The losses to phishing scams can be considerable. What starts with a single phishing email can easily result in a costly data breach, malware infection, or the fraudulent transfer of millions of dollars to an attacker-controlled account.
Last week, the U.S Department of Justice announced that one of the perpetrators of a phishing scam has been convicted on six counts for his role in a complex phishing scheme and vendor email compromise attack targeting vendors used by the U.S. Department of Defense (DoD). The scam resulted in the fraudulent transfer of $23.5 million from the DoD to the bank account of a shell company that was set up for the scam.
Sercan Oyuntur, 40, of Northridge, California, had previously pleaded guilty to his role in the scam, and on April 28, 2022, was convicted of one count of conspiracy to commit wire, mail, and bank fraud, two counts of bank fraud, one count of using an unauthorized access device to commit fraud, one count of aggravated identity theft, and one count of making false statements to federal law enforcement officers.
The scam started with phishing emails that were sent to DoD contractors between June and September 2018, one of which had a contract with the DoD to supply jet fuel to troops operating in southeast Asia. The email accounts spoofed a genuine Defense Logistics Agency domain and directed victims to a fake website that mimicked the General Services Administration’s (GSA) public-facing website, where credentials were harvested. The credentials provided access to a system through which payments were made to vendors. The account details were changed to direct an upcoming payment to an account under the control of the group.
A shell company had been set up by Oyuntur’s co-conspirator, Hurriyet Arslan, who was the owner of a used car dealership in New Jersey. A cell phone number for the shell company was obtained, and Arslan hired another person to act as the shell company’s owner and opened the account. A payment of $23.5 million was then made by the DoD to the shell company account, which should have been directed to the DoD contractor for payment for the jet fuel.
Arslan attempted to withdraw the funds, although the bank only released a portion of there money. A co-conspirator in Turkey provided an altered DoD contract that indicated his car firm had a DoD contract for Arslan to show the bank to allow the withdrawal of the remaining funds. The contract indicated the used car firm had a contract worth around $23 million, but the funds were not released.
Oyuntur, who is a native and citizen of Turkey, pleaded guilty, was convicted, and now faces spending the rest of his life in jail. He will be sentenced at a later date and faces a maximum of 107 years in jail – A maximum term of 30 years for each of the conspiracy and bank fraud counts, up to 10 years for the unauthorized device access to commit fraud count, up to 5 years for the false statement count, and a mandatory 2-year jail term for the aggravated identity theft count. He could also be ordered to pay up to $1 million in fines. Arslan pleaded guilty to charges of conspiracy, bank fraud, and money laundering and will be sentenced in June.