The US DoD Got Snookered In A $23.5M Phishing Scam But Got Revenge In Court

We’ve recently covered a number of sophisticated phishing scam techniques, including fake animated windows designed to steal passwords and automated call bots that trick victims into giving away multi-factor authentication codes. While ransomware attacks are currently on track to surpass phishing attacks as the number one cause of data compromises, phishing attacks remain a major threat to cybersecurity. Last week, the US Department of Justice (DoJ) revealed that the Department of Defense (DoD) recently fell prey to a phishing attack that came close to costing the department almost $23.5 million.

The DoJ revealed this information after Sercan Oyuntur, a Turkish national who operated a phone repair business in California, was found guilty of conspiracy to commit mail, wire, and bank fraud, unauthorized device access, aggravated identity theft, and making false statements to federal law enforcement officers. From June to October 2018, Oyuntur worked with four co-conspirators to access a government website and divert DoD funds to a bank account operated by the criminals. The group used a number of phishing techniques to carry out this high-stakes theft.

The criminals began by registering the domain “dia-mil.com,” which could be mistaken for “dla.mil,” a domain operated by the Defense Logistics Agency (DLA). The conspirators then sent emails from their newly registered domain to vendors who had registered in the System for Award Management (SAM) to work with the federal government. The emails redirected users to a website that appeared identical to the “login.gov” site, but functioned to steal user credentials.
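A defender-side check for the lookalike domain described above, as an added example that is not part of the original article: it folds visually confusable characters and hyphens, then looks for a trusted domain's labels inside the sender's domain. The trusted list, the confusable map and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Assumption: the organisation maintains its own list of domains it expects mail from.
TRUSTED = ["dla.mil", "login.gov"]

# Illustrative (not exhaustive) folding of characters that read alike in an address;
# a hyphen is folded to a dot so "dia-mil.com" is compared label by label.
CONFUSABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "-": "."})

def skeleton(domain):
    """Fold a domain so visually similar spellings compare equal."""
    return domain.lower().strip(".").translate(CONFUSABLE)

def lookalike_of(domain, trusted=TRUSTED):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().strip(".")
    # The real domain and its subdomains are not lookalikes.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    labels = skeleton(domain).split(".")
    for t in trusted:
        t_labels = skeleton(t).split(".")
        n = len(t_labels)
        # Flag when the trusted name shows up as a run of whole labels.
        if any(labels[i:i + n] == t_labels for i in range(len(labels) - n + 1)):
            return t
    return None

def check_sender(from_header):
    """Extract the sender domain from a From: header and test it."""
    _, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    return lookalike_of(domain) if domain else None

def flag_senders(headers):
    """Return (header, imitated_domain) pairs for suspicious senders only."""
    hits = [(h, check_sender(h)) for h in headers]
    return [(h, t) for h, t in hits if t]

# Constructed sample headers; only the domains dia-mil.com, dla.mil and
# login.gov come from the article.
SAMPLE_HEADERS = [
    '"DLA Contracting" <payments@dia-mil.com>',
    "Vendor Support <help@dla.mil>",
    "Accounts <billing@example.org>",
]

if __name__ == "__main__":
    for header, imitated in flag_senders(SAMPLE_HEADERS):
        print(f"SUSPICIOUS: {header} imitates {imitated}")
```

A match here is a reason to quarantine or review the message, not proof of fraud; legitimately hyphenated domains will occasionally trip the label check.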

The Pentagon – headquarters of the US Department of Defense

At least one recipient of the phishing emails was fooled and gave away user credentials, as Oyuntur was able to gain access to a SAM account belonging to an employee of an oil refining company based in South Korea. At the time, the company had 11 active contracts with the US military. One of the contracts had a pending payment of $23,453,350 for 10,080,000 gallons of jet fuel being provided to the DoD.

Oyuntur sought to capitalize on this particular pending invoice by changing the banking information of the recipient to a bank account controlled by a shell company set up by a co-conspirator. The scheme was almost thwarted by an automated security system that flags bank account changes and blocks payments, but the conspirators were able to call the DLA and offer false explanations sufficient to satisfy scrutiny and have the bank account change manually approved. The DoD then completed the transaction, unknowingly depositing the full $23.5 million sum in a bank account owned by the conspirators.

The conspirators worked to create an explanation for the huge payment by falsifying invoices for a New Jersey car dealership owned by one of the co-conspirators. This effort ultimately failed, as the dealership wasn’t a government contractor registered in SAM. An automated system caught the mismatch, resulting in an investigation that eventually unraveled the scheme and led to the return of the stolen funds.

In the course of the investigation, the DoJ caught both Oyuntur and the owner of the car dealership, Hurriyet Arslan. Both criminals have been found guilty on multiple counts. Two of the counts could land Oyuntur in prison for 30 years and carry a fine of $1 million, or twice the gross profits or loss resulting from the offense. Oyuntur’s sentencing date has yet to be determined, while Arslan’s sentencing is set for June 21.