Brian Gutreuter

Hacker's Corner: $100 Million Dollar Hack

Between 2013 and 2015, Facebook and Google paid Quanta Computer 100 million dollars. This is not unusual. What is unusual is that these payments did not go to Quanta Computer in Taiwan, but to a Quanta Computer in Latvia, with bank accounts in Latvia and Cyprus.

 

How could this happen?

 

In court documents the US Department of Justice outlined the activities of Evaldas Rimasauskas, who is from Lithuania, in this way:

 

“Forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, were used in furtherance of the fraudulent scheme orchestrated by Evaldas Rimasauskas, the defendant. Rimasauskas caused these fraudulent documents to be submitted to banks in support of the large volume of funds that were being transmitted via wire transfer into the [Facebook] bank accounts.”

 

What is this?

 

This is BEC (business email compromise), a sophisticated kind of social-engineering email attack that is on the increase. It takes a lot of advanced effort, both in research and in establishing false but authentic-looking documents, business entities, and bank accounts. In this case, for example, the attackers were able to create realistic invoices for products that had been purchased. How could this activity go on undetected for nearly 2 years at a cost of 100 million dollars?

 

BEC attempts to avoid detection by:

 

· Creating personalized emails to specific people
· Not including malware, email links or attachments
· Executing low-volume attacks
· Using a legitimate source or domain
· Sometimes coming from a legitimate email account
· Being engineered to pass DMARC checks

 

In this case Facebook and Google reported they recovered most of the funds, but how much is “most” of 100 million dollars? Mr. Rimasauskas was convicted in federal court in the US and sentenced to 5 years in prison on December 19, 2019, along with restitution and hefty fines.

 

Because this kind of attack is engineered to avoid cybersecurity controls, what could have helped? Stronger financial asset control policies, employee training, and cybersecurity policies that take BEC-style attacks into consideration. For example, if Facebook and Google had a policy that required verification with the vendor and authorizing executive whenever there is a change of banking information, this could have stopped the attack at the first request for payment.
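The banking-change policy described above can be enforced as a gate in the payment workflow that looks only at payment data, so it still fires when the email itself passes every mail check. This is an added example, not code from the original post; the vendor master file, the account strings, the amounts and all function and field names are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bank:
    account: str   # constructed sample value, not a real account
    country: str   # ISO 3166-1 alpha-2 country of the bank

@dataclass(frozen=True)
class Vendor:
    name: str
    country: str
    bank_on_file: Bank   # verified when the vendor was onboarded

@dataclass(frozen=True)
class PaymentRequest:
    payee: str
    amount_usd: int
    bank: Bank
    vendor_confirmed: bool = False     # callback to the contact on file, not one from the invoice
    executive_confirmed: bool = False  # the authorizing executive confirmed the change

# Constructed vendor master file, keyed by normalised name.
VENDORS = {"quanta computer": Vendor("Quanta Computer", "TW", Bank("TW-SAMPLE-0001", "TW"))}

def review_payment(req, vendors=VENDORS):
    """Return (decision, reasons); decision is "release" or "hold"."""
    vendor = vendors.get(req.payee.strip().lower())
    if vendor is None:
        return "hold", ["payee is not in the vendor master file"]
    if req.bank == vendor.bank_on_file:
        return "release", []
    reasons = ["bank details differ from the vendor master file"]
    if req.bank.country != vendor.country:
        reasons.append(f"bank is in {req.bank.country}, vendor is in {vendor.country}")
    if not req.vendor_confirmed:
        reasons.append("change not confirmed with the vendor")
    if not req.executive_confirmed:
        reasons.append("change not confirmed with the authorizing executive")
    verified = req.vendor_confirmed and req.executive_confirmed
    return ("release" if verified else "hold"), reasons

if __name__ == "__main__":
    known = PaymentRequest("Quanta Computer", 250_000, Bank("TW-SAMPLE-0001", "TW"))
    changed = PaymentRequest("Quanta Computer", 250_000, Bank("LV-SAMPLE-9999", "LV"))
    for req in (known, changed):
        print(req.bank.country, review_payment(req))
```

A request that matches the details on file is released; one that names a new account is held until both confirmations are recorded, however authentic the accompanying invoice looks.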

 

The sophistication of attackers today requires a review of your policies to keep your organization safe moving forward.

 
