Foreign hackers in a former British colony targeted hundreds of Environmental Protection Agency (EPA) employees in an email phishing scam to steal office supplies with credit cards.
The case was closed in 2014 when a Nigerian man pleaded guilty to buying $1 million worth of office supplies using stolen credit card information from EPA employees, but EPA special agent Al Bailey sat down to discuss the case in a podcast.
“Back in 2012, a fellow law enforcement agency contacted us here at the OIG and said ‘Hey, we’re looking at hundreds of thousands of dollars of office supplies being ordered by employees at the EPA,’” Bailey said in an interview with the inspector general’s office.
“Posing as EPA employees and using EPA employees’ email accounts, the bad guys then sent an email to the vendors, ordering office supplies,” Bailey said, describing how hackers got access to government office supply purchasing sites.
“These office supplies weren’t being shipped to the EPA, though,” Bailey said. “They were being ordered with stolen credit cards. There was a belief that some employees may have been involved in some sort of purchasing scam.”
Starting in 2012, Abiodun Ade-john used phishing emails to lure unsuspecting EPA employees into divulging their personal information. Ade-john used stolen credit cards to buy office supplies, which he sold on the black market. In 2014, he admitted to stealing from EPA.
Phishing scams use fraudulent emails that appear legitimate to trick recipients into giving hackers access to their accounts. Hackers can get personal information, including credit card and Social Security numbers.
EPA isn’t the only agency to be hit with such attacks. Department of the Interior employees were targeted by hackers, according to a 2016 inspector general report. Hackers sent phishing emails to 1,500 Interior Department employees, compromising about 100 of them, according to investigators.
What’s interesting about the EPA attack is it was used to move products in Nigeria’s booming black market for office supplies.
“Well, this country is a former British colony,” Bailey said. “And the British government was very dependent on paper – all their records, decisions, documents needed to be printed out and literally rubber stamped.”
“And, to this day, even though it’s no longer a British colony, this country’s government is still very dependent on paper,” Bailey said. “So, there’s actually a huge market for office supplies, and things like printer cartridges are very pricey. If you can figure out how to get free toner and then re-sell it, you’re making quite a profit.”
Bailey said hackers were able to use the time difference between the U.S. and west Africa to “cover up their tracks, deleting all the emails they sent” before EPA officials could wake up and catch them.
“On top of that, they used credit cards that they had stolen from a completely separate phishing scam, where they sent emails that looked like they came from PayPal or JPMorgan or companies like that to people with Yahoo or Hotmail addresses, asking them to log in to their accounts and verify their credentials,” Bailey said.
“Of course, these were made up log-in pages as well, and that’s how the criminals stole the credit card numbers to pay for these supplies,” Bailey said.