Nigerian hacker arrested for stealing $7.5M from charities

A Nigerian national was arrested in Ghana and is facing charges related to business email compromise (BEC) attacks that caused a charitable organization in the United States to lose more than $7.5 million.

Olusegun Samson Adejorin was arrested on December 29 on charges of defrauding two charitable organizations, one in Maryland and one in New York, according to an eight-count federal grand jury indictment in the U.S.

Specifically, Adejorin faces charges of wire fraud, aggravated identity theft, and unauthorized access to a protected computer in connection with attacks on the two charitable organizations, which ended in the theft of $7.5 million.

Stealing millions

In an announcement this week, the U.S. Department of Justice (DoJ) says that Adejorin’s fraud scheme ran between June and August 2020 and involved unauthorized access to email accounts as well as impersonation of employees.

Posing as an employee of one charity (Victim 2), Adejorin requested large withdrawals of funds from the other charity (Victim 1), which provided investment services to Victim 2.

Withdrawals over $10,000 required approval from additional employees, so Adejorin used stolen credentials to send the approval emails from those employees' own accounts.

“As part of the scheme, Adejorin also allegedly purchased a credential harvesting tool designed to steal email login credentials, registered spoofed domain names, and concealed the fraudulent emails from a legitimate employee by causing the fraudulent emails to be moved to an inconspicuous location within Employee 1’s mailbox.” – U.S. Department of Justice

Through these actions, Adejorin tricked Victim 1 into transferring $7.5 million to bank accounts he controlled, while the organization believed it was depositing the funds into legitimate Victim 2 bank accounts.

Adejorin faces a maximum penalty of 20 years for wire fraud, five years for unauthorized access to a protected computer, and a mandatory sentence of two years for aggravated identity theft.

The U.S. DoJ announcement also notes that the sentence may be extended by seven years for malicious registration and use of a domain name.

BEC attacks, a category that includes the so-called CEO fraud, can result in significant financial damage. Last summer, a report from the FBI noted that business email compromise had caused billions of U.S. dollars in losses.

Reasonable defenses include multi-factor authentication, which makes stolen passwords alone insufficient for account access; email filtering that detects and blocks phishing attempts and lookalike sender domains; and a verification procedure for wire transfer requests that relies on a secondary communication channel rather than replying to the email itself.

When faced with an unusual request, such as a change of bank account details or an urgent large withdrawal, simply calling the partner on a number agreed in advance (not one taken from the email) to confirm the action can save millions.
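The scheme described above combines two observable artifacts: mail sent from spoofed lookalike domains, and an inbox rule that quietly moves the fraudulent messages out of an employee's view. The following is an added example, not code from the article or the DoJ release, of how a defender could screen for both over exported mail metadata and mailbox-rule audit events. The trusted domain list, folder names, finance keywords, and the shape of the records are assumptions constructed for the example; the sample messages and rule events are likewise constructed.

```python
"""
Added example (not from the article or the DoJ release): two detections for
the BEC pattern described above, run over constructed sample data.

1. Lookalike sender domains: mail claiming to come from a partner is compared
   against the partner's real domain after normalizing common confusables.
2. Hiding rules: inbox rules that divert finance-related mail into an unusual
   folder, or delete it, are flagged.

Trusted domains, folder names, keywords and the record fields below are
assumptions chosen for the example, not fields from a specific mail platform.
"""
import re
from typing import Optional

# Real partner domains the organization expects approval/wire mail from (assumed).
TRUSTED_DOMAINS = {"victim2-charity.org", "victim1-investments.com"}

# Digits attackers substitute to build visually similar domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Folders legitimate users rarely route finance mail into (assumed list).
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "junk email",
                  "deleted items", "conversation history", "notes"}
FINANCE_WORDS = re.compile(r"\b(wire|withdrawal|invoice|payment|approve|bank)\b", re.I)


def _normalize(domain: str) -> str:
    """Lower-case, map digit confusables, and collapse 'rn'->'m', 'vv'->'w'."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str) -> Optional[str]:
    """Return the trusted domain that `sender_domain` impersonates, or None.

    A trusted domain itself is never a lookalike. Any other domain is flagged
    if, after confusable normalization, it is within one edit of a trusted
    domain (added hyphen, swapped letter) or shares its name under another TLD.
    """
    if sender_domain.lower() in TRUSTED_DOMAINS:
        return None
    cand = _normalize(sender_domain)
    for trusted in TRUSTED_DOMAINS:
        t = _normalize(trusted)
        if cand == t or _edit_distance(cand, t) <= 1:
            return trusted
        # Same name, different TLD: victim2-charity.com vs victim2-charity.org
        if cand.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]:
            return trusted
    return None


def is_hiding_rule(event: dict) -> bool:
    """Flag an inbox-rule creation that diverts finance-related mail out of view.

    `event` is a constructed record: actor, action, conditions (the text the
    rule matches on), move_to (folder name or None) and delete (bool).
    "New-InboxRule" is used as the action name; the rest of the shape is assumed.
    """
    if event.get("action") != "New-InboxRule":
        return False
    targets_finance = bool(FINANCE_WORDS.search(event.get("conditions", "")))
    hidden = event.get("delete") or (event.get("move_to") or "").lower() in HIDING_FOLDERS
    return targets_finance and bool(hidden)


def triage(messages: list, rule_events: list) -> list:
    """Run both checks and return human-readable findings for an analyst."""
    findings = []
    for m in messages:
        domain = m["from"].rsplit("@", 1)[-1]
        impersonated = lookalike_of(domain)
        if impersonated:
            findings.append(f"lookalike sender {m['from']} impersonates {impersonated}: {m['subject']}")
    for e in rule_events:
        if is_hiding_rule(e):
            where = "deleted" if e.get("delete") else e.get("move_to")
            findings.append(f"hiding rule in {e['actor']} mailbox: '{e['conditions']}' -> {where}")
    return findings


# Constructed sample input modelled on the scheme in the article.
SAMPLE_MESSAGES = [
    {"from": "cfo@victim2-charity.org", "subject": "Q2 statement"},            # legitimate
    {"from": "cfo@victirn2-charity.org", "subject": "Urgent withdrawal"},      # 'rn' for 'm'
    {"from": "approver@victim2charity.org", "subject": "Approval for wire"},   # dropped hyphen
    {"from": "news@unrelated-vendor.example", "subject": "Newsletter"},        # unrelated
]
SAMPLE_RULE_EVENTS = [
    {"actor": "employee1@victim1-investments.com", "action": "New-InboxRule",
     "conditions": "subject contains 'wire' or 'withdrawal'",
     "move_to": "RSS Subscriptions", "delete": False},                         # hides approvals
    {"actor": "employee1@victim1-investments.com", "action": "New-InboxRule",
     "conditions": "from newsletters", "move_to": "Newsletters", "delete": False},  # benign
]

if __name__ == "__main__":
    for line in triage(SAMPLE_MESSAGES, SAMPLE_RULE_EVENTS):
        print(line)
```

The lookalike check deliberately normalizes before comparing, so a domain that differs only by a confusable character is treated as identical to the real one rather than merely close to it; the rule check pairs folder destination with content, because moving newsletters to an odd folder is normal while moving anything that mentions wires or withdrawals is not.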

Source: www.bleepingcomputer.com