Phishing Scam Costs U.S. Department of Defense $23.5 Million in Damages
Discover how a $23.5 million phishing scam exploited the DoD’s vendor systems, highlighting the persistent threat phishing attacks pose even to the most secure organizations.
How a Phishing Scam Cost the U.S. Department of Defense $23.5 Million
In a stark reminder of how pervasive phishing is, a 2018 phishing campaign diverted $23.5 million in U.S. Department of Defense (DoD) payments into criminal bank accounts. Led by Sercan Oyuntur and several co-conspirators, the scheme exploited the trust DoD vendors place in routine government communications, exposing weaknesses even in a high-security environment.
In this post, we’ll examine how this phishing attack unfolded, the critical vulnerabilities it revealed, and why phishing attacks remain a primary weapon for cybercriminals.
Cloned Websites and Stolen Credentials
Between June and September 2018, the attackers targeted various DoD vendors with phishing emails that appeared to be government communications. The emails led to a near-identical copy of the General Services Administration (GSA) website, an agency vendors know from its role in supporting federal procurement. Trusting the familiar interface, vendors entered their login credentials without suspicion. One of the compromised vendors was a contractor responsible for supplying jet fuel to U.S. troops in Southeast Asia.
Once the attackers acquired these credentials, they accessed and altered financial systems, redirecting government funds to their accounts. By the end of the attack, they had rerouted $23,453,350 designated for jet fuel purchases into their own bank accounts.
Selecting High-Value Targets: The Sophisticated Approach
What made this attack particularly insidious was the attackers' deliberate choice of targets. They didn't send emails randomly; instead, they specifically targeted vendors with high-value contracts with the DoD. One key target was an employee in New Jersey, responsible for communicating with the government on behalf of their employer, a jet fuel supplier.
The attackers directed their efforts toward users of the System for Award Management (SAM), the database in which government contractors register, including the bank account to which the government sends payment. With a SAM user's stolen credentials, they could edit that vendor's banking details and replace the legitimate account with one under their control. Ultimately, the DoD paid for 10,080,000 gallons of jet fuel into the attackers' account instead of the legitimate vendor's. A change to a vendor's payment details is exactly the kind of event that should trigger out-of-band verification with a known contact before any further payment is released.
Lessons Learned: Persistent Vulnerabilities in High-Security Environments
This attack exposed vulnerabilities that all organizations, including government entities, must take seriously. Here are key lessons that can help fortify defenses against sophisticated phishing schemes:
1. Double-Check Domain Accuracy
The attackers used a look-alike domain, “dia-mil.com,” that at a glance resembles a legitimate DoD domain. The trick is simple: the dot before the top-level domain is replaced with a hyphen, so the agency's .mil suffix becomes part of an ordinary .com name that anyone can register, while genuine DoD addresses end in .mil. It underscores the importance of checking the registrable domain, not just the familiar-looking prefix, when reviewing email addresses and URLs. Phishing simulators can train employees to spot such slight discrepancies, and tracking a phishing risk score over time measures whether that awareness is actually improving.
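As an added example (not code from the original post, from Keepnet, or from any product it mentions), the Python script below applies the domain check from lesson 1 to a handful of constructed From: headers. It goes a little beyond the single trick in this case: besides the hyphen-for-dot substitution, it catches a trusted name used as a subdomain of some other domain, confusable character sequences such as "rn" standing in for "m", and names one edit away from a trusted one. The trusted-domain list (gsa.gov, sam.gov and dla.mil, the Defense Logistics Agency domain included here on the assumption that it is the DoD fuel buyer vendors correspond with) and every sample header are assumptions made for the illustration.

```python
"""Flag look-alike sender domains in email From: headers.

Added example, not code from the original post or from any vendor product.
TRUSTED_DOMAINS and SAMPLE_FROM_HEADERS are constructed for illustration.
"""
import re

# Assumed: domains from which this organisation legitimately receives
# government correspondence. Tune this to the agencies you actually deal with.
TRUSTED_DOMAINS = ("gsa.gov", "sam.gov", "dla.mil")

# Character sequences attackers substitute because they look alike in a mail client.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"))

_ADDR_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def sender_domain(from_header):
    """Domain of the first address in a From: header, lower-cased ('' if none)."""
    m = _ADDR_RE.search(from_header)
    return m.group(1).lower().strip(".") if m else ""


def fold_confusables(s):
    """Rewrite confusable sequences to the character they imitate."""
    for lookalike, real in CONFUSABLES:
        s = s.replace(lookalike, real)
    return s


def levenshtein(a, b):
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _head_tail(form, n):
    """First n labels and last n labels of a domain, joined with dots."""
    labels = form.split(".")
    return ".".join(labels[:n]), ".".join(labels[-n:])


def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain, reason); verdict is trusted/lookalike/unknown."""
    domain = domain.lower().strip(".")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t, "exact")
    # Rewritings that undo the usual imitation tricks, tried in this order.
    forms = (
        ("trusted-name-with-extra-suffix", domain),                 # sam.gov.evil.com
        ("hyphen-for-dot", domain.replace("-", ".")),               # dla-mil.com
        ("confusable-characters", fold_confusables(domain.replace("-", "."))),  # sarn.gov
    )
    for t in trusted:
        n = t.count(".") + 1  # number of labels in the trusted name
        parts = [(reason, _head_tail(form, n)) for reason, form in forms]
        for reason, (head, tail) in parts:
            if t in (head, tail):
                return ("lookalike", t, reason)
        for _, (head, tail) in parts:
            if min(levenshtein(head, t), levenshtein(tail, t)) <= 1:
                return ("lookalike", t, "one-edit-away")
    return ("unknown", "", "")


def scan_from_headers(headers, trusted=TRUSTED_DOMAINS):
    """Classify each From: header; returns (domain, verdict, trusted, reason) per header."""
    results = []
    for h in headers:
        d = sender_domain(h)
        verdict, t, reason = classify_domain(d, trusted) if d else ("unknown", "", "no-address")
        results.append((d, verdict, t, reason))
    return results


# Constructed sample headers (not real mail); the last look-alike is the domain quoted above.
SAMPLE_FROM_HEADERS = [
    "GSA Notifications <noreply@gsa.gov>",
    "SAM Support <help@mail.sam.gov>",
    "Contracting Officer <officer@dla-mil.com>",
    "SAM Registration <renewals@sam.gov.registration-portal.com>",
    "SAM Support <support@sarn.gov>",
    "Vendor Portal <portal@dia-mil.com>",
    "Acme Jet Fuel <ap@acmejetfuel.example>",
]

if __name__ == "__main__":
    for d, verdict, t, reason in scan_from_headers(SAMPLE_FROM_HEADERS):
        print(f"{verdict:9} {d:40} {t:8} {reason}")
```

The one-edit rule is noisy for short names, so gate it with an allowlist of known business partners rather than blocking outright. Apply the same classification to the Reply-To header and to every link in the message body, since a correct From: domain with a look-alike link is just as effective at harvesting credentials.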
2. Implement Two-Factor Authentication (2FA)
Had 2FA been required, stolen login credentials alone would not have been enough to change a vendor's banking details. 2FA adds an essential layer of security by requiring a second form of verification. One caveat: a cloned login page can also relay one-time codes or push prompts to the real site in real time, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or PIV/CAC smart cards, which are bound to the legitimate site's origin and cannot be replayed from a look-alike domain. Strengthen your multi-factor authentication policies accordingly to reduce the risk of compromised accounts.
3. Train Vendors Alongside Internal Teams
Vendor relationships are an extension of any organization’s cybersecurity. Even the most secure organizations are vulnerable when their vendors are unaware of phishing risks. Implement security awareness training for employees and vendors alike to ensure that all parties handling sensitive information are alert to phishing tactics.
4. Adopt AI-Powered Phishing Detection Tools
AI-based security tools can identify phishing patterns, such as similar-looking domains or high-risk login behavior. The Keepnet Human Risk Management Platform offers advanced tools that simulate and detect phishing behaviors, empowering organizations to respond in real time.
Why Phishing Remains a Persistent Threat
Despite advancements in cybersecurity, phishing attacks continue to rise, especially as remote and hybrid workforces create new openings for attackers. The FBI’s Internet Crime Complaint Center (IC3) reported 323,972 phishing complaints in 2021, a significant increase from 241,342 in 2020. This trend indicates the growing reach of phishing attacks.
Many cybersecurity professionals attribute this increase to the ease with which cybercriminals can craft realistic-looking emails, along with the expanded digital landscape. As organizations adopt more online tools and platforms, the challenge of protecting digital assets becomes more complex.
Steps to Safeguard Your Organization Against Phishing
To protect against phishing, organizations need to employ a multi-faceted approach that addresses both technology and human factors:
- Regular Security Awareness Training: Educate all employees on identifying phishing signs, even in emails appearing from trusted sources. Simulated phishing campaigns are an effective way to reinforce training by testing employees in real-world scenarios.
- Strong Authentication Practices: Enforce strong, unique passwords across systems and require 2FA, preferably a phishing-resistant method, for all accounts, especially for vendors and contractors with access to critical information or payment details.
- Secure Vendor Management: Since vendors are a part of your security ecosystem, they should receive the same level of phishing awareness training as your internal team.
- Use of Phishing Detection Tools: Consider investing in threat-intelligence feeds, threat-sharing platforms and mail filtering that flags look-alike sender domains, so that phishing attempts are detected and blocked before they reach employees.
The Takeaway
The 2018 DoD phishing attack highlights the continued need for vigilance, training, and advanced cybersecurity solutions in today’s digital landscape. Phishing is not only a threat to small businesses but also to high-security government entities, demonstrating that no organization is immune. By strengthening security awareness among all stakeholders and leveraging the right technology, organizations can better defend against increasingly sophisticated phishing attacks.
Editor’s note: This blog was updated November 8, 2024