U.S. Seizes Domain Names Used in Spear-Phishing Campaign With Mimicked @USAID Emails

13 Going on 14 — GFM: https://gofund.me/32671a27


Via USDOJ:
Justice Department Announces Court-Authorized Seizure of Domain Names Used in Furtherance of Spear-Phishing Campaign Posing as U.S. Agency for International Development

On or about May 25, malicious actors commenced a wide-scale spear-phishing campaign leveraging a compromised USAID account at an identified mass email marketing company. Specifically, the compromised account was used to send spear-phishing emails, purporting to be from USAID email accounts and containing a “special alert,” to thousands of email accounts at over one hundred entities.

Upon a recipient clicking on a spear-phishing email’s hyperlink, the victim computer was directed to download malware from a sub-domain of theyardservice[.]com. Using that initial foothold, the actors then downloaded the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network. The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order.
[…]
On May 28, pursuant to court orders issued in the Eastern District of Virginia, the United States seized two command-and-control (C2) and malware distribution domains used in recent spear-phishing activity that mimicked email communications from the U.S. Agency for International Development (USAID). This malicious activity was the subject of a May 27 Microsoft security alert, titled “New sophisticated email-based attack from Nobelium,” and a May 28 FBI and Cybersecurity and Infrastructure Security Agency joint cybersecurity advisory.

The Department’s seizure of the two domains was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims. However, the actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures.
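The release gives defenders two concrete indicators, theyardservice[.]com and worldhomeoutlet[.]com, and says the payload download and the Cobalt Strike C2 used subdomains of the first one, so a check that only looks for the bare apex names will miss most of the traffic. The following is an added example, not code from the DOJ or from the Microsoft or CISA advisories: a small Python IOC matcher that refangs the published indicators, matches hostnames on label boundaries (so a lookalike such as nottheyardservice.com does not fire), and runs over DNS and proxy log lines. The log format and the subdomain labels (sub1, sub2) are constructed for the example; the only real indicators are the two seized domains.

```python
"""
Added example (not from the DOJ release): hunt DNS/proxy logs for the two
seized Nobelium domains, including any subdomain of them, since the
release states that both the malware download and the Cobalt Strike C2
used subdomains of theyardservice[.]com.
"""
import re
from typing import Iterable, List, Optional, Tuple

# The two domains named in the DOJ seizure notice, as published (defanged).
SEIZED_DOMAINS_DEFANGED = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxps://...') into a real hostname."""
    d = indicator.strip().lower()
    for bracket in ("[.]", "(.)", "{.}"):
        d = d.replace(bracket, ".")
    d = re.sub(r"^hxxps?://", "", d)
    return d.rstrip(".")


SEIZED_DOMAINS = [refang(d) for d in SEIZED_DOMAINS_DEFANGED]


def matches_ioc(hostname: str, iocs: Iterable[str] = SEIZED_DOMAINS) -> Optional[str]:
    """Return the IOC that hostname equals or is a subdomain of, else None.

    The comparison is done on label boundaries ('.' + ioc), so
    'nottheyardservice.com' is not treated as a hit.
    """
    h = refang(hostname)
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


# Rough hostname extractor: dot-separated labels ending in an alphabetic TLD.
HOST_RE = re.compile(r"(?i)\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


def hunt(log_lines: Iterable[str], iocs: Iterable[str] = SEIZED_DOMAINS) -> List[Tuple[int, str, str]]:
    """Scan log lines and return (line_number, hostname, matched_ioc) for each hit."""
    iocs = list(iocs)
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(log_lines, 1):
        for host in HOST_RE.findall(line):
            ioc = matches_ioc(host, iocs)
            if ioc:
                hits.append((n, host.lower(), ioc))
                break  # one hit per line is enough for triage
    return hits


# Constructed sample log lines (not real telemetry). The subdomain labels
# sub1/sub2 are placeholders, not the actual subdomains used by the actors.
SAMPLE_LOG = [
    "2021-05-25T14:02:11Z dns client=10.1.2.3 qname=sub1.theyardservice.com qtype=A",
    "2021-05-25T14:02:12Z proxy client=10.1.2.3 GET https://sub1.theyardservice.com/ status=200",
    "2021-05-25T14:09:40Z dns client=10.1.2.3 qname=sub2.theyardservice.com qtype=A",
    "2021-05-26T03:15:02Z dns client=10.1.2.7 qname=worldhomeoutlet.com qtype=A",
    "2021-05-26T03:15:03Z dns client=10.1.2.9 qname=nottheyardservice.com qtype=A",
    "2021-05-26T03:16:00Z proxy client=10.1.2.9 GET https://www.example.org/ status=200",
]

if __name__ == "__main__":
    for line_no, host, ioc in hunt(SAMPLE_LOG):
        print(f"line {line_no}: {host} -> matches seized domain {ioc}")
```

Two practical caveats follow from the release itself. Because the domains were seized on May 28, the resolutions that matter are the historical ones from the spear-phishing window around May 25 onward, so this should be run over retained DNS and proxy logs rather than live traffic. And a hit only identifies a host that touched the initial payload or C2 infrastructure; as the Department notes, the actors may have planted additional backdoors in the meantime, so a match is a trigger for host forensics, not a complete scope of the intrusion.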


SDNY Charges @StateDept Contractor in Multimillion-Dollar Fraud Schemes, Then There’s “Insider-1” at OBO


On May 28, 2021, USDOJ/Southern District of New York announced the arrest of SINA MOAYEDI, the owner of a construction company, on charges of wire fraud, conspiracy to commit wire fraud, and one count of bribery of a public official. According to the announcement, “Sina Moayedi allegedly paid lucrative bribes to a State Department insider in exchange for confidential bidding information, and fraudulently induced the State Department to pay his company approximately $100 million.” Excerpt from the announcement:

Manhattan U.S. Attorney Audrey Strauss said:  “As alleged, Sina Moayedi made misrepresentations about his employees’ qualifications and his company’s ownership in order to induce the State Department into awarding approximately $100 million in lucrative construction contracts to Moayedi’s company, Montage, Inc.  Moayedi also allegedly cultivated a State Department insider, and paid the insider lucrative bribes in exchange for confidential State Department bidding information.  Moayedi must now be held accountable for his alleged brazen fraud on the government.”

Special Agent in Charge Michael Speckhardt said:  “As alleged, the defendant’s scheme to undermine the Department’s procurement process for personal gain caught up with him today and he will now be held accountable.  His alleged actions not only hurt other legitimate businesses competing for awards, but also damage the public’s trust in the effective and efficient utilization of taxpayer money.”

According to allegations in the Complaint[1]:

Montage, Inc. (“Montage”) is a U.S.-based business that is primarily involved in worldwide Government construction projects, including embassies, military posts, consulates, and similar overseas properties owned and operated by the United States Government.  Montage has performed over $220 million in contracting work for the U.S. Government, including for the Department of Defense, the Department of Justice/Federal Bureau of Investigation, the State Department, the Department of the Interior, the Department of Agriculture, the National Aeronautics and Space Administration (“NASA”), the Equal Employment Opportunity Commission (“EEOC”), and the Department of Veterans Affairs.  Since 2014, Montage appears to have focused primarily on competing for and obtaining contracts with the State Department.  During that period, the State Department has awarded Montage approximately six overseas U.S. Embassy/Consulate construction project contracts totaling $100 million, in locales such as Ecuador, Spain, Sudan, the Czech Republic, and Bermuda.  The founder of Montage is SINA MOAYEDI.

Montage engaged in at least two fraud schemes.  The first scheme alleges that, from approximately 2014 to September 2020, MOAYEDI and Montage lied that it was a female-owned business in order to secure unmerited advantages in the bidding process.  By way of context, it is advantageous to a company, when bidding for federal government contracts, to be majority-owned by an individual from a socially or economically disadvantaged community.  In fact, certain contracts (or portions of contracts) are “set aside” for – i.e., only available to – such companies.  MOAYEDI and Montage repeatedly represented falsely in submissions to the State Department that Montage was female-owned, or female-owned and minority-owned, in order falsely to induce the State Department to award Montage lucrative construction contracts.  In actuality, MOAYEDI repeatedly lied about Montage being a female-owned business, and indeed, MOAYEDI controls Montage and makes all material decisions on Montage’s behalf.  As MOAYEDI revealed to a bank that inquired about Montage’s ownership status, “I am the sole owner and president of Montage and have always been.”  Montage and MOAYEDI also repeatedly misrepresented, and significantly overstated, the qualifications of Montage employees.  MOAYEDI made these misrepresentations in order to, among other things, meet State Department and contractual requirements for minimum experience in certain key positions.

The second scheme charged in the Complaint is a bribery scheme during at least 2016 and 2017.  Insider-1 is employed in the State Department’s Overseas Building Operations (“OBO”), which, according to OBO’s website, “directs the worldwide overseas building program for the Department of State and the U.S. Government community serving abroad.”  Specifically, Insider-1 works for the State Department’s OBO Project Development and Coordination Division, European division.  
[…]
MOAYEDI, 66, of Chevy Chase, Maryland, is charged with one count of wire fraud, and one count of conspiracy to commit wire fraud, each of which carries a maximum potential prison sentence of 20 years, and one count of bribery of a public official, which carries a maximum potential prison sentence of 15 years.  
[…]
[1] As the introductory phrase signifies, the entirety of the text of the Complaint and the description of the Complaint set forth below constitute only allegations, and every fact described should be treated as an allegation.

Download U.S. v Sina Moayedi complaint (21 mag 5598).pdf
Excerpt from complaint:

15. Based on my review of State Department records, I am aware that between approximately 2014 and 2017, Montage was awarded six U.S. embassy/consulate construction projects with the State Department, worth a total of approximately $100 million.
[…]
26. Based on information derived from witness interviews, I reviewed resumes submitted by Montage for various State Department projects. Department requirements referenced in the contract specify certain levels of experience in order to serve as “key personnel” (i.e., personnel whom the State Department has deemed critical to the safe, successful, and timely completion of a project).
[…]
In the course of my review, I identified numerous deficiencies regarding the resumes of key personnel submitted to the State Department for the Guayaquil, Ecuador project.

a. For example, Montage submitted an individual for the key role of Project Controls Engineer and Site Health Project Manager. In the claimed experience for this individual, it stated that he was employed at Montage since 2008 and had “inspected emergency egress and life/safety issues” and conducted “inspections of asbestos containment.” In fact, this individual had only been employed at Montage for approximately one year, and served in an office staff capacity, performing none of those duties.
[…]
[O]ne Montage employee’s resume claimed that he had earned a bachelor’s Degree in Civil Engineering and also claimed years of full-time complex work in the construction field in various capacities over several years. Neither representation was true. In fact, this individual testified at a deposition that they did not graduate; and this individual’s SF-86 security clearance application noted that this individual had actually sold meat as a door-to-door salesman, was a landscaper, and built swimming pools for several years during the period that they had claimed years of full-time complex work in the construction field.
[…]
39. I am aware, from my personal participation, that a judicially authorized search warrant was executed at the residence of Insider-1, on or about May 20, 2021. On that date, Insider-1 was informed, in substance, that she was not in custody, she was free to go, and she was not required to speak with law enforcement agents. She then participated in a voluntary interview with myself and an SDNY Special Agent on her back porch, and she made the following statements, in substance and part:

a. At first, Insider-1 claimed to have sold a large green rug to SINA MOAYEDI, the defendant, for about $60,000, but she said that the payment for the rug came from MOAYEDI’s friend.

Read more here.
The Daily Beast has identified the OBO insider in their May 27 report as well as provided the link to the Salehi Search Warrant; she has not been charged.
The document is 145 pages, the allegations span many years, and the government appears to be looking at multiple embassy projects. The project in Guayaquil, Ecuador, gets top mention. The search warrant executed includes “Records and information relating to forged submittals for the Guayaquil Consulate Project in Ecuador, and other State Department or other Government construction projects” and “Records and information that constitute evidence concerning persons who either (i) collaborated, conspired, or assisted (knowingly or unknowingly) the commission of the criminal activity under investigation; or (ii) communicated with MOAYEDI or other MONTAGE employees about matters relating to the criminal activity under investigation, including records that help reveal their whereabouts.”

###

@StateDept on Pride Month: Recognition, Advance LGBTQI+ Rights, Fly the #Pride Flag