A man has been convicted as part of a complex phishing attack that resulted in the Department of Defense (DoD) transferring $23.5 million into an attacker-owned account.
The California man, Sercan Oyuntur, 40, launched the attack in 2018 along with several other co-conspirators, according to the Department of Justice (DoJ). The attackers first targeted DoD vendors with phishing attacks in order to steal their login credentials, which they then used to make changes in government systems in order for money to be diverted to an attacker-owned bank account. One of these vendors was a corporation that had a contract with the DoD to supply jet fuel to troops operating in southeast Asia. The attackers sent the phishing emails to a New Jersey-based employee of the vendor, who was responsible for communicating with the federal government on behalf of the corporation through a government system.
“Through a complex phishing scheme, Oyuntur and criminal conspirators in Germany, Turkey, and New Jersey targeted the corporation and the individual so that the conspirators could steal money that DoD intended to pay to the corporation for providing jet fuel,” according to the DoJ in a Friday release.
In order to trick the DoD vendors, the attackers created fake email accounts in other people’s names, and developed fake webpages that purported to be the public-facing website of the General Services Administration, an agency established to help manage and support various functionalities of federal agencies. The phishing emails purported to be legitimate communications from the U.S. government and prompted victims to visit the fake site. In October 2018, the DoD transferred $23.5 million to the jet fuel supply company; however, because of the changes made in the governmental systems, this money went to a bank account owned by another conspirator, Hurriyet Arslan, who owned a used car dealership called Deal Automotive Sales in New Jersey. Arslan pleaded guilty in January 2020 to conspiracy, bank fraud and money laundering and is scheduled to be sentenced on June 21.
“Arslan went to the bank and was able to access some of this money, but the bank would not release all of the funds to Arslan,” according to the DoJ. “That same day, a conspirator in Turkey sent Arslan an email with an altered government contract that falsely indicated Deal Automotive had been awarded a DoD contract valued at approximately $23 million dollars. Oyuntur instructed Arslan to take this fake contract into the bank to explain why he had received the money, so that Arslan could convince the bank to release the remaining funds.”
Phishing attacks are the most-reported type of cyberattack, and they continue to grow more complex. According to the FBI Internet Crime Complaint Center, in 2021 the reported number of phishing attacks reached 323,972, up from 241,342 in 2020. Researchers have also pointed to how organizations face evolving challenges in how they defend against phishing attacks, due in part to remote and hybrid workforces that rely on different devices.
Oyuntur was convicted on Friday of one count of conspiracy to commit wire, mail and bank fraud; two counts of bank fraud; one count of using an unauthorized access device to commit fraud; one count of aggravated identity theft; and one count of making false statements to federal law enforcement officers. The DoJ said Oyuntur will be sentenced on a date to be determined.