A Nigerian, Charles Onus, has been arrested in connection with a scheme to conduct cyber intrusions into multiple user accounts maintained by a company that provides human resources and payroll services to employers across the United States, in order to steal payroll deposits.
Onus, 34, was arrested on April 14 in San Francisco and detained for his alleged participation in a scheme that stole nearly $1 million by hacking into a payroll processing company’s system to access user accounts and divert payroll to prepaid debit cards he controlled.
“From at least in or about July 2017 through at least in or about 2018, at least approximately 5,500 Company user accounts were compromised and more than approximately $800,000 in payroll funds were fraudulently diverted to prepaid debit cards, including those under the control of ONUS,” allegations filed before Magistrate Judge Sarah L. Cave in Manhattan federal court said.
Assistant United States Attorney Sagar K. Ravi, who is in charge of the prosecution, said that during the course of the scheme, unauthorised access was obtained to over 5,500 company user accounts through a cyber intrusion technique referred to as ‘credential stuffing.’ During a credential stuffing attack, a cyber threat actor collects stolen credentials, or username and password pairs, obtained from other large-scale data breaches of other companies.
The threat actor then systematically attempts to use those stolen credentials to obtain unauthorised access to accounts held by the same user with other companies and providers, to compromise accounts where the user has maintained the same password.
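From the defending company's side, that pattern leaves a recognisable trace in login records: one source trying many different accounts, a few times each and mostly failing, followed by a payroll deposit change on the accounts that did open. The sketch below is an added illustration, not code from the case or the company involved; the event layout, thresholds and addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth/audit events (hypothetical schema):
# (epoch_seconds, source_ip, username, event, success)
EVENTS = [
    (100, "203.0.113.7", "alice", "login", False),
    (101, "203.0.113.7", "bob", "login", False),
    (102, "203.0.113.7", "carol", "login", True),
    (103, "203.0.113.7", "dave", "login", False),
    (104, "203.0.113.7", "erin", "login", False),
    (105, "203.0.113.7", "frank", "login", True),
    (160, "203.0.113.7", "carol", "deposit_change", True),
    # One user mistyping a password: many tries, a single account.
    (200, "198.51.100.4", "gina", "login", False),
    (201, "198.51.100.4", "gina", "login", False),
    (202, "198.51.100.4", "gina", "login", True),
    (300, "198.51.100.4", "gina", "deposit_change", True),
]

def stuffing_sources(events, min_users=5, max_tries_per_user=2.0, min_fail_rate=0.5):
    """Sources that try many distinct accounts, few times each, mostly failing."""
    tries = defaultdict(lambda: defaultdict(int))
    fails = defaultdict(int)
    for _, src, user, kind, ok in events:
        if kind == "login":
            tries[src][user] += 1
            fails[src] += 0 if ok else 1
    flagged = set()
    for src, per_user in tries.items():
        total = sum(per_user.values())
        if (len(per_user) >= min_users
                and total / len(per_user) <= max_tries_per_user
                and fails[src] / total >= min_fail_rate):
            flagged.add(src)
    return flagged

def deposit_changes_to_review(events, window=3600):
    """Deposit changes made within `window` seconds of a successful login
    from a flagged source, plus every account that source got into."""
    bad = stuffing_sources(events)
    hit = {}  # username -> time of successful login from a flagged source
    out = []
    for ts, src, user, kind, ok in sorted(events):
        if kind == "login" and ok and src in bad:
            hit[user] = ts
        elif kind == "deposit_change" and user in hit and ts - hit[user] <= window:
            out.append((user, ts))
    return out, sorted(hit)
```

The second function also returns accounts that were opened but not yet altered, since those need a password reset before any deposit change is attempted.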
“Cyber intrusions ripple through everything our society relies upon – this one impacted people’s paychecks. The FBI’s goal is to prevent cyber criminals from causing harm and holding them accountable, but we can’t do it alone,” Federal Bureau of Investigation Assistant Director William Sweeney said on Wednesday.
Sweeney advised companies to continuously improve their cyber hygiene and awareness and take steps, such as training of their workforce, to defend the US from cyberattacks.
For his part, Jonathan Larsen, Special Agent in Charge of the New York Field Office of the Internal Revenue Service Criminal Investigation (IRS-CI), said his office would always work with law enforcement partners to track down those trying to breach the country’s tax and financial infrastructure.
“We will continually endeavor to bring to justice criminals who think they can comfortably steal from victims in America while hiding behind their computer screens,” he added.
Onus was charged with one count of computer fraud for causing damage to a protected computer, which carries a maximum sentence of 10 years in prison, and one count of computer fraud for unauthorised access to a protected computer to further intended fraud.
He was also charged with one count of receipt of stolen money, each of which carries a maximum sentence of five years in prison; one count of wire fraud, which carries a maximum sentence of 20 years in prison; and one count of aggravated identity theft, which carries a mandatory sentence of two years in prison to be served consecutively with any other sentence imposed.