
Two major US technology firms 'tricked out of $100M' - RijilV
http://www.bbc.co.uk/news/technology-39351215
======
tyingq
More detail here: [https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested...](https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested-theft-over-100-million-fraudulent-email-compromise-scheme)
There's a download link for the actual indictment as well.

He registered a company with a name very similar to an existing, legitimate
computer hardware manufacturer. Then targeted companies that already had a
relationship and already regularly paid invoices to the company with the
similar name.

It mentions the victims were "multinational internet companies". The
indictment goes farther, saying:

 _"Victim-1 was a multinational technology company, specializing in
Internet-related services and products, with headquarters in the United
States"_

and

 _"Victim-2 was a multinational corporation providing online social media and
networking services, with headquarters in the United States"_

Edit: It mentions that both victims already regularly paid multi-million
dollar invoices to the computer hardware company being impersonated. So, if
you're trying to guess who the victims are, they are large enough that they
run on their own purchased hardware, in fairly large quantities.

~~~
cylinder
I'm surprised he was this clever but didn't think to flee Lithuania and hide
the money somewhere else.

~~~
ldev
He thought that no one would bother to look for him in Lithuania; too bad
Lithuania is a member of the EU and not a forgotten nook.

~~~
jacquesm
Lots of Europeans would not know that Lithuania is part of the EU (and in
Schengen too); lots of Europeans would not be able to point to it on a map.

Estonia, Latvia and Lithuania are amongst the least known countries in the EU.

Hiding in Lithuania is silly because yes, it is part of the EU and no, it is
not so large that you could disappear into the background.

What I'm surprised about is that the two companies paid their invoices without
matching purchase orders, and that for amounts that large there was no
extended verification process in place requiring at least two signatures and a
destination account number check.

The majority of fraud like this goes the other way: small amounts, just enough
to be interesting and small enough not to go over the discretionary spending
limits, sent to tens of thousands of companies.
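
The controls this thread keeps circling back to (tyingq's point about a
lookalike company name, jacquesm's destination account number check and
two-signature rule) can be expressed as a payment release gate. The following
is added example code, not anything from the indictment or the companies
involved; the vendor master file, the IBANs, the invoices and the approval
threshold are all constructed sample values.

```python
"""Invoice release gate: lookalike vendor names, account-number check and
dual approval. Example code; all vendor records and invoices are constructed."""
from dataclasses import dataclass, field
from difflib import SequenceMatcher
import re

# Constructed vendor master file: the only accounts money may be released to.
VENDOR_MASTER = {
    "northwind-server-hardware": {
        "display": "Northwind Server Hardware Inc",
        "iban": "LT00SAMPLEACCT0001",  # placeholder, not a real account
    },
}
DUAL_APPROVAL_THRESHOLD = 50_000.00  # assumed policy value
LEGAL_SUFFIXES = {"inc", "ltd", "llc", "uab", "co", "corp", "corporation", "company"}


def normalize_name(name: str) -> str:
    """Lower-case, drop punctuation and legal suffixes, so 'Foo Inc' and
    'Foo UAB' compare as the same trading name."""
    tokens = re.findall(r"[a-z0-9]+", name.lower())
    return "-".join(t for t in tokens if t not in LEGAL_SUFFIXES)


def normalize_iban(iban: str) -> str:
    return iban.replace(" ", "").upper()


@dataclass
class Invoice:
    vendor_name: str
    iban: str
    amount: float
    approvers: tuple = ()  # user ids that signed off on the payment


@dataclass
class Decision:
    release: bool
    findings: list = field(default_factory=list)


def lookalike_vendor(norm_name: str, threshold: float = 0.8):
    """Return the master key that is close to, but not identical to, norm_name."""
    best, score = None, 0.0
    for key in VENDOR_MASTER:
        ratio = SequenceMatcher(None, norm_name, key).ratio()
        if ratio > score:
            best, score = key, ratio
    if best is not None and best != norm_name and score >= threshold:
        return best
    return None


def check_invoice(inv: Invoice) -> Decision:
    """Apply the three controls; any finding blocks automatic release."""
    findings = []
    norm = normalize_name(inv.vendor_name)
    record = VENDOR_MASTER.get(norm)
    if record is None:
        near = lookalike_vendor(norm)
        if near:
            findings.append(
                f"vendor name resembles known vendor "
                f"'{VENDOR_MASTER[near]['display']}' but does not match it"
            )
        else:
            findings.append("vendor not in master file")
        return Decision(False, findings)
    if normalize_iban(inv.iban) != record["iban"]:
        findings.append(
            "destination account differs from vendor master record; "
            "confirm with the vendor out of band before changing the record"
        )
    if inv.amount >= DUAL_APPROVAL_THRESHOLD and len(set(inv.approvers)) < 2:
        findings.append(
            f"amount {inv.amount:,.2f} is at or above the dual-approval "
            f"threshold and has {len(set(inv.approvers))} approver(s)"
        )
    return Decision(release=not findings, findings=findings)


if __name__ == "__main__":
    # Constructed invoices: one legitimate, two shaped like the scheme above.
    for inv in (
        Invoice("Northwind Server Hardware Inc", "LT00 SAMPLE ACCT 0001", 30_000, ("alice",)),
        Invoice("Northwind Server Hardware UAB", "LV00 SAMPLE OTHER 0099", 2_400_000, ("alice", "bob")),
        Invoice("Northwind Servers Hardware Inc", "LT00 SAMPLE ACCT 0001", 900_000, ("alice",)),
    ):
        print(inv.vendor_name, "->", check_invoice(inv))
```

Note that the two spoofing shapes are caught by different rules: a name that
differs only in its legal suffix normalizes to the known vendor and is stopped
by the account-number comparison, while a name that differs in spelling never
matches the master file and is stopped by the lookalike check. Neither rule
needs to be clever; the point is that a changed account number on an otherwise
familiar invoice is treated as a hard stop, not a note for the file.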

------
dopamean
I have a friend whose father is very, very wealthy. He purchases a lot of art
and often actually finalizes the sales by emailing someone who works for him
something to the effect of "please transfer X dollars to Y party for Z piece
of artwork." A few years ago someone got access to his Gmail account in what
appeared to be a mass phishing attack and saw several of these emails in his
sent email folder. The intruder was able to have a few million dollars
successfully transferred to himself. It was several months before it was
noticed and the guy was never caught.

My friend's father now uses two factor auth and has whoever receives those
emails confirm via phone call the next day.

~~~
jeppebemad
Last week I received a similar e-mail from my co-founder, asking me if I could
transfer some money to an account. I found it a little strange, but not enough
to question that it actually had to be done. Since I was headed to the office
anyway, I waited until I got in, and asked him what the money was for.

"What money? What email?"

Turns out the e-mail was sent from a fake gmail account with the name of my
co-founder. Hadn't spotted that the email address was wrong, as it was hidden
in my email client.

I reported the email to Google and sent the scammer a sarcastic reply: "how
many millions do you need?"

The scammers' response? "You're fired"

What a cheeky fraudster! That said, I'm sure he has pulled it off before.
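
The comment above turns on one detail: the client showed a familiar display
name and hid the address behind it. The following is an added example of the
check a mail gateway or client plug-in could run on that header, not code from
the original thread; the internal domain, the contact directory and the three
sample messages are constructed.

```python
"""Display-name spoofing check on the From header of an inbound message.
Example code; the domain, directory and sample messages are constructed."""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-startup.test"  # assumed internal domain

# Constructed directory: display names we trust and the address each belongs to.
KNOWN_CONTACTS = {
    "jonas cofounder": "jonas@example-startup.test",
}


def normalize_name(name: str) -> str:
    return " ".join(name.lower().split())


def classify_sender(raw_message: str) -> dict:
    """Flag a message whose From display name belongs to a known contact but
    whose address does not, or whose Reply-To points somewhere else."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    reasons = []

    # The address the directory says this display name should come from.
    expected = KNOWN_CONTACTS.get(normalize_name(name))
    if expected and addr != expected:
        reasons.append(
            f"display name '{name}' belongs to {expected} "
            f"but the message comes from {addr or '<no address>'}"
        )

    # A diverted Reply-To routes the answer elsewhere even when From looks right.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_addr = reply_addr.lower()
    if reply_addr and reply_addr != addr:
        reasons.append(f"Reply-To {reply_addr} differs from From {addr}")

    # Whether the mail is from outside our domain (useful for an external banner).
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    return {
        "name": name,
        "address": addr,
        "external": domain != OUR_DOMAIN,
        "verdict": "suspicious" if reasons else "ok",
        "reasons": reasons,
    }


# Constructed sample messages; only the headers matter for the check.
SPOOFED = (
    "From: Jonas Cofounder <jonas.cofounder.office@webmail.example>\n"
    "Subject: Quick favour\n\n"
    "Are you in the office today?\n"
)
LEGIT = (
    "From: Jonas Cofounder <jonas@example-startup.test>\n"
    "Subject: Lunch\n\n"
    "Noon?\n"
)
REPLY_TO_DIVERTED = (
    "From: Jonas Cofounder <jonas@example-startup.test>\n"
    "Reply-To: accounts-desk@webmail.example\n"
    "Subject: Invoice\n\n"
    "Please reply with the details.\n"
)

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legit", LEGIT), ("reply-to", REPLY_TO_DIVERTED)):
        print(label, classify_sender(raw))
```

The directory lookup is deliberately keyed on the display name rather than the
address, because the display name is the only part of the header the recipient
actually reads; the address is what the check compares. The `external` flag is
returned separately so a client can show a banner on all outside mail, which
covers senders the directory has never heard of.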

~~~
markdown
Are you in the US?

Don't 'know your customer' laws ensure that no bank account is owned by an
anon?

~~~
objclxt
> Don't 'know your customer' laws ensure that no bank account is owned by an
> anon?

Unless your scammer is really, really stupid, these accounts are in the names
of third-party patsies who are promised some cut or percentage of the amount,
or have been conned into thinking they're helping someone out (usually the
money would then be transferred from that US account to somewhere foreign via
Western Union or the like).

~~~
tim333
Or in the name of some other person who has no idea the account exists. In the
UK you basically need a utility bill and a photocopy of a passport to open an
account which is not that hard to fake.

------
Someone1234
People would legitimately be surprised to learn how low tech
ordering/invoicing/remittances remain in 2017 even for half billion dollar
contracts.

There's very little automation, even EDI is the exception rather than the rule
(particularly for one off orders), most are either still paper, fax, or
insecure email.

Email remains pretty broken. You'll be lucky to get end to end encryption, and
once it arrives it is hard to make assurances that the sender really sent it
(or even the sender's domain).

People have tried to fix email but nothing as ambitious as TLS/HTTPS has been.
And getting people to use a more secure platform built on top of HTTPS is
likely a non-starter...

So what can be done? I legitimately don't know. Even snail mail can be
"hacked" via sending a plausible sounding invoice to the right address at the
right time.

~~~
jerf
"People have tried to fix email but nothing as ambitious as TLS/HTTPS has
been. And getting people to use a more secure platform built on top of HTTPS
is likely a non-starter..."

Makes me wonder if it's time to metaphorically pack it in, and respecify the
SMTP infrastructure on top of HTTP(S), precisely because that seems like the
only way we're going to get cert security with email systems. As long as it's
an optional add-on to SMTP it seems it just isn't going to be added on. (Of
course SMTP wouldn't go anywhere right away; I'm talking about a real process
with transition times and such, not a mystical one where this would one day
replace SMTP in a big bang.)

I mean, there's a _loooot_ of i's to dot and t's to cross betwixt this little
comment and an actual standard, but conceptually it doesn't seem too
difficult. SMTP is a conversational standard, but it seems like we've probably
got enough negotiation tech in HTTP to pull it off in a request/response
manner nowadays.

~~~
Xylakant
> Makes me wonder if it's time to metaphorically pack it in, and respecify the
> SMTP infrastructure on top of HTTP(S), precisely because that seems like the
> only way we're going to get cert security with email systems.

Transport security is not the actual issue. SMTP over TLS has been around for
a while and is fairly well functional. The problem is attaching an identity to
the sender's email. That's what S/MIME and GPG/PGP do, but the actual
real-world problem here is that you need to somehow certify that the sender is
the right person. So you can either have a centralized set of authorities
(S/MIME) or a Web of Trust (GPG/PGP). Neither option actually scales. Some
countries started issuing certificates in their ID cards, but given that other
countries don't even have ID cards, this is obviously not going to fix this
either.

HTTPS has the same problems in principle, but it only needs to certify a
comparatively small number of entities (web servers) as opposed to actual
users.

~~~
jerf
"Transport security is not the actual issue."

From what I hear from security folks, transport security is still an issue.
You can negotiate up to TLS easily in SMTP, as long as you don't care about
certificate validity. But without caring about certificate validity, MITM is
still quite possible.

~~~
Xylakant
Sure, there are still providers that don't offer TLS, but my point is that
fixing TLS doesn't even begin to tackle this actual problem. It's an
orthogonal problem. This issue is about authorization/authentication, not
about transport security/MITM attacks. PGP and S/MIME, even when used for
signing only, will protect against this attack, while even fully deployed TLS
will not.

------
wyc
The funny thing is that these incidents are probably what it takes for those
_particular_ companies to beef up their security culture. Everyone else will
likely keep their heads down: "How asinine of them! This dumb thing could
_never_ happen to us." The truth is that without the right security processes
and culture in place, it could really happen to anyone dealing with
substantial value and overworked mid-level managers, a form of the
principal–agent problem[1].

Security incidents have a stark resemblance to emergency room visits. People
are so hard to sell on prevention, and they end up paying big for an ER visit.

[1]
[https://en.wikipedia.org/wiki/Principal%E2%80%93agent_proble...](https://en.wikipedia.org/wiki/Principal%E2%80%93agent_problem)

------
perlgeek
To me, the surprising thing is that they managed to get the bank transfers
sent to the "correct" fraudulent accounts.

If you send an existing customer another invoice, but with a changed bank
account number, chances are that the money goes to the same bank account as
they used previously. Even if you explicitly add a note about the changed
account number, chances are still very high that they use the old one.

~~~
analogmemory
I freelance and just moved; trying to get accounting departments to send
checks to the correct address is worse than pulling teeth. Even after making
large notes about the address change and emailing them repeatedly. I should
figure out how this guy managed to do it ;)

~~~
sfifs
Honest question: Why would you use cheques instead of bank transfer? Isn't
that cheaper all the way around?

I live in India and practically haven't seen any company use cheques for
payment in the last few years.

~~~
pas
The USA is still big on checks. (Paper trail and all!)

~~~
kawsper
UK too, I was very surprised to see that they have ATMs that can process
checks.

~~~
GordonS
Eh, cheques have been on their way out here for many years now. They are
pretty rare these days.

~~~
kawsper
In some circles maybe. My girlfriend is a pet behaviorist; some of her clients
pay by cheque, and she sees at least 2 every week.

------
DanBC
The important bit of this for HN is that he got these companies to pay by
using their sales order, invoice, payment process, and that process is common
to most companies.

If you have a small or an open source project you're going to struggle to get
companies to pay unless you can fit their process.

This means that it's probably worthwhile offering a "professional" licence.
This grants no extra functionality, but allows the company to put in a sales
order, allows you to deliver something, and allows you to issue an invoice.

------
dboreham
Even more surprising when I consider my own experience getting large
technology corporations to pay my companies money they legitimately owe us!

------
SteveNuts
This happened to Ubiquiti a while back

[https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffe...](https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/)

~~~
drzaiusapelord
> crooks spoof communications from executives at the victim firm in a bid to
> initiate unauthorized international wire transfers.

In other words, simple social engineering. These finance people are scared of
their CEOs and VPs, so they jump at their requests, often skipping the
verification stage because "Bossman will get pissed if I ask him for his
secondary auth. My manager told me I'd be fired if I pissed off bossman
again."

If anything, the companies that get hit by such simple scams deserve to be.
They clearly don't have the corporate culture and accountability to stop a
simple fake money request. Let's stop blaming the technology here and start
blaming the real problem: executive entitlement and the incredibly classist
structures at most companies where the bottom people can't even question the
top people.

This is why these scams work so well. The people in finance are petrified of
questioning an executive. That shouldn't be the case, especially if they claim
to be compliant with various financial and technical regulations and
certification processes. A lot of good HIPAA is when everyone is too scared to
tell a surgeon he can't send patient information that way, or SOX if
accountants are scared of their bosses.

------
leonroy
Ironic: we nearly went under a few times during the early days because our
customers (tier 1 telecoms and financial firms) would drag their heels for
months and months over invoices many magnitudes less than this.

Makes me wonder what's up with the process at these firms - wish we knew
enough to say whether they're the exception or the rule.

~~~
downrightmike
By delaying any and all payments to vendors, you free up cashflow. It is in
the company's best interest to hold off payment as long as they can.

~~~
abraae
Except that you create a toxic environment inside your accounts team, who have
to constantly deal with incoming calls demanding money.

And if you're the kind of organization that makes a process out of paying each
vendor as late as possible (I mean beyond the agreed terms) - which some do -
then you're likely a shitty org in many other ways too.

------
settsu
There is quite a bit that could be mined from this story, but just as a start:

1) The most zealous and persistent phishing awareness campaigns/training I've
encountered have been at large corporations. I can imagine a series of
articles, if not an entire career, based on exploring the psychology of
employees in organizations of varying sizes being influenced by their
perceptions of the stake they feel they hold in the performance of the
organization (i.e., their "ownership") and how much their actions, positive
and negative, might bear notable influence.

Not confident I made my point clear, but the idea being I'm going to think
differently about jumping up and down on a cruise ship vs. a row boat...

2) Putting aside the questionable application of it in this specific case,
"cybercriminal" is an outmoded term that I believe actually undermines the
mundane and routine nature of these crimes. Regardless of magnitude, it imbues
the perpetrator and their activities with some 90s-era aura of mystery and
preternatural skill—an exceptional event executed by exceptional individuals
under exceptional circumstances.

------
6stringmerc
This aligns well with my 2017 Nicholl Fellowship screenplay entry called "Do
Unto Others" where in Act III the protagonists use their insider knowledge of
International Banking and Wire Transfers to clean out the hidden stash of
illicit monies hidden by disgraced Enron executives[1].

To me, plausibility is important in fictional works that reach for meaning or
defined structure, at least where possible. I mean, I love _Hackers_ but of
course groan at scenes inside "The Gibson" and whatnot. This guy actually made
it work - I'm impressed.

[1] [https://www.scriptrevolution.com/scripts/do-unto-others](https://www.scriptrevolution.com/scripts/do-unto-others)

------
wyldfire
I saw speculation on Twitter that it was Google or Apple and Facebook. But to
me, it seems like it could be any of dozens of companies based on "Internet-
related services and products" and "multinational ... online social
media/networking".

See also: affidavit [1]

[1] [https://www.scribd.com/document/342639731/Rimasauskas-Affida...](https://www.scribd.com/document/342639731/Rimasauskas-Affidavit)

~~~
tyingq
They do say that the victims _"regularly conducted multimillion-dollar
transactions"_ with the computer hardware company that was being impersonated.

That does narrow it down to companies in those spaces that run on their own
metal, and significant amounts of it.

~~~
ryanmarsh
Multimillion could be 2 or 10 and as far as running your own metal that's not
really a big purchase relative to your average Fortune 100's IT budget.

~~~
tyingq
The space, though, is more narrow than that. Victim 2, for example, is
specifically a social media company. Can't be that many social media
companies, headquartered in the US, running their own metal, with more than
one multi-million dollar invoice for it in a 2 year period.

How many could that be? I can only think of 3 or 4 contenders.

------
ccvannorman
Stories like this are what give African Princes hope that someday they will
find their Princess.

~~~
mirimir
Could you unpack that a little?

~~~
Strom
The reference is to popular scams where a person contacts you and claims to be
royalty in need of a bit of money.
[https://en.wikipedia.org/wiki/Advance-fee_scam](https://en.wikipedia.org/wiki/Advance-fee_scam)

~~~
mirimir
Doh. Thanks :)

------
kirykl
I would think a simple 2nd factor check, by phone to the actual vendor would
have prevented this. For such large amounts the time involved would be worth
it

~~~
kbart
Try to call an international company with thousands of workers and get
somebody who knows _anything_ on the phone. Also, most workers simply don't
care about a tiny chance of a scam; it's not _their_ money after all.

~~~
manquer
I would think that vendors with large enough contracts will be more than happy
to jump through any hoops if required.

------
tlrobinson
Similar scams have targeted (medium-large, funded) startups as well.

Typically the attacker starts by phishing an employee, then uses information
discovered through that to trick someone else in the company to initiate a
wire.

------
owly
Security is only as good as the weakest link, employees who do not question
legitimacy and authority.

------
mixedbit
Sounds like a story for another "Catch Me If You Can" kind of movie.

------
dangerboysteve
I imagine these types of crimes are very much helped by mining data from
LinkedIn and Facebook.

------
elchief
How do you steal $100M and _not_ get away with it? He had access to the money
for years

~~~
spoiledtechie
He probably became verbose. You always think you would stop after the first
10m, but most folks want to see how far they can take it. I figure after the
first 20m, he was like, I could do this forever! I would have stopped after
the first 10m. They would have never missed the money and it could have turned
into an accounting error.

~~~
nandemo
> You always think you would stop after the first 10m

There's No Desire To Retire If You Love Your Work, or something like that.

------
ryan-c
Anyone have a better guess than "Foxconn" as to who this guy was
impersonating?

------
bvinc
Why didn't he wire it to a Swiss or Cayman Islands bank account?

~~~
ryanlol
Because he didn't know anyone who could create drop accounts for him in those
countries?

