Naked Security Naked Security

Fake Dell support rep admits to talking US colleges out of $874,000

His victims: UCSD and a Pennsylvania university. He hid out in Kenya for nearly 8 months before being nabbed.

A charlatan who passed himself off as a Dell staffer working in equipment and services support has pleaded guilty to stealing nearly $750,000 from the University of California San Diego (UCSD).

The Justice Department (DOJ) announced on Thursday that Amil Hassan Raage has pleaded guilty to receiving the money as part of a spear-phishing scheme.

On 23 July 2018, UCSD received the spear-phishing email, which posed as a legitimate business communication coming from a for-real Dell email account. The email instructed UCSD to redirect the payments it owed Dell for equipment and services to Raage’s Wells Fargo bank account in Minnesota.

UCSD employees swallowed the hook and did as they were told.

Of course, that was no Dell communique. The email actually came from one of Raage’s criminal buddies in Kenya. Between 8 August through 12 September 2018, UCSD sent Raage 28 payments totaling $749,158 before it found out it had been conned and stopped the payments.

As soon as the money arrived, Raage would withdraw it as cash or transfer it to another account.

It wasn’t just UCSD, though. Raage and his gang did the same thing to another, unnamed university, this one in Pennsylvania. Again using a fake Dell account, they told the university staff to redirect their Dell payments to a bank account in Minnesota, again controlled by Raage.

During January 2018, the Pennsylvania university wired six payments totaling $123,643.77 to Raage’s bank account before the university was alerted to the fraud and stopped payments.

Raage actually skipped town after the bank froze the accounts he used in the UCSD theft. He fled to Kenya on 22 September 2018. That didn’t stop the FBI from tracking him down, though: the FBI’s Legal Attaché in Kenya worked with Kenyan law enforcement and the DOJ’s Office of International Affairs. Kenyan police arrested Raage on 7 May 2019, and extradited him back to the US on 23 May 2019, to face prosecution.

Raage pleaded guilty to conspiracy to commit wire fraud. The crime carries a maximum penalty of 20 years in prison, though maximum penalties are rarely handed out. He’s due to be sentenced by Judge Gonzalo Curiel in San Diego court on 11 October 2019.

US Attorney Robert Brewer said it doesn’t matter that the tools have changed; highway robbery is still highway robbery:

Modern criminals like Raage have ditched the ski mask and getaway vehicle and opted for a computer as their weapon of choice. As this defendant has learned, we are matching wits with new-age thieves and successfully tracking them down and putting an end to their high-tech deception.

Doesn’t matter if crooks flee to Kenya or Kentucky or Kalamazoo, said FBI Special Agent-In-Charge Scott Brunner: the law’s still going to track you down:

As exemplified by this outstanding result, criminals who operate in cyberspace falsely believe themselves to be beyond the reach of law enforcement, but they are sorely mistaken. Our agents will relentlessly pursue justice, aided by our foreign partners. Thank you to the Kenyan National Police and the Office of International Affairs for their invaluable assistance in bringing Mr. Raage before the bar of justice.

What to do if you get scammed?

If you – or your business or organization – has been scammed via email by these type of fraudsters, the DOJ says it’s important to act fast. First, immediately contact your financial institution and get them to contact the financial institution to which they transferred your money.

The faster you act, the less time the crooks have to funnel your money into other accounts, and the better the chances are that you can claw back at least some of it. You might have heard of the North Carolina county that recently got fleeced for $2.5 million in a Business Email Compromise (BEC) scam? The county’s bank managed to freeze $776,518.40 of that: not exactly a happy ending, but better than losing the whole $2.5 million they initially transferred to fraudsters’ accounts.

After you call your bank, call the FBI at 1-800-CALL-FBI. Also, no matter how little or big the loss, file a complaint with the FBI’s Internet Crime Complaint Center (IC3). If you’re in the UK, you can report it to Action Fraud.

Leave a Reply

Your email address will not be published. Required fields are marked *