The Department of Defense (DoD) nearly lost $23.5 million to a phishing scam in 2018, and the ringleader was recently convicted of multiple charges that could put him in prison for years and add millions of dollars of fines on top.
After phishing DoD vendors for their login credentials, the criminals redirected a small fortune in payments to an account they controlled. The scheme was only stopped by a combination of required payment release procedures and the diligence of bank employees who recognized that something was wrong.
Phishing scam hits DoD vendors using lookalike website
Sercan Oyuntur, a California resident who worked for a DoD jet fuel supplier, had inside knowledge of vendor payment systems and made use of it to concoct a phishing scam.
The victims, who were all known DoD vendors, were sent phishing emails that appeared to come from the General Services Administration (GSA) and directed recipients to a fake login page mocked up to look like the real one. The page was hosted on the domain “dla-mil.com”, registered by the scammers to resemble the legitimate “dla.mil” domain that recipients would expect to see; the only difference is a hyphen in place of a dot, plus a “.com” suffix that is easy to overlook in a link.
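The lookalike trick described above (a trusted name with its dot swapped for a hyphen, then parked under an ordinary registrable domain) is mechanical enough to check for. The following is an added example, not code from the article or from any government system: a small Python checker that pulls the hostname out of each link in an email body and compares it against an assumed allow-list of trusted domains. It goes slightly beyond the case on the page by also catching the trusted name used as a subdomain of an attacker's domain, the same name under a different top-level domain, and one-character typosquats. The allow-list (`dla.mil`, `sam.gov`), the “last two labels” notion of a registrable domain, and the sample email are all assumptions made for the example.

```python
"""Flag links whose host impersonates a trusted domain.

Added example; not part of the original article or of any DoD system.
Assumes a fixed allow-list of trusted domains and a naive "last two labels"
notion of registrable domain (no Public Suffix List), which is enough for
.mil/.com/.gov but would mis-split hosts under suffixes such as co.uk.
"""
import re
from urllib.parse import urlsplit

TRUSTED = {"dla.mil", "sam.gov"}  # hypothetical allow-list for this example

URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)


def hostname(url: str) -> str:
    """Lower-cased host of a URL, tolerating bare hosts and trailing dots."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable(host: str) -> str:
    """Naive registrable domain: the last two DNS labels."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_link(url: str, trusted=TRUSTED) -> str:
    """Return 'ok' for a trusted host, otherwise a short reason it looks like a lookalike."""
    host = hostname(url)
    if not host:
        return "unparseable"
    reg = registrable(host)
    if reg in trusted:
        return "ok"
    for good in trusted:
        # dla.mil -> dla-mil.com : the dot replaced by a hyphen inside another registrable domain
        if good.replace(".", "-") in host.split("."):
            return f"hyphenated lookalike of {good}"
        # dla.mil.evil.example : the trusted name used as a subdomain of an attacker's domain
        if host.startswith(good + "."):
            return f"{good} used as subdomain of {reg}"
        # dla.com : same second-level name, different top-level domain
        if reg.split(".")[0] == good.split(".")[0]:
            return f"same name as {good} under a different TLD"
        # d1a.mil : one character away from the trusted name
        if edit_distance(reg, good) == 1:
            return f"typosquat of {good}"
    return f"untrusted domain {reg}"


def scan_text(text: str, trusted=TRUSTED) -> list[tuple[str, str]]:
    """Classify every http(s) URL found in an email body."""
    return [(u, classify_link(u, trusted)) for u in URL_RE.findall(text)]


# Constructed sample email body, modelled on the page's description (not a real message).
SAMPLE_EMAIL = """From: GSA Vendor Support
Your vendor registration requires reverification.
Log in at https://www.dla-mil.com/login to confirm your banking details.
Reference: https://www.dla.mil/HQ/
"""

if __name__ == "__main__":
    for url, verdict in scan_text(SAMPLE_EMAIL):
        print(f"{verdict:45} {url}")
```

The checker deliberately compares registrable domains rather than full hostnames, because an attacker controls every label to the left of the domain they registered; a trusted name appearing there proves nothing. In production the naive two-label split should be replaced with a Public Suffix List lookup, and the allow-list should come from the set of portals the organisation actually uses.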
Oyuntur had the help of several confederates in pulling off this phishing scam: hackers in Turkey and Germany who prepared and delivered the phishing emails, plus a New Jersey man named Hurriyet Arslan. Arslan owned a car dealership in Florence and was tasked with setting up a shell company, contact information and a bank account to run the stolen payments through.
The phishing scam worked well enough to net $23.5 million in redirected payments between June and September 2018 before it all fell apart. The crew tricked DoD vendors into entering their login credentials on the fake page, then used those credentials to log in to the real vendor portal and change the payment details so that DoD payments went to the shell company’s bank account.
Phishing scam fell apart when cashing out
But, as was the case in the classic movie “Office Space,” the scam came apart at the seams when it was time to cash the payments out. An automated DoD system required that the recipient appear at a bank and show proper paperwork before the payments could be released to their account. The phishing scam crew’s harebrained solution to this obstacle was to have Arslan attempt to transfer the money to his car dealership’s account, using documents forged by the foreign hackers claiming that the dealership was receiving a $23.5 million DoD contract.
As might be expected, this didn’t work, and Arslan ultimately pleaded guilty to the scheme in early 2020. Oyuntur was convicted in April of this year after a very short trial, on six charges ranging from identity theft to fraud. Though it is unlikely he will be hit with the maximum penalty on all of them, Oyuntur could be looking at spending the rest of his life in prison along with up to $3 million in fines. Both he and Arslan are scheduled for sentencing in June.
While the phishing scam ended up being something of a comedy of errors, it serves as a reminder that employees need to be trained to verify that the domain behind an email link is the one they expect before following it, and to navigate to login sites independently, from a bookmark or by typing the address, if there is any doubt at all.