of the week. Back in September, the Los Angeles Unified School District, herein referred to as LAUSD, was the subject of a huge, wide-ranging data breach — and ultimately ransomware attack — by a group known as the Vice Society Ransomware Gang (in terms of branding: I gotta say, the name really cuts to the chase). On October 2nd, Vice Society leaked the data, which includes highly classified information on children within the LAUSD. NBC Los Angeles reports that the data that has been breached includes "confidential psychological assessments of students, contract and legal documents, business records, and numerous database entries" while Bleeping Computer reports "[w]hile BleepingComputer has not examined any of the data leaked today, some of the folders indicate they may contain sensitive information, such as 'ssn', 'Secret and Confidential', 'Passport', and 'Incident.'"

LAUSD responded in a statement, saying "Los Angeles Unified remains firm that dollars must be used to fund students and education. Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate." Vice Society, meanwhile, seems to be squarely aiming themselves at CISA. After hacking the LAUSD website recently, they left a message saying "CISA wasted our time, we waste CISA reputation." For what it's worth, the education industry is a growing sector in terms of the number of data breaches and ransomware attacks, as are city (and state) level institutions. According to Vice (the magazine, not the Society), 1,043 schools and colleges were hit with ransomware attacks in 2021 alone. I don't want to spend much time editorialising or analysing Vice Society's motives here, but any way you slice it, this is way, way, way over the line in terms of scope and decency. Genuinely scary stuff.

Ferrari

Do you like cars? How about fast cars? Even if your only connection to fast cars is Tracy Chapman's 1988 acoustic banger 'Fast Cars' then you probably know who Ferrari are. The Italian automaker had a data breach wherein almost 7 GB of data was lifted from their servers. According to an article at Spiceworks, it appears that the hackers were after data relating to the Formula 1 racing team.

So, who breached 'em? Turns out it was four-year-old ransomware gadflies RansomEXX, whose name might lead you to believe that they are a Soundcloud rapper, but who are in actuality responsible for some big breaches in the manufacturing, education, and banking industries. No word — yet — on exactly how Ferrari got breached, but it would appear to be a phishing attack combined with some lateral movement through their servers in order to get access to these files. Coincidentally, we just wrote about that very same move. It's becoming increasingly popular in the hackery world. Worth noting: I'm not sure if hackery is a real word or spellcheck is simply taking the day off today.

Caffeine

Hoo boy. Quite a few downers this week. There's a Phishing-as-a-Service product called Caffeine that is squarely aimed at Microsoft 365—one of the biggest email clients in the western hemisphere—as well as other service providers in China and Russia. Basically, to use Caffeine, you pay the fee (from $250 to $850 USD) and select your target and… presto! The unfortunate person who receives the email gets what looks like a Microsoft 365 login page (or another logo kit tailored to look like their company's 365 login page) and then hands over their login.

Caffeine's main webstore (screenshot via Mandiant & Bleeping Computer)


Hoxhunt response:

Our Threat Analysis Team examines tens of thousands of reported phishing emails a week, including ones used in attacks like these, and has captured tens of millions of threats to date. Working together with our powerful machine learning model, they cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly evolving threat landscape. Hoxhunt users are thus equipped with the habits to outsmart the latest actual threats that have outfoxed email filters, removing potentially catastrophic threats from your system. Learn how to equip your employees with the awareness training that will protect your company from phishing scams.
