A California man was convicted last week for his role in a multi-million dollar phishing scheme targeting the US Department of Defense (DoD).
The man, Sercan Oyuntur, 40, of Northridge, California, was convicted on six counts, including conspiracy to commit wire, mail and bank fraud, the use of an unauthorized access device to commit fraud, and aggravated identity theft.
Documents presented in court show that, from June to September 2018, Oyuntur and conspirators abroad targeted various DoD vendors to trick them into accessing phishing pages.
The emails masqueraded as legitimate communications from the US government and directed the targeted individuals to webpages resembling the official website of the General Services Administration (GSA), where they were prompted to supply their login credentials.
The perpetrators were looking to harvest these credentials and then use them to “make changes in the government systems and ultimately divert money to the conspirators,” the US Department of Justice (DoJ) says.
One of Oyuntur’s targets was a corporation that DoD had contracted to supply jet fuel to troops in southeast Asia, and which employed an individual in New Jersey to handle communication with the government.
Oyuntur worked with Hurriyet Arslan, the owner of a used car dealership in Florence, New Jersey, who opened a shell company for use in the scheme, and also opened a bank account for the shell company.
In October 2018, Oyuntur convinced the DoD to transfer $23.5 million into Arslan’s Deal Automotive bank account. Arslan was able to access only some of the money, but one of the miscreants altered a government contract to falsely indicate that the DoD was working with Deal Automotive.
The court documents state that Oyuntur told Arslan to take the fake contract and use it at the bank to explain the provenance of the money, to convince the bank to release the remaining funds.
Oyuntur, who will be sentenced at a later date, faces up to 30 years in prison for the conspiracy and bank fraud counts he was convicted of, up to 10 years in prison for the use of an unauthorized access device to commit fraud, and a statutory mandatory consecutive term of two years in prison for aggravated identity theft. He may also have to pay more than $1 million in fines.
Arslan, who pleaded guilty in January 2020, is scheduled for sentencing on June 21, 2022.