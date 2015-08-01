Hacker News new | comments | show | ask | jobs | submit login
Two major US technology firms 'tricked out of $100M' (bbc.co.uk)
More detail here: https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested... There's a download link for the actual indictment as well.

He registered a company with a name very similar to an existing, legitimate computer hardware manufacturer. Then targeted companies that already had a relationship and already regularly paid invoices to the company with the similar name.

It mentions the victims were "multinational internet companies". The indictment goes farther, saying:

"Victim-1 was a multinational technology company, specializing in Internet-related services and products, with headquarters in the United States"

and

"Victim-2 was a multinational corporation providing online social media and networking services, with headquarters in the United States"

Edit: It mentions that both victims already regularly paid multi-million dollar invoices to the computer hardware company being impersonated. So, if you're trying to guess who the victims are, they are large enough that they run on their own purchased hardware, in fairly large quantities.

Thank you. I was really frustrated reading the article of this post as it was very vague about the actual scam.

I'm surprised he was this clever but didn't think to flee Lithuania and hide the money somewhere else.

He thought that no one would bother to look for him in Lithuania, too bad Lithuania is a member of EU and not forgotten nook.

To me, the surprising thing is that they managed to get the bank transferred to the "correct" fraudulent accounts.

If you send an existing customer another invoice, but with a changed bank account number, chances are that the money goes to the same bank account as they used previously. Even if you explicitly add a note about the changed account number, chances are still very high that they use the old one.

I freelance and just moved, trying to get accounting departments to send checks to the correct address is worse than pulling teeth. Even after making large notes about the address changes and emailing them repeatibly. I should figure out how this guy managed to do it ;)

People would legitimately be surprised to learn how low tech ordering/invoicing/remittances remain in 2017 even for half billion dollar contracts.

There's very little automation, even EDI is the exception rather than the rule (particularly for one off orders), most are either still paper, fax, or insecure email.

Email remains pretty broken. You'll be lucky to get end to end encryption, and once it arrives it is hard to make assurances that the sender really sent it (or even the sender's domain).

People have tried to fix email but nothing as ambitious as TLS/HTTPS has been. And getting people to use a more secure platform built on top of HTTPS is likely a non-starter...

So what can be done? I legitimately don't know. Even snail mail can be "hacked" via sending a plausible sounding invoice to the right address at the right time.

If email is broken for sending invoices, then the correct response is to stop sending invoices over email. Banks figured this out already: Stop sending things directly in email, and instead send notifications. Have the user log into the banking system to see the notification.

So, host invoices on your own domain, and only send links to clients. Clients can confirm they are talking to the correct server when downloading the invoice. Same as they should be used to doing for any email with links regarding money.

"People would legitimately be surprised to learn how low tech ordering/invoicing/remittances remain in 2017 even for half billion dollar contracts."

Totally agree with this. I occasionally deal with relatively large contracts and it is amazing the amount of labor behind processing purchase orders, invoices, etc. Many companies locate their accounts payable/receivable departments in low-cost countries.

"People have tried to fix email but nothing as ambitious as TLS/HTTPS has been. And getting people to use a more secure platform built on top of HTTPS is likely a non-starter..."

Makes me wonder if it's time to metaphorically pack it in, and respecify the SMTP infrastructure on top of HTTP(S), precisely because that seems like the only way we're going to get cert security with email systems. As long as it's an optional add-on to SMTP it seems it just isn't going to be added on. (Of course SMTP wouldn't go anywhere right away; I'm talking about a real process with transition times and such, not a mystical one where this would one day replace SMTP in a big bang.)

I mean, there's a loooot of i's to dot and t's to cross betwixt this little comment and an actual standard, but conceptually it doesn't seem too difficult. SMTP is conversational standard but it seems like we've probably got enough negotiation tech in HTTP to pull it off in a request/response manner nowadays.

> Makes me wonder if it's time to metaphorically pack it in, and respecify the SMTP infrastructure on top of HTTP(S), precisely because that seems like the only way we're going to get cert security with email systems.

Transport security is not the actual issue. SMTP over TLS has been around for a while and is fairly well functional. The problem is attaching an identity to the senders email. That's what S/MIME and GPG/PGP do, but the actual real-world problem here is that you need to somehow certify that the sender is the right person. So you can either have a centralized set of authorities (S/MIME) or Web of Trust (GPG/PGP). Neither option actually scales. Some countries started issuing certificates in their ID cards, but given that other countries don't even have ID cards, this is obviously not going to fix this either.

HTTPS has the same problems in principle, but it only needs to certify a comparatively small number of entities (web servers) as opposed to actual users.

"Transport security is not the actual issue."

From what I hear from security folks, transport security is still an issue. You can negotiate up to TLS easily in SMTP, as long as you don't care about certificate validity. But without caring about certificate validity, MITM is still quite possible.

sure, there are still providers that don't offer TLS, but my point is that fixing TLS doesn't even begin to tackle this actual problem. It's an orthogonal problem. This issue is about authorization/authentication, not about transport security/MITM attacks. PGP and SMIME, even when used for signing only will protect against this attack while even fully deployed TLS will not.

You might be interested in Dan Bernstein's IM2000 proposal, which centers around the idea that instead of sending email to a local server which forwards it to some number of other servers before it lands in an inbox, the local server hangs on to the body of the email and just sends a notification that it's available to be read.

This helps reduce the spam problem, because a mail sender needs to be contactable in order to read the content. Serving up the mail with https is a no-brainer.

You still have reputation problems and certificate authority issues, but the value of a botnet to send spam is greatly reduced.

That's pretty interesting. Once the recipient contacts the sender to view the contents, presumably their client could also download the contents to have it locally available, no? Would the retrieval of the email have to be user-initiated?

I'm all for technical solutions to this problem, but after reading the original article, I can't help but pointing out that this scam was social engineering, not technical engineering.

I'd be extremely surprised if half billion dollar contracts were automated in any way, that seems like a really bad idea.

Automating the payment would be a really bad idea, but the workflow of receiving the contract/invoice, running it through internal systems, negotiation and legal could use some software help.

All my contract negotiation & signing over a few bucks has been done using cloud based encrypted services for years. Yes email is not encrypted, but I'm not sure what the problem is, or how this even relates to the article.

This was a phishing scam over new deals. New deals can't generally be automated, shouldn't generally be automated, and the issue here involved human factors that are likely to always exist. The presumption that more computers and more encryption could fix what happened in this story seems misguided to me.

Totally agree.. This process is SO broken and frustrating.

I wonder how long a less greedy approach would have worked. I would guess a larger number of smaller invoices might have gone unnoticed for some time. This egregious approach lasted for 2 years.

reply


Email uses tls. If both ends support it, it uses it. Most popular email providers support it. Also, dmarc signs emails the guaranteeing domains, and if you want email to be reliable, you must support dmarc.

reply


The funny thing is that these incidents are probably what it takes for those particular companies to beef up their security culture. Everyone else will likely keep their heads down: "How asinine of them! This dumb thing could never happen to us." The truth is that without the right security processes and culture in place, it could really happen to anyone dealing with substantial value and overworked mid-level managers, a form of the principal–agent problem[1].

Security incidents have a stark resemblance to emergency room visits. People are so hard to sell on prevention, and they end up paying big for an ER visit.

[1] https://en.wikipedia.org/wiki/Principal%E2%80%93agent_proble...

Even more surprising when I consider my own experience getting large technology corporations to pay my companies money they legitimately owe us!

This happened to Ubiquiti a while back

https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffe...

>crooks spoof communications from executives at the victim firm in a bid to initiate unauthorized international wire transfers.

In other words simple social engineering. These finance people are scared shitless of their CEOs and VPs so they jump at their requests, often skipping the verficiation stage because "Bossman will get pissed if I ask him for his secondary auth. My manager told me I'd be fired if I pissed off bossman again."

If anything, the companies that get hit by such simple scams deserve to be. They clearly don't have the corporate culture and accountability to stop a simple fake money request. Lets stop blaming the technology here and start blaming the real problem: executive entitlement and the incredibly classist structures at work at most companies where the bottom people can't even question the top people.

This aligns well with my 2017 Nicholl Fellowship screenplay entry called "Do Unto Others" where in Act III the protagonists use their insider knowledge of International Banking and Wire Transfers to clean out the hidden stash of illicit monies hidden by disgraced Enron executives[1].

To me, plausibility is important in fictional works that reach for meaning or defined structure, at least where possible. I mean, I love Hackers but of course groan at scenes inside "The Gibson" and whatnot. This guy actually made it work - I'm impressed.

[1] https://www.scriptrevolution.com/scripts/do-unto-others

I saw speculation on Twitter that it was Google or Apple and Facebook. But to me, it seems like it could be any of dozens of companies based on "Internet-related services and products" and "multinational ... online social media/networking".

See also: affidavit [1]

[1] https://www.scribd.com/document/342639731/Rimasauskas-Affida...

They do say that the victims "regularly conducted multimillion-dollar transactions" with the computer hardware company that was being impersonated.

That does narrow it down to companies in those spaces that run on their own metal, and significant amounts of it.

Similar scams have targeted (medium-large, funded) startups as well.

Typically the attacker starts by phishing an employee, then uses information discovered through that to trick someone else in the company to initiate a wire.

I imagine these types of crimes are very much helped by mining data from Linked in and Facebook.

Sounds like a story for another "Catch Me If You Can" kind of movie.

Security is only as good as the weakest link, employees who do not question legitimacy and authority.

I would think a simple 2nd factor check, by phone to the actual vendor would have prevented this. For such large amounts the time involved would be worth it

I've worked for companies in the past where no money would ever be paid out to anyone but government (tax bills etc.) without the party sending them the invoice having a valid purchase order number that referred to a pre-agreed supplier record that specified tha company name and address and the bank account to send it to.

It was annoying at times, but it also meant their accounts department could match every single expense to a specific contract or pre-agreed authorisation, complete with who (on their end) had made the request and who had signed off the request.

Even if you don't do that for everything, even just doing that for everything above a certain amount would make such fraud a lot harder.

Try to call international company with thousands of workers and get somebody who knows anything on phone. Also, most workers simply don't care for a tiny chance of scam, it's not their money after all.

reply


Seems like a reasonable requirement as part of any large deal like this. Even if each party pays someone 200k a year solely to sit in an office and make calls verifying large invoices you're still talking about a small amount compared to the size of these contracts.

I would think that vendors with large enough contracts will be more than happy to jump through any hoops if required.

A phone check can solve a lot when you've got a single point of contact at a company and they know all its subdivisions and are on first name terms with the accounts receivables department(s). That's not likely to be the case for a large multinational with multiple divisions selling multiple products to different divisions of the client, especially assuming the scammers have socially engineered their way to having enough information on existing contracts and invoices to be able to plausibly adapt them for their own purposes.

Quite likely people on the other side (employees of the victim companies) collaborated with him and got their share...

Why didn't he wire it to a Swiss or Cayman Islands bank account?

Because he didn't know anyone who could create him drop accounts in those countries?

Stories like this are what give African Princes hope that someday they will find their Princess.

Could you unpack that a little?

The reference is to popular scams where a person contacts you and claims to be royalty in need of a bit of money. https://en.wikipedia.org/wiki/Advance-fee_scam

