
Facebook and Google were conned out of $100M in phishing scheme - mattmanser
https://www.theguardian.com/technology/2017/apr/28/facebook-google-conned-100m-phishing-scheme
======
beastcoast
I used to do Accounts Payable for a large tech company. Any invoice >$5,000
had to be matched to a PO. POs had to be approved by an appropriate level.
Payment information was maintained by a separate team and POs were linked to
that payee. Nearly all payments were done via ACH; we actively discouraged
wire transfers wherever possible by charging ridiculous fees. The payment
process itself was also audited daily by the payments team. We also had an
entire org of finance people responsible for controllership. This fraud would
have been hard, though not impossible, to pull off in this system.

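The controls in the comment above (PO matching over a threshold, approval levels, payee banking details held by a separate team, wires discouraged) can be run as an automated intake check rather than left to whoever opens the mail. The following is an added example written for this page, not code from any commenter or company; the threshold, approval limits, record layouts and vendor/PO identifiers are constructed assumptions. The third sample invoice is shaped like the fraud in the article: it references a real PO and a real vendor, but asks for a wire to an account that is not in the vendor master.

```python
"""Added example: automated invoice-intake review modelled on the AP controls
described in the thread. All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PO_REQUIRED_ABOVE = 5_000.00  # assumption: invoices above this must match an approved PO
# Assumption: maximum PO value each approver role may sign off.
APPROVAL_LIMITS = {"manager": 25_000.00, "director": 250_000.00, "vp": float("inf")}


@dataclass(frozen=True)
class PurchaseOrder:
    number: str
    vendor_id: str
    amount: float
    approver_role: str


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    vendor_id: str
    amount: float
    po_number: Optional[str]
    payment_method: str     # "ach" or "wire"
    remit_to_account: str   # whatever account is printed on the invoice


# Vendor master (constructed): maintained by a separate team; it is the ONLY
# source of payee banking details the payment run will ever use.
VENDOR_MASTER = {"V-100": {"name": "Example Supplier Ltd (constructed)", "account": "ACH-111"}}

PURCHASE_ORDERS: Dict[str, PurchaseOrder] = {
    "PO-1": PurchaseOrder("PO-1", "V-100", 12_000.00, "manager"),
    "PO-2": PurchaseOrder("PO-2", "V-100", 98_000.00, "manager"),  # approved too low
}


def review_invoice(inv: Invoice, pos: Dict[str, PurchaseOrder],
                   vendor_master: Dict[str, dict]) -> List[str]:
    """Return a list of control failures; an empty list means the invoice may proceed."""
    findings: List[str] = []
    vendor = vendor_master.get(inv.vendor_id)
    if vendor is None:
        return ["unknown vendor"]

    if inv.amount > PO_REQUIRED_ABOVE:
        po = pos.get(inv.po_number) if inv.po_number else None
        if po is None:
            findings.append("no matching PO")
        else:
            if po.vendor_id != inv.vendor_id:
                findings.append("PO issued to a different vendor")
            if inv.amount > po.amount:
                findings.append("invoice exceeds PO amount")
            if po.amount > APPROVAL_LIMITS.get(po.approver_role, 0.0):
                findings.append("PO approver below required level")

    # The invoice's remit-to line is checked against the master but never used for payment.
    if inv.remit_to_account != vendor["account"]:
        findings.append("remit-to account differs from vendor master")
    if inv.payment_method == "wire":
        findings.append("wire transfer requested; hold for manual review")
    return findings


def payee_for(inv: Invoice, vendor_master: Dict[str, dict]) -> str:
    """The payment run pays the vendor-master account, not the one on the paper."""
    return vendor_master[inv.vendor_id]["account"]


SAMPLE_INVOICES = [
    Invoice("INV-1", "V-100", 12_000.00, "PO-1", "ach", "ACH-111"),   # clean
    Invoice("INV-2", "V-100", 400.00, None, "ach", "ACH-111"),        # small, no PO needed
    Invoice("INV-3", "V-100", 98_000.00, "PO-2", "wire", "WIRE-999"), # fraud-shaped
]


def run_samples() -> Dict[str, List[str]]:
    return {inv.invoice_id: review_invoice(inv, PURCHASE_ORDERS, VENDOR_MASTER)
            for inv in SAMPLE_INVOICES}


if __name__ == "__main__":
    for invoice_id, findings in run_samples().items():
        print(invoice_id, "OK" if not findings else findings)
```

The point of `payee_for` is the one beastcoast makes about a separate payee team: even if every other check were fooled, the fraudulent account never enters the payment file because remit-to data on the invoice is never trusted as input.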
~~~
acchow
Public key cryptography of any sort would also probably help here. PGP keys on
their website, Facebook page, annual report?

Blockchain?

~~~
0x0
Blockchain would be WORSE because you have much less of a shot at reversing
and recovering the fraudulent transactions.

~~~
at-fates-hands
True, but can't you still trace the transactions as they are processed or
converted into real cash?

~~~
nols
Bitcoin tumblers obfuscate the trail

~~~
ribosometronome
Tumbling $100 million seems slightly painful.

------
mpeg
A guy I used to work with emailed the CEO of our company, a certain cloud
software shop with thousands of employees, asking for the company to buy him a
plane.

There was some more to it, about using it to participate on a competition
representing the company, but it was absolutely ridiculous.

Instead of the email getting filtered out right away, the story goes that it
rolled downhill through several layers of management, and apparently, people
were asking each other "who is this guy? do we need to buy him a plane?"

~~~
planteen
What? So he was an actual employee and wasn't phishing or committing fraud? And
asked the company to buy him an airplane?

~~~
cosmie
Sounds like they knew he wasn't an employee. What they _didn't_ know was if
he was associated with some high profile account and whether an employee
(generally in sales or marketing) had inadvertently signed up the company to
sponsor the guy in that competition.

Better to check internally (and chew out your employee for overpromising if
needed) than to accidentally jeopardize a large account by calling the guy a
fraud or ignoring him and it turning out to be true.

~~~
mpeg
He was an employee

------
user5994461
Stealing the money => 10% of the work.

Laundering the money and not getting caught => 90% of the work.

The dude made a big fraud and got caught in 5 minutes. That's amateur hour.

~~~
lucasmullens
Sure, but when 'big' is $100M, I wouldn't really call that amateur.

~~~
astrodust
It's amateur hour. There's a sort of paradox: It's actually easier to steal a
lot _more_ money. The problem is that draws exponentially more attention and
the likelihood of getting caught grows to the point where it's pretty much
guaranteed.

If they'd done $1M nobody would have heard about it, nobody would bother
investigating too thoroughly, and they'd just shrug and move on.

The "pro" thing to do is to take your $1M and _walk away_ even though you know
there's more money at that tap.

There's a lot of casino cheats that talk about their craft. The good ones work
extra hard to give the constant illusion of losing money which helps them win
a little bit more without drawing too much attention. There's a whole art to
knowing where the line is and not crossing it, flying completely under the
radar.

That's what professionals do.

~~~
cityhall
The real professionals are the ones who don't talk about it.

------
josu
This does not sound like phishing to me. It's not like they mistakenly gave
their banking credentials away.

~~~
ballenf
Agreed. This scam originated long before the internet existed. Businesses have
long been warned to watch out for fake invoices. They're usually for office
supplies and <$500, but the scam is very old.

A common variation on the theme is where they actually ship some low value
item, wait just long enough for UCC return rights to expire and then send a
ridiculous invoice. If ignored, a threatening follow-up comes that includes
the proof of delivery of the item and late penalty threats. The item was
usually shipped signature-required, so the proof is more intimidating. (If you're
wondering, the law is generally still on your side, but you shouldn't just
ignore the letters and keep the item, even though they will likely give up
anyway.)

------
97262733837373
How would criminals actually get away with this kind of scam? Where do you
hide $100m?

~~~
appetizer
Well the one in the article didn't, so there's your answer?

~~~
hippich
well... unless it was shot in the blue sky - how did someone plan to launder
that much money? I mean such an amount will certainly attract attention from
the local bank, wouldn't it?

~~~
appetizer
right, it was a half baked plan, but it's not impossible. typically you would
want either a corporate account in a country with little accurate banking
information required, and then you would obfuscate the origins with casinos.
(Fake players losing, or simply exchanging large amounts of chips which have
no record of ownership, but this is a nuance because it only needs to happen on
paper)

To get it back to you in large amounts as clean money, you would need to have
another corporation that contracts with the casino or other service provider,
and it is paid with money that is clean for all intents and purposes.

~~~
antjanus
Basically what Bitcoin laundering does: create a bunch of users, route the
money in small transactions a million times, and repeat the process. Except
what you're also suggesting is doing it in a country where that specific
information would be obscured even further.

~~~
appetizer
yeah I didn't want to derail the discussion with cryptocurrency, as it is
better and requires less cooperation between partners.

but the problem here is the name on the bank accounts. even if you wanted to
get to cryptocurrency, you would really want a nominee director on the
corporate bank account, but then you have to trust they don't take the money
(there are plenty of reputable ones though).

if you had that much in cash already then you could buy mining hardware. set
up a solar powered mining farm and get cryptocurrency over the next 6-12
months, then you have the liquidity. if you are interested in national
currency and bigger material things, then you will still need to contract w/ a
crypto-service so that you could report income, but the crypto-service's
funding source would be a deadend for auditors.

There are many reasons to mine at a loss.

------
fjdlwlv
The Guardian is reblogging original content from
[http://fortune.com/2017/04/27/facebook-google-rimasauskas/](http://fortune.com/2017/04/27/facebook-google-rimasauskas/)

Admins, please change the link.

~~~
dpark
Does this actually count as "reblogging"? If an independent news agency writes
a substantial story about something a separate news agency covered first, I
wouldn't think that's reblogging.

------
Waterluvian
I'm very naive to how large sums of money transfer. But couldn't you
presumably do a public and private key share with your suppliers and validate
every transaction request?

I hear about a kind of phishing at my company. It is as primitive as
pretending to be our CEO, who is trying to reconcile an invoice for a supplier.

~~~
noxToken
The last time this came up, the same thing was suggested. Someone brought up
that whoever needed to verify the keys would eventually stop doing so unless
the key verification process could be automated from beginning to end.

The argument was that the person who needed to verify the key wouldn't be
bothered to actually verify. The key would be so commonplace that as long as a
nonsensical string of characters appeared, the verifier would check the box
using the it's-good-enough mentality. The crux is still the same: fool the
human, get the goods.

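The objection above is that a verification step a human performs by eye degrades into "a nonsensical string is present, tick the box". The added example below (written for this page, not code from any commenter) shows what "automated from beginning to end" looks like: the system recomputes the authenticator over the invoice and rejects anything that does not verify, so there is no box for a person to tick. The commenters propose public-key signatures; because Python's standard library has no asymmetric primitive, a per-vendor shared secret and an HMAC-SHA256 tag stand in here as an assumption, and the workflow is identical with a signature (swap the shared key for the vendor's registered public key). The vendor id, key and invoice fields are constructed.

```python
"""Added example: invoice authenticity check that runs end to end with no
human judgement on the tag. HMAC with a per-vendor shared secret is an
assumption standing in for the public-key signatures proposed in the thread."""
import hashlib
import hmac
import json
from typing import Dict, Tuple

# Constructed registry: one secret per vendor, exchanged out of band at onboarding.
VENDOR_KEYS: Dict[str, bytes] = {"V-100": b"constructed-onboarding-secret-for-V-100"}


def canonical(invoice: dict) -> bytes:
    """Stable serialization so sender and receiver authenticate identical bytes."""
    return json.dumps(invoice, sort_keys=True, separators=(",", ":")).encode("utf-8")


def tag_invoice(invoice: dict, key: bytes) -> str:
    """Vendor side: compute the authenticator sent alongside the invoice."""
    return hmac.new(key, canonical(invoice), hashlib.sha256).hexdigest()


def verify_invoice(invoice: dict, tag: str, vendor_keys: Dict[str, bytes]) -> Tuple[bool, str]:
    """Receiver side: a hard accept/reject decision, never a visual check."""
    key = vendor_keys.get(invoice.get("vendor_id", ""))
    if key is None:
        return False, "unknown vendor"
    if not tag:
        return False, "missing tag"
    expected = tag_invoice(invoice, key)
    # Constant-time comparison; a 64-hex-char string that merely looks right fails here.
    if not hmac.compare_digest(expected, tag):
        return False, "tag does not verify"
    return True, "verified"


# Constructed genuine invoice and its tag as the vendor would have produced them.
INVOICE = {"vendor_id": "V-100", "invoice_id": "INV-2017-0001",
           "amount": "98000.00", "remit_to": "ACH-111"}
GENUINE_TAG = tag_invoice(INVOICE, VENDOR_KEYS["V-100"])


def run_samples() -> Dict[str, Tuple[bool, str]]:
    # Impersonator changes only the remit-to account and forwards the original tag.
    tampered = dict(INVOICE, remit_to="WIRE-999")
    return {
        "genuine": verify_invoice(INVOICE, GENUINE_TAG, VENDOR_KEYS),
        "tampered": verify_invoice(tampered, GENUINE_TAG, VENDOR_KEYS),
        "untagged": verify_invoice(INVOICE, "", VENDOR_KEYS),
        # The case noxToken describes: a plausible-looking string a human would wave through.
        "plausible_garbage": verify_invoice(INVOICE, "a" * 64, VENDOR_KEYS),
        "unknown_vendor": verify_invoice(dict(INVOICE, vendor_id="V-999"), GENUINE_TAG, VENDOR_KEYS),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_samples().items():
        print(f"{name:18s} {'ACCEPT' if ok else 'REJECT'}  ({reason})")
```

Because the tag covers the canonical form of every field, changing the remit-to account invalidates it; that is the property the human eyeball check cannot deliver once the string becomes routine.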
~~~
loceng
Well, then you make them personally responsible and liable - likely having a
third-party company who provides the verifier and keeps a close eye on them?
They'd also be liable. That could be a very successful company if you get the
fortune 1000 on board.

~~~
noxToken
You can make me personally liable all you want for the transaction, but if you
think you can recoup $100M from me, good luck.

~~~
loceng
Hence the need to be associated with a larger 3rd party company who'd be
insured + have fortune 1000 clients.

~~~
tatersolid
This is called an escrow company. They've been around for about 500 years.
They're not cheap.

------
peter303
We get fake invoices on the Fax and email all the time. Know your vendors.

------
SA500
Seems like a fairly simple scam. All you would need is an email thread with
relevant invoices and you would be well on the way. Surprised all the money
was recovered after the fact though?

------
r00fus
And this is why automated industry standards like Ariba cXML are valuable - it
allows you to securely automate the bulk of your invoicing (with ties back to
requisition/purchase order chains) and also, more relevant to this discussion,
to force multiple levels of approvals for manual invoicing without a req/PO
chain.

~~~
xrjn
Is Ariba cXML an open standard? In my experience, working with SAP stuff is
incredibly complicated coming from a more traditional development background.

~~~
r00fus
It's open and free [1] as of 1999. It has nothing to do with SAP specifically,
many vendors and enterprise software systems support it.

[1] [http://cxml.org/license.html](http://cxml.org/license.html)

------
jgalt212
So funny, I thought this was another article about Levandowski.

