Slashdot Mirror


Facebook and Google Were Victims of $100M Payment Scam

Employees of Facebook and Google were the victims of an elaborate $100 million phishing attack, according to a new report on Fortune, which further adds that the employees were tricked into sending money to overseas bank accounts. From the report: In 2013, a 40-something Lithuanian named Evaldas Rimasauskas allegedly hatched an elaborate scheme to defraud U.S. tech companies. According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The point was to trick companies into paying for computer supplies. The scheme worked. Over a two-year span, the corporate imposter convinced accounting departments at the two tech companies to make transfers worth tens of millions of dollars. By the time the firms figured out what was going on, Rimasauskas had coaxed out over $100 million in payments, which he promptly stashed in bank accounts across Eastern Europe. Fortune adds that the investigation raises questions about why the companies have so far kept silence and whether -- as a former head of the Securities and Exchange Commission observes -- it triggers an obligation to tell investors about what happened.

50 comments

  1. WOW by whitlocktj · · Score: 1

    I remember hearing about this, but never suspected Google was one of them. Good thing they realized their mistake promptly and got their money back. Bad publicity nonetheless.

    1. Re:WOW by AK+Marc · · Score: 1

      I remember hearing about this in the '90s, where (non) toner companies in my area were sending out bills for toner to lots of mid-sized companies, and many bills were paid. This form of fraud has been around a long time. Maybe it didn't make international news because $100k isn't the same as $100M.

  2. Idiots by Anonymous Coward · · Score: 0

    Anyone who falls for stuff like this should be fired and blacklisted.

  3. First rule by Chris+Mattern · · Score: 3, Interesting

    First rule of damage control for corporations hit by scams like this is to NEVER disclose it happened if you don't have to. If nobody finds out about it, there won't be any damage to your reputation and there won't be copycats inspired by it.

    1. Re:First rule by Anonymous Coward · · Score: 0

      First rule of damage control for corporations hit by scams like this is to NEVER disclose it happened if you don't have to. If nobody finds out about it, there won't be any damage to your reputation and there won't be copycats inspired by it.

      Another important rule is: Keep quiet about it while the investigation is ongoing. Not only does this avoid spooking the bad guys, which increases the odds you can recover your money, but in many cases it's a legal requirement.

    2. Re:First rule by slashrio · · Score: 1

      And the other good thing is investors in the company that you're running with their money won't find out how stupid you are and how easy it is to steal their money so they won't dump their shares in the company you're running and/or fire you.
      Until they find it out, plus that you didn't inform the SEC, so that by now the shares will take the hit anyway.

      --
      "Trump!!", the new Godwin.
  4. Well by DontBeAMoran · · Score: 3, Funny

    If huge corporations such as Facebook and Google can fall victim to scammers, who are we to even try resisting?

    Help me pay for the scams I'm a victim of. Send donations directly to:
    18LQHMjKSCSU3g4f29TfmtfxHXUfnh7juB (Bitcoin)
    D9scjyKETYZesSmhjCR4vye4bc6iDqXPd6 (Doge)

    --
    #DeleteFacebook
    1. Re:Well by Anonymous Coward · · Score: 0

      People still use Doge?

    2. Re:Well by mysidia · · Score: 2

      If huge corporations such as Facebook and Google can fall victim to scammers, who are we to even try resisting?

      A company's large size actually works against you, when it comes to protecting against issues like this: the more people you have, the harder it is to effectively communicate a message to everyone and mobilize all the important parties against a threat. Instead of being agile and able to adapt, you need to rely mostly on written policies, putting systems into place, and training staff in advance.

      If your company was smaller (Unlike Google), then you can probably put new systems into place and modify existing IT systems to more quickly detect and respond to issues.

      Also, if your company has only a few million in the bank, it's unlikely that $100 Million will be stolen from you

    3. Re:Well by GLMDesigns · · Score: 1

      If you mine litecoin you get doge

      --
      If you're scared of your govt then you need to further restrict its powers
      Vote 3rd Party in 2016 and beyond
    4. Re:Well by AK+Marc · · Score: 1

      If you don't know what you are paying for, you shouldn't authorize it. In Google sized companies, it was likely approved by at least 2 people, then seen by at least 2 more before being paid. Does the payment system not flag unusual terms for a standard vendor? Does the authorizing manager not know the services ordered in that time period?

      It takes systemic incompetence to fall for these well known and old billing frauds.

    5. Re: Well by will_vK · · Score: 0

      Where there is a Well there is mining.

  5. I have a dream by Anonymous Coward · · Score: 0

    One day, I wish that we all can be like:

    "Hey remember a long, long time when Facebook was using everyone? It was so MySpace, Geocities, Yahoo!, Lycos, and About.com! Hahahaha. --yeah, 'I really felt sorry for Facebook'... said nobody ever!"

  6. Hall of Fame worthy by mccrew · · Score: 1

    Wow, conning FB and The Goog out of a cool $100M. He should go to jail... but also be inducted into the Scammers Hall of Fame!

    --
    Hey, Windows users, there is no such thing as "forward" slash, there is only slash and backslash.
    1. Re:Hall of Fame worthy by Highdude702 · · Score: 1

      Your sig! I love it. That is one of the things that bothers me most about normals.

    2. Re:Hall of Fame worthy by Anonymous Coward · · Score: 0

      We've hired several former Google employees and one former Facebook employee here in Seattle, and they're just terrible employees. I'm not surprised they got scammed.

    3. Re: Hall of Fame worthy by Anonymous Coward · · Score: 0

      Same here. Facebook and Google do a terrible job at hiring.

    4. Re: Hall of Fame worthy by Anonymous Coward · · Score: 0

      It be the way of their kind.

    5. Re:Hall of Fame worthy by Streetlight · · Score: 1

      There may be a good reason they're former employees. These days letters of recommendation mean almost nothing since any negative statement can result in a law suit against the writer. I've been told to just write statements like: the applicant worked here from date 1 to date 2 and his/her experience may qualify him/her for the job he/she has applied for. Likewise, CVs don't mean anything either.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
    6. Re: Hall of Fame worthy by Anonymous Coward · · Score: 0

      Keep in mind that they didn't work out at either place, so they're not an example of the best of.

    7. Re:Hall of Fame worthy by AK+Marc · · Score: 1

      The most enthusiastic recommendation came from her current employer. Found out later that it was all a lie, hoping someone would hire her away, as she was a violent alcoholic. She got fired when she showed up to a sales meeting with a customer 4 hours late, slightly drunk, and very hungover. I'm the one that got her fired. She played the "I'm 5 minutes away" game for hours.

    8. Re: Hall of Fame worthy by Anonymous Coward · · Score: 0

      Same here. Apparently Google and Facebook aren't good at hiring.

    9. Re:Hall of Fame worthy by Streetlight · · Score: 1

      Understood. I've also run into folks hired who were "gotten rid of" with wonderful letters of rec. The earlier employer in your case didn't want to take the trouble of firing the person, was afraid of litigation or didn't want to go to the trouble of helping the employee solve her problem, so just wrote a good rec letter.

      --
      In a time of universal deceit, telling the truth is a revolutionary act. George Orwell
  7. Congrats sleuth slashdot users by s1d3track3D · · Score: 2

    Should we now upvote users who figured out the companies months ago? https://news.slashdot.org/stor...

    Moral of the story, Greedy dude got caught.

    1. Re: Congrats sleuth slashdot users by Anonymous Coward · · Score: 0

      Greed you say? What about irony?

      Fuckerberg buys an island for "privacy" by selling everyone's private information they give to him for free.

      I see a different moral to the story.

  8. Checking your own accounting database. by Nutria · · Score: 1

    Isn't that SOP? It should be...

    --
    "I don't know, therefore Aliens" Wafflebox1
  9. Why the companies have so far kept silence by Anonymous Coward · · Score: 0

    why the companies have so far kept silence

    I can take a guess...

  10. Nothing new here by AF_Cheddar_Head · · Score: 2

    This is an old scam updated for modern times: scammers used to send small bills for office supplies to accounting departments of large corporations hoping the bill would be paid without any checking for validity. Worked often enough that the scammers kept doing it.

  11. Smart but dumb.... by EvilSS · · Score: 2

    At some point don't you have to say to yourself "Self, we've been lucky so far. We have 15 or so mil in the bank already. This scheme really can be run from virtually anywhere. Shouldn't we pack up and move to a country that the US doesn't have an extradition treaty* with?"

    I mean Russia is right there. He could have hopped over to Kaliningrad and it would be like he never really moved, nestled between Lithuania and Poland. He had enough money I'm sure he could arrange for residency.

    *Yes, the US has an extradition treaty with Lithuania.

    --
    I browse on +1 so AC's need not respond, I won't see it.
    1. Re:Smart but dumb.... by Nutria · · Score: 1

      Are there any NATO countries that don't have bilateral extradition treaties?

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:Smart but dumb.... by EvilSS · · Score: 2

      Are there any NATO countries that don't have bilateral extradition treaties?

      I don't think so. The list of countries that have treaties or other arrangements is actually surprisingly larger than I thought it would be. The no-treaty list is pretty short. Even shorter when you remove the places that are dangerous and/or third-world.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    3. Re:Smart but dumb.... by jandrese · · Score: 1

      The list consists of only two types of countries: "third world war torn shithole" and "tiny island". Some of the islands would sound nice, but they would be a prison. You would be trapped on there for the rest of your life.

      --

      I read the internet for the articles.
    4. Re:Smart but dumb.... by Anonymous Coward · · Score: 0

      Trapped on a tropical island with millions of dollars to spend. It would be truly hellish.

    5. Re:Smart but dumb.... by AK+Marc · · Score: 1

      And legal extradition would be out, but illegal extradition would be in, as the tiny nation wouldn't care to stop or object.

    6. Re: Smart but dumb.... by EvilSS · · Score: 2

      So are Russia and China war town shithole or tiny island?

      --
      I browse on +1 so AC's need not respond, I won't see it.
    7. Re: Smart but dumb.... by Anonymous Coward · · Score: 0

      Russia is war, and China is town shithole. Next question.

    8. Re: Smart but dumb.... by Anonymous Coward · · Score: 0

      So are Russia and China war town shithole or tiny island?

      Yes.

  12. Paradoxical. by Gravis+Zero · · Score: 4, Insightful

    the investigation raises questions about why the companies have so far kept silence and whether [...] it triggers an obligation to tell investors about what happened.

    The problem is that disclosure is paradoxical.

    1) Scammed corporations need to tell their stockholders because if the information is found out, it could negatively affect the value of the stock therefore it's in the interest of the stockholders to be told.
    2) By covering it up, corporations prevent the stock from dropping and thus maintaining the value of the stock which is in the interest of the stockholders therefore the information should be withheld from stockholders.

    Until a legislative imperative resolves this paradox, corporations will take the path that aligns with their own interests.

    --
    Anons need not reply. Questions end with a question mark.
  13. Common by Solandri · · Score: 4, Informative

    If you ever start a business, you'll be inundated with these types of phishing attacks. Most of them are actually by postal mail too.
    • Letters and envelopes designed to look like government correspondence, saying you need to renew your business registration for $200. The actual requirement (annual statement of information) is about $20, and can be done online. These scam artists trick business owners who don't know into thinking it's $200 (effectively $20 for the filing, $180 for their "service"). My dad (a family practice doctor) didn't learn this until after he retired, and he found one of these letters in my trash and demanded to know why I was throwing out a government notice. By our estimate he paid over $5000 to these crooks during his career. These got so bad that many states passed laws requiring any correspondence for a service assisting with filing government forms have "THIS IS NOT A GOVERNMENT NOTICE" printed all over.
    • Letters masquerading as subscription renewals for things you haven't actually subscribed to. They're hoping someone in accounting doesn't know you haven't actually subscribed to it, assume it's a renewal so they won't investigate it to see if it's legit, and just pay it.
    • Package delivery fees for your clients. If you're in a business where your customers temporarily or permanently share your address (hotel, landlord, etc), sometimes your customers don't pay their bills to other companies. These companies then try to trick you into paying the bill because you share the same address. They'll send you a legit invoice with your company name as the purchaser/recipient. Buried down in the handwritten description of the charge it'll mention your client who is the actual payer.
    • A company who sold merchandise to one of our customers tried to pull this on us too. They said that was the billing info the customer gave them. I give them the benefit of the doubt - I assume it was a mixup between billing address and shipping address.
    • Information harvesting. These aren't a direct financial attack. I think they're just collecting marketing info so they can sell it. The most memorable one I got was by phone. They claimed to be from the DMV and asked some basic information about our company (size, revenue). Some of our vehicles are registered with the DMV for off-road-only use (i.e. on our property only) so it's not unusual for us to get a call from the DMV about this. But when they started asking about our payroll info, the alarm bells went off. I asked why the DMV needed that info, and they hung up. Thinking back, I think they actually said they were calling from the "DNV" not the "DMV".
    • These can come by mail too. I've gotten one designed to look like the Bureau of Labor Statistics forms our company was sometimes randomly chosen to fill out. Only difference was the destination fax number. I only noticed it because while I was prepping the report, I noticed I had already sent the report for that month. That's when I dug into it a little more and discovered the fax number was different.
    • Designed to look like another bill. I've gotten two of these - one mimicking a utility bill, one saying I had to pay something for my Google account. The Google one was an obvious fake. The one mimicking my electric bill was really good. If I had been paying it by hand, it might have slipped through. I caught it because according to my accounting program, I had already paid the electric bill that month. I think they were counting on people making the payment check out to "SCE" instead of "Southern California Edison", and mailing it in that handily provided return envelope with pre-printed address.
    • Standard fake IRS notices, telling you to call a phone number to pay. The phone number goes to the scammer, not the IRS.

    Taken individually, these attacks are usually pretty easy to spot. But when you're hit with so many of them over the years, even if you catch 99% of them, a few will slip through.
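
AK+Marc asks above whether a payment system flags unusual terms for a standard vendor, and Solandri's list shows the patterns an Accounts Payable screen has to catch: lookalike vendor names ("SCE" for "Southern California Edison"), bills for a period already paid, and charges for things that were never ordered. The following Go program is an added example, not code from this thread or from any accounting product; the vendor master, purchase-order table, account numbers and invoices are constructed sample data, and the 3x-historical-median amount threshold is an assumed tuning value.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Vendor is a row of the vendor master file (constructed sample data, not a real AP schema).
type Vendor struct {
	Name        string
	BankAccount string    // remittance account recorded when the contract was signed
	History     []float64 // amounts of previously approved invoices from this vendor
}

// Invoice is what lands in the Accounts Payable inbox, by e-mail or post.
type Invoice struct {
	ID          string
	Vendor      string // vendor name as printed on the invoice
	BankAccount string // account the invoice asks to be paid into
	Amount      float64
	Period      string // billing period, e.g. "2017-03"
	PONumber    string // purchase order the invoice claims to fulfil; "" if none cited
}

// Ledger is the slice of the accounting database the invoice is checked against.
type Ledger struct {
	Vendors map[string]Vendor // keyed by normalised vendor name
	Paid    map[string]bool   // "VENDOR|period" for invoices already settled
	OpenPOs map[string]string // PO number -> normalised vendor it was issued to
}

// key normalises a vendor name so spacing and case differences do not matter.
func key(s string) string { return strings.ToUpper(strings.Join(strings.Fields(s), " ")) }

func median(xs []float64) float64 {
	if len(xs) == 0 {
		return 0
	}
	s := append([]float64(nil), xs...)
	sort.Float64s(s)
	n := len(s)
	if n%2 == 1 {
		return s[n/2]
	}
	return (s[n/2-1] + s[n/2]) / 2
}

// Screen returns the reasons an invoice must be held for a human reviewer.
// An empty result means no check fired; it is not proof the invoice is genuine.
func Screen(l Ledger, inv Invoice) []string {
	var flags []string
	vk := key(inv.Vendor)
	v, known := l.Vendors[vk]
	if !known {
		// Catches unknown senders and near-miss names alike: a bill from "SCE" does not
		// match a master entry for "Southern California Edison".
		flags = append(flags, "vendor not in vendor master")
	} else {
		if inv.BankAccount != v.BankAccount {
			flags = append(flags, "remittance account differs from account on file")
		}
		if m := median(v.History); m > 0 && inv.Amount > 3*m {
			flags = append(flags, fmt.Sprintf("amount %.2f exceeds 3x historical median %.2f", inv.Amount, m))
		}
		if l.Paid[vk+"|"+inv.Period] {
			flags = append(flags, "an invoice for this vendor and period was already paid")
		}
	}
	if inv.PONumber == "" {
		flags = append(flags, "no purchase order cited")
	} else if owner, ok := l.OpenPOs[inv.PONumber]; !ok || owner != vk {
		flags = append(flags, "cited purchase order was not issued to this vendor")
	}
	return flags
}

// SampleLedger builds the constructed data: two vendors, one settled March utility bill, two open POs.
func SampleLedger() Ledger {
	l := Ledger{Vendors: map[string]Vendor{}, Paid: map[string]bool{}, OpenPOs: map[string]string{}}
	l.Vendors[key("Southern California Edison")] = Vendor{Name: "Southern California Edison", BankAccount: "ACCT-UTIL-01", History: []float64{410, 395, 430}}
	l.Vendors[key("Acme Hardware Ltd")] = Vendor{Name: "Acme Hardware Ltd", BankAccount: "ACCT-HW-01", History: []float64{1.2e6, 0.9e6, 1.5e6}}
	l.Paid[key("Southern California Edison")+"|2017-03"] = true
	l.OpenPOs["PO-6000"] = key("Southern California Edison") // standing order for electricity
	l.OpenPOs["PO-7001"] = key("Acme Hardware Ltd")
	return l
}

// SampleInvoices are four constructed arrivals: a lookalike utility bill, a duplicate of the paid
// March bill, a hardware invoice with a changed account and inflated amount, and a genuine one.
func SampleInvoices() []Invoice {
	return []Invoice{
		{ID: "lookalike", Vendor: "SCE", BankAccount: "ACCT-X-77", Amount: 412, Period: "2017-03"},
		{ID: "duplicate", Vendor: "Southern California Edison", BankAccount: "ACCT-UTIL-01", Amount: 405, Period: "2017-03", PONumber: "PO-6000"},
		{ID: "imposter", Vendor: "Acme Hardware Ltd", BankAccount: "ACCT-X-99", Amount: 4.0e6, Period: "2017-04", PONumber: "PO-7001"},
		{ID: "genuine", Vendor: "Acme Hardware Ltd", BankAccount: "ACCT-HW-01", Amount: 1.3e6, Period: "2017-04", PONumber: "PO-7001"},
	}
}

func main() {
	l := SampleLedger()
	for _, inv := range SampleInvoices() {
		fmt.Printf("%-9s -> %v\n", inv.ID, Screen(l, inv))
	}
}
```

The checks are deliberately cheap: every one is a lookup against data the company already holds, which is the point Nutria makes about checking your own accounting database. A changed remittance account on an otherwise normal-looking invoice from a known vendor is the single most useful flag here, because that is the one field an imposter must alter to get paid.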

    1. Re:Common by jandrese · · Score: 1

      What is frustrating about this is how easy it would be for the cops to roll these guys up if they wanted to. I mean they're providing a mailing address, even if it is a PO Box that isn't going to keep them anonymous for long. I bet it wouldn't even take too many arrests before the volume of mail really dropped. The people who do this need to mail fraud thousands of times every week just to get a few bites.

      For the scam to work at all they need a US address. Ain't nobody gonna fill out a SCE "bill" and then mail it in an international envelope to Belarus or something. I guess they could be using a remailing service, but at the least the cops could get their account shut down.

      --

      I read the internet for the articles.
    2. Re:Common by Anonymous Coward · · Score: 0

      fucking line breaks, how do they work?

    3. Re:Common by tehcyder · · Score: 1

      Letters masquerading as subscription renewals for things you haven't actually subscribed to. They're hoping someone in accounting doesn't know you haven't actually subscribed to it, assume it's a renewal so they won't investigate it to see if it's legit, and just pay it.

      Back in the day "International Fax Directories" were always a popular one. If the scammer had enough chutzpah, they would almost immediately follow up with a "legal letter" demanding payment, on the basis that they hadn't received a cancellation notice. This can be surprisingly effective if you direct it at law-abiding businesses who are paranoid about getting on some sort of credit blacklist.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  14. Yes!!!!! by Anonymous Coward · · Score: 0

    Fuck yeah !!!

  15. Insiders busted yet? by Anonymous Coward · · Score: 0

    To know the office to whom to send such bills, to know the sort of tech that was purchased there, and to know how to spoof each company's purchase orders, an insider was required. Caught 'em yet?

  16. Flying under the radar? by Pascoea · · Score: 1

    $100M? Seems like someone got greedy. Wouldn't it make more sense to keep the amounts smaller, maybe fly under the radar? To quote Hans Gruber "Well, when you steal $600, you can just disappear. When you steal 600 million, they will find you..."

    How much would it take to live comfortably for the rest of your life in Lithuania? Given that the median annual income is $5,000, $100M seems a bit overkill.

    1. Re:Flying under the radar? by rainer_d · · Score: 1

      To the contrary: go big or go home.

      As the post from Solandri above points out: small scammers ask for 200 dollars.
      Those are easily caught because The Big G probably don't buy small quantities of anything.

      But send an invoice for 3 million and... "Hey, I'm not supposed to tell you this but manager X needs this gear for this super-secret, super-important project. You know, he's reporting directly to Sergej and Larry on this one. No red tape, no fuzz. Now do the needful and approve the payment so we both don't get into trouble for delaying this thing any further. I'll tell Eric you saved the day the next time we go golfing."

      Etc.

      This man obviously knew how to press the right buttons with people. Hall of fame indeed.

      Of course, as long as it was working, he couldn't quit.

      --
      Windows 2000 - from the guys who brought us edlin
  17. Encryption? by Areyoukiddingme · · Score: 1

    According to the Justice Department, he forged email addresses, invoices, and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business.

    Of all the companies in the world, I expected Google to have established some method of identification of their suppliers more secure than email addresses, invoice formats, and corporate stamps. PGP is now 26 years old, and the algorithms it implemented are older yet. It's really really time for businesses to start using those algorithms, if not PGP itself.

    I'm envisioning a system where, during the meeting when a contract is signed, the principals exchange public keys, maybe going so far as printing them out as QR codes that are included beneath the signatures on the signature page. It takes a fairly dense QR code to represent 4096 bits with any redundancy, but there is a standard that can accommodate it. These keys are specific to the contract; no reason to create a One True Corporate key, that if compromised, all is lost. Generating keys is cheap and easy, so make new ones at some convenient level of granularity. Per contract is best, per relationship is tolerable, per division is less good but might work, per organization should be avoided, but maybe if you're a small business it's ok. Store the private keys on one of those tamper-resistant secure storage thingies with a USB interface. (Google already uses those things internally. Why weren't they using them for invoices?)

    When invoicing, sign the invoice with the correct private key. The system should preferably also encrypt with that private key, and encrypt with the recipient's public key already on file. This prevents interception of invoices in transit, and also makes it extremely clear to the recipient's Accounts Payable department whether or not an invoice is legitimate. If it won't decrypt, Accounts Payable won't try to be helpful and pay the invoice anyway, since all they'll see is guck. Maybe allow signing only, but it should be buried deep in the options, and default to off.

    What needs to be done, which as far as I know is missing, is software integration to make this process as frictionless and foolproof as possible. PGP (and gpg) have email client integration, but last I looked, it worked only indifferently well, and wasn't available in all clients. What's missing, and what really needs to exist, is integration with accounting software. The relevant public keys should be on file inside the accounting software, and plugins should be written to know what to do with them, be it GnuCash, Peachtree Accounting, Quicken, or (heaven help you) SAP. The private keys (locked with a pass phrase) should be carried on the secure storage physical device by the authorized signer, and plugged in and unlocked only when that person is actually submitting invoices.

    This is where I see a business opportunity. In order to be accepted, the system must be ubiquitous, reliable, and as unintrusive as possible. That means writing, testing, and seriously grinding the rough edges off of plugins, helpers, and apps to support every version of every OS, every version of every accounting package, and every device. This requires dozens of individual pieces of software, and integration work with existing code that is only barely friendly at best, and outright hostile at worst. A customer should be able to buy into the system and get whatever they need to work with the systems and software they already use, be it a small business running a seven year old version of Peachtree on Macs to a billion dollar behemoth with a tailored SAP Solution(TM)(R)(May God Have Mercy On Your Soul). When two small business owners meet in a bar to sign a ten thousand dollar contract, their smart phones should have apps that can offer up appropriate QR codes, and take pictures of them, to be funneled into the accounting software when they get home. (Etiquette suggests that the invoicer should present her QR code first, followed by
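
The signing-and-verification step Areyoukiddingme describes (a key pair per contract, the supplier's public key filed by the buyer at signing, every invoice signed by the supplier and checked by Accounts Payable before anything is paid), as an added Go example; it is not code from the post or from any accounting package. It uses Ed25519 from Go's standard library rather than PGP, covers the signature only (the post's optional encryption layer is left out), and the contract IDs, invoice fields and account numbers are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Invoice is the record the accounting software exports for signing (constructed fields).
type Invoice struct {
	ContractID string  `json:"contract_id"` // which contract's key pair covers this invoice
	Number     string  `json:"number"`
	Amount     float64 `json:"amount"`
	PayTo      string  `json:"pay_to"` // remittance account the invoice asks for
}

// SignedInvoice is what travels to the buyer: the invoice plus a detached signature over it.
type SignedInvoice struct {
	Invoice   Invoice `json:"invoice"`
	Signature string  `json:"signature"` // hex Ed25519 signature over canonical(Invoice)
}

// KeyRing is the buyer's file of supplier public keys, one per contract, captured when
// the contract was signed (the QR-code exchange in the post).
type KeyRing map[string]ed25519.PublicKey

// canonical gives both sides identical bytes to sign and verify: encoding/json emits
// struct fields in declaration order, so the encoding is deterministic.
func canonical(inv Invoice) ([]byte, error) { return json.Marshal(inv) }

// NewContractKeys is the supplier side at contract signing: a fresh pair for this contract only.
func NewContractKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign is the supplier side at invoicing time, run with the contract's private key unlocked.
func Sign(priv ed25519.PrivateKey, inv Invoice) (SignedInvoice, error) {
	msg, err := canonical(inv)
	if err != nil {
		return SignedInvoice{}, err
	}
	return SignedInvoice{Invoice: inv, Signature: hex.EncodeToString(ed25519.Sign(priv, msg))}, nil
}

// Verify is the Accounts Payable side: a nil error is the only state in which payment proceeds.
func Verify(ring KeyRing, si SignedInvoice) error {
	pub, ok := ring[si.Invoice.ContractID]
	if !ok {
		return fmt.Errorf("no key on file for contract %q", si.Invoice.ContractID)
	}
	sig, err := hex.DecodeString(si.Signature)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("malformed signature on invoice %s", si.Invoice.Number)
	}
	msg, err := canonical(si.Invoice)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, msg, sig) {
		return fmt.Errorf("invoice %s does not verify under the key for contract %q", si.Invoice.Number, si.Invoice.ContractID)
	}
	return nil
}

// Demo plays out the exchange with two contracts: the genuine invoice verifies, while a copy
// whose remittance account was altered in transit and an invoice signed with the key of a
// different contract (the impersonation case) are both rejected.
func Demo() (genuineOK, tamperedOK, wrongKeyOK bool, err error) {
	pubA, privA, err := NewContractKeys()
	if err != nil {
		return
	}
	pubB, privB, err := NewContractKeys()
	if err != nil {
		return
	}
	ring := KeyRing{"C-2013-001": pubA, "C-2013-002": pubB}
	inv := Invoice{ContractID: "C-2013-001", Number: "INV-0042", Amount: 2.5e6, PayTo: "ACCT-HW-01"}
	genuine, err := Sign(privA, inv)
	if err != nil {
		return
	}
	genuineOK = Verify(ring, genuine) == nil
	tampered := genuine
	tampered.Invoice.PayTo = "ACCT-X-99" // changed after signing; the signature no longer covers it
	tamperedOK = Verify(ring, tampered) == nil
	wrongKey, err := Sign(privB, inv) // a valid key, but not the one filed for C-2013-001
	if err != nil {
		return
	}
	wrongKeyOK = Verify(ring, wrongKey) == nil
	return
}

func main() {
	g, t, w, err := Demo()
	fmt.Printf("genuine=%v tampered=%v wrongKey=%v err=%v\n", g, t, w, err)
}
```

The design choice worth noting is that the key is looked up by contract, not by sender name or e-mail address, so a forged address, letterhead or stamp buys the sender nothing: the only thing that verifies is a signature made with the private key handed over at signing, and a compromise of that key exposes one contract rather than every relationship the company has.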

    1. Re: Encryption? by Brockmire · · Score: 1

      What's with these epic posts? tl;dr.

  18. Creative tax evasion by Anonymous Coward · · Score: 0

    Is it possible that Facebook and Google found some people to give money to that their employees wouldn't suspect to avoid taxes? I know companies like that wouldn't need to, but maybe just to see if it could work if they ever did?

  19. Nope. Can't. by Anonymous Coward · · Score: 0

    You can't upvote comments from a story over a month ago. On Reddit you can upvote comments for a few months, but that's Reddit.