The title reminds me of the slightly twisted Freddy Got Fingered movie, and this tale is almost as bizarre. Two of the world's biggest technology giants, Microsoft and Google, were taken by a sophisticated phishing scam to the tune of $100,000,000, yes ONE HUNDRED MILLION DOLLARS!, or £77,000,000 of the Queen's own British Pounds.
This goes to show that not even the biggest, most resourceful in the tech sector are immune to cyber attacks and internet fraudsters. Exact details are not clear, but it would smell of insider information to me. It was reported that a 48-year-old Lithuanian man called Evaldas Rimasauskas tricked both Google and Microsoft into sending him more than $100,000,000 via wire transfers to settle bogus invoices.
The details are a little light on the hows, but he basically impersonated Quanta Computer, a Taiwanese electronics manufacturer which has most of the tech world as clients, including Apple, Google, Facebook and many more. The questions I’m curious about are: how did he know exactly what the invoices look like, how was he able to deliver them in the same way as usual, and are wire transfers the usual method? Lots of questions which won’t be answered.
Purely speculation on my part, but my guess is he had some sort of inside information, thus he knew what the invoice looks like and what sort of things to include, how big to make the dollar value and more.
The end result is Mr Rimasauskas was charged with Wire Fraud, Aggravated Identity Theft and Money Laundering. The latter offence is interesting given the statements from both tech giants.
Crime May Pay
Given he was charged with Money Laundering, and there is a wedge of cash missing, it shows Rimasauskas may have hidden some away. Facebook said “We recovered the bulk of the funds.” When dealing with many millions, bulk makes it sound like a significant chunk was missing. Google’s statement, on the other hand, says “We recouped the funds and we’re pleased this matter is resolved.” Seems they got it all back.
Exactly how much is bulk? Breaking it down to smaller numbers: if someone steals 1,000 from me and I get 975 back, I would say I got it back. If I got 900 back, I’d say I got most of it back; if I got 800 back, I’d say I got the bulk of it back. Extrapolate this to $50,000,000, and many millions could be missing from Facebook’s slice.
This is an instance where one of the sites I helped build was subject to a similar scam on the Quanta side. Their clients had been told many, many times that only emails from their domain name were official and anything else should be ignored; this was even in the boilerplate and header of the email, along with details of the account holder’s name, the account handler’s name, and other information included in every email.
At some point in 2014, I think, someone was sending fake invoices to clients, mostly for small amounts, £30-100 as I recall. Not a single one paid up because the emails didn’t match the templates, and the domain they used was wrong. The company had educated their clients to spot an email/invoice which didn’t add up.
This may be a good lesson and opportunity to strengthen your own security… maybe buy a new premium domain which can’t be spoofed, and include a footer/boilerplate with all your emails to help clients. However, when even Facebook and Google, who are market leaders in technology and even make products which are meant to help protect against online scammers, get tricked, it paints a grim picture for your average user.
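The two checks those clients applied by eye (official sender domain, expected boilerplate details) can also be automated on the receiving side. The sketch below is an added example, not code from the site described; the domain `vendor.example`, the field values and both sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed values: the vendor's one official domain and the boilerplate
# details it promises to include in every invoice email.
OFFICIAL_DOMAIN = "vendor.example"
EXPECTED_FIELDS = {"Account holder": "A. Client", "Account handler": "J. Smith"}

def _domain(header_value):
    """Lower-cased domain part of an address header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")

def check_invoice_email(raw):
    """Return the reasons a message fails the vendor's published rules."""
    msg = message_from_string(raw)
    problems = []
    # The From header is only trustworthy if the receiving server also
    # enforces SPF/DKIM/DMARC; this mirrors what the recipient sees.
    sender = _domain(msg.get("From"))
    if sender != OFFICIAL_DOMAIN:
        problems.append(f"sender domain {sender!r} is not {OFFICIAL_DOMAIN!r}")
    # Replies (and payment queries) must not be diverted to another domain.
    reply = _domain(msg.get("Reply-To"))
    if reply and reply != OFFICIAL_DOMAIN:
        problems.append(f"Reply-To domain {reply!r} is not {OFFICIAL_DOMAIN!r}")
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    for label, value in EXPECTED_FIELDS.items():
        if f"{label}: {value}" not in body:
            problems.append(f"boilerplate field {label!r} missing or wrong")
    return problems

# Constructed sample messages.
GENUINE = """From: Accounts <billing@vendor.example>
Subject: Invoice 1001

Account holder: A. Client
Account handler: J. Smith
Amount due: 45.00
"""
FAKE = """From: Accounts <billing@vendor-invoices.example>
Reply-To: pay@other.example
Subject: Invoice 1002

Amount due: 60.00
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("fake", FAKE)):
        print(name, check_invoice_email(raw))
```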