The U.S. Department of Justice (DoJ) has announced the conviction of Sercan Oyuntur, 40, resident of California, for multiple counts relating to a phishing operation that caused $23.5 million in damages to the U.S. Department of Defense (DoD).
The fraudster managed to divert to his personal bank account DoD funds destined for a jet fuel supplier.
After an eight-day trial in Camden, California, Oyuntur was found guilty of conspiracy to commit wire, mail, and bank fraud, unauthorized device access, aggravated identity theft, and making false statements to federal law enforcement officers.
Phishing operation
According to the criminal complaint against Oyuntur in 2019, the damage from the phishing fraud occurred in September 2018.
Oyuntur and his conspirators registered the domain “dia-mil.com”, which is very similar to the legitimate “dla.mil, and used it to send phishing emails.
These emails were delivered to users of SAM (System for Award Management), which is a vendor database where companies that want to conduct business with the Federal Government register themselves.
The phishing messages contained links to a cloned “login.gov” website, where the victimized vendors entered their account details, unknowingly exposing them to Oyuntur.
In at least one confirmed case, Oyuntur logged onto one of the stolen accounts belonging to a corporation from Southeast Asia that had 11 active contracts of fuel provision for the United States military at the time.
One of them was a $23,453,350 contract with a pending payment for the provision of 10,080,000 gallons of jet fuel to the U.S. DoD.
By logging in onto the SAM database as the victimized corporation, Oyuntur changed the registered banking information, replacing the foreign account with one that he controlled.
Attempting to overcome safeguards
At the time, DoD’s EBS servers featured a security system that scanned the SAM database every 24 hours for bank account changes and blocked payments of outstanding invoices that met specific risk criteria.
The conspirators stumbled upon this problem following the bank account change and resorted to calling the DLA (Defense Logistics Agency), delivering false explanations, and requesting the manual approval of the financial information changes.
In October 2018, the payment went through. Oyuntur and his conspirators used falsified invoices of a dealership’s car sales to forge a seemingly legitimate source for the hefty sum.
“As part of his participation in the scheme, Oyuntur worked closely with another conspirator, Hurriyet Arslan, who owned a used car dealership, Deal Automotive Sales, in Florence, New Jersey.”
“Arslan opened a separate shell company based in New Jersey for use in the criminal scheme, obtained a cell phone number for the shell company, hired another person to pose as the shell company’s owner, and opened a bank account in the name of the shell company” – the U.S. Department of Justice
However, the dealership used in the scheme wasn’t a government contractor and wasn’t registered on SAM, so the transaction was still a mismatch for the automated checking systems in place.
As a result, an investigation was launched, gradually uncovering all of the steps in the fraud, identifying one of Oyuntur’s conspirators, Hurriyet Arslan, the owner of the car dealership, and reverting the transaction.
Arslan pleaded guilty to conspiracy, bank fraud, and money laundering in January 2020 and is scheduled to be sentenced this summer.
Oyuntur faces a maximum potential penalty of 30 years in prison and a maximum fine of $1,000,000 or twice the gross profits of loss resulting from his offenses. The date of the sentence has not been set yet.
Source: https://www.bleepingcomputer.com/news/security/us-dod-tricked-into-paying-235-million-to-phishing-actor/