Privacy Ninja



Nigerian Hacker Pleads Guilty to Stealing Payroll Deposits

A Nigerian national named Charles Onus has pled guilty in the District Court of the Southern District of New York to hacking into a payroll company’s user accounts and stealing payroll deposits.

According to the indictment and the statements made in court, Onus was actively involved in a scheme that took over user accounts of company employees across the United States and stole payroll deposits by diverting the salary payments to debit cards under his control.

This malicious activity started in July 2017, and by the time of his arrest, Onus had compromised 5,500 user accounts to divert a total of $800,000 in payroll funds.


Exploiting a hole in account security

The threat actor used credential stuffing attacks to gain access to accounts at a human resources and payroll company responsible for making salary payments to other companies’ employees.

Credential stuffing is a type of cyberattack where threat actors use username and password combinations taken from previous data breaches and attempt to use those credentials to log in at other online sites.

The method is different from brute-forcing or guessing the passwords, as it doesn’t involve cracking but instead relies on the victim reusing the same credentials on multiple platforms.

“After a Company user account was compromised, the bank account information designated by the user of the account was changed so that Onus would receive the user’s payroll to a prepaid debit card that was under Onus’ control,” details the DOJ announcement.

The arrest of Charles Onus came on April 14, 2021, when the defendant flew from Abuja, Nigeria, to San Francisco, where he was arrested at the airport.

The defendant has now pled guilty to one count of computer fraud for accessing foreign computer networks without authorization. This carries a maximum sentence of five years in prison, and the actual punishment is to be decided by Judge Gardephe on May 12, 2022.


Defending against credential stuffing

A simple way to thwart credential stuffing attacks is to use some form of multi-factor authentication (MFA), which requires a separate authorization code in addition to a user name and password.

As these codes are usually sent to a user via SMS text or using an authentication app, even if a threat actor has a stolen login name and password, they would not be able to log in without the MFA one-time passcode.

Online platforms may also employ fingerprint-based anti-stuffing systems to detect these automated login attempts and block repeated attempts. However, if the number of login attempts is small, it’s not easy to filter them out.
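The following is an added example, not code from the article or from any vendor: a minimal detection sketch that pairs the per-fingerprint check described above with a second signal taken from this case, a payout destination changed from a client first seen on the account only recently. The event format, the fingerprint field and the thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, client fingerprint, account, event, result)
EVENTS = [
    ("2020-12-01T08:00:00", "fp-home", "alice", "login", "ok"),
    ("2021-01-05T09:00:01", "fp-A", "alice", "login", "fail"),
    ("2021-01-05T09:00:40", "fp-A", "bob", "login", "fail"),
    ("2021-01-05T09:01:15", "fp-A", "carol", "login", "ok"),
    ("2021-01-05T09:02:03", "fp-A", "dave", "login", "fail"),
    ("2021-01-05T09:02:50", "fp-A", "erin", "login", "fail"),
    ("2021-01-05T09:10:00", "fp-A", "carol", "payout_change", "ok"),
    ("2021-01-06T12:00:00", "fp-home", "alice", "login", "ok"),
    ("2021-01-06T12:05:00", "fp-home", "alice", "payout_change", "ok"),
]

def stuffing_sources(events, min_accounts=4, max_success_ratio=0.34):
    """Fingerprints that tried many distinct accounts and mostly failed."""
    accounts, attempts, wins = defaultdict(set), defaultdict(int), defaultdict(int)
    for _, fp, account, event, result in events:
        if event != "login":
            continue
        accounts[fp].add(account)
        attempts[fp] += 1
        wins[fp] += result == "ok"
    return sorted(fp for fp in accounts
                  if len(accounts[fp]) >= min_accounts
                  and wins[fp] / attempts[fp] <= max_success_ratio)

def risky_payout_changes(events, window=timedelta(hours=24)):
    """Payout changes from a fingerprint first seen on that account within `window`."""
    first_ok = {}   # (account, fingerprint) -> time of first successful login
    flagged = []
    for ts, fp, account, event, result in sorted(events):  # ISO times sort as text
        when = datetime.fromisoformat(ts)
        if event == "login" and result == "ok":
            first_ok.setdefault((account, fp), when)
        elif event == "payout_change":
            seen = first_ok.get((account, fp))
            if seen is None or when - seen < window:
                flagged.append((account, fp, ts))
    return flagged

if __name__ == "__main__":
    print(stuffing_sources(EVENTS))
    print(risky_payout_changes(EVENTS))
```

Counting distinct accounts per fingerprint catches one-attempt-per-account runs that a per-account lockout never sees, and the payout check still fires when the login volume is too small to stand out.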

These attacks are the reason why password recycling is a bad idea and why users should globally reset their passwords once they’ve been compromised on any site.

Furthermore, users should utilize a password manager and a unique password at every site where they have an account, so that a data breach at one site does not affect their accounts at other sites.


