GlobalSign Blog

Cyber Autopsy Series: Facebook & Google Targeted in BEC Scheme

Cyber Autopsy Series: Facebook & Google Targeted in BEC Scheme

Editor's Note: October marks National Cybersecurity Month, a full month dedicated to creating a more cyber-secure world for us all. Previously, we gave you 31 tips to help you #becybersmart. This year, to bring attention to this important matter, we’re introducing you to four huge cybersecurity incidents that could have possibly been prevented, had there been better defenses in place and more awareness. Join us every Thursday in October to read about one of these notorious cyber attacks and stick around for insights and learnings that may just prevent your case from being added to the file.

Cyber Victim 

Facebook and Google – you may have heard of them. 

Case Details 

A business email compromise scheme, also known as invoice fraud or invoice theft, that targeted two of the largest tech companies in the world over a period of two years. Millions were secured in the scheme, until the perpetrator was identified and indicted by the US Department of Justice. 

According to the FBI’s Internet Crime Complaint Center (IC3), Business Email Compromise (BEC) and Email Account Compromise (EAC) accounted for $1.7 billion in losses in 2019 alone. 

Cyber History

As if we needed another reminder, no company is too big to be targeted in a cyber attack. Despite having access to top-of-the-line threat intelligence and security resources, it won’t surprise you that Facebook and Google each have a storied history when it comes to cybersecurity. In fact, many hackers are drawn to the challenge of going after these tech giants. While not every service outage can be linked to an attack, there are a few instances where the companies were forced to disclose details of the event. 

In 2018, for example, Facebook copped to a major security vulnerability when a bug made it possible for hackers to access the data of 50 million (or more) users. 

Google has had its fair share of notorious attacks, too, not to mention all of the thwarted attempts over the last two decades. In 2009, Google China was infiltrated by hackers who “gained access to several Google’s corporate servers and intellectual property was stolen. In a blog, Google said it has ‘evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinse human rights activists’. As the company dug deeper, they found numerous Gmail of users from US, China and Europe had been routinely been accessed without permission.” 

The Google Threat Analysis Group now works to “counter government-based attacks,” providing regular updates of their research and findings on their blog.

Description of Events

Per CPO Magazine, “[Evaldas] Rimasauskas, a citizen of Lithuania…posed as Quanta Computer, a Taiwan-based computer hardware manufacturer that does substantial business with most of the world’s big tech names. Using email spoofing and forged paperwork, Rimasauskas convinced each company to pay fraudulent invoices worth tens of millions of dollars.” While there were likely co-conspirators, the indictment from the DOJ singled out Rimasauskas despite his lawyer claiming he was “far from the major actor in this matter.” 

The scam took place over several years – from 2013 to 2015 – which is how Rimasauskas was able to get away with millions. 

Systems /Parties Impacted

Unfortunately, with this kind of invoice fraud, the impact is a direct financial hit on the company in question. Amazingly, Google ended up paying out $23 million to the hacker, while Facebook handed over an incredulous $100 million to the cybercriminal. The companies were able to recover the stolen funds, not always the case with an attack like this. There are plenty of well-publicized stories about businesses that went under completely or lost millions due in large part to invoice scams. 

Probable Mode of Entry

In this case, we know exactly how Rimasauskas was able to secure the stolen funds. Not only did he send fraudulent invoices to Facebook and Google, he also allegedly “forged documents to explain the large transfers of money” to bank accounts in “various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong” according to the Indepedent

Final Diagnosis

But get away, Rimasauskas did not. In addition to a sentence of 5 years in prison, he was ordered “to serve two years of supervised release, to forfeit $49,738,559.41, and to pay restitution in the amount of $26,479,079.24.”  

The only bright side of an attack as public as this is that it brings awareness to the very real – and ever-present threat – of invoice theft. Choosing to not do business over email isn’t an option for companies that want to stay competitive in today’s digital world. So, what can your company do to play it safe and protect its well-earned dollars from eager cybercriminals?

In this article from CNBC, the FBI and Department of Homeland Security give helpful tips for preventing a scenario like this. As with every other type of cyber attack, education and awareness are key. Everyone in your organization should undergo cybersecurity training, and those employees who handle especially sensitive documents – financial teams, HR, legal – should be educated on how invoice fraud works and warning signs to look for, including “when the terms of payment suddenly change or a vendor asks for funds to be sent to a different bank account than usual.”

One relatively simple way to protect documents – especially as you move to 100% digital operations – is to use trusted digital signatures on all important paperwork, such as contracts and invoices. A digital signature is more secure than a standard electronic signature, which does not prove the signer’s identity or protect the integrity of a document’s contents. Luckily, digital signatures are easier than ever to implement and apply, thanks to cloud-based solutions that don’t require hardware or public key infrastructure (PKI) expertise. You can read about how UK-based IRIS Software Group enables customers to securely sign tax returns and other sensitive financial documents without sacrificing the end user experience. 

You should also consider protecting your emails with S/MIME, or Secure/Multipurpose Internet Mail Extensions, which allow you to digitally sign and encrypt email communications. 

For more information specific to invoice security, download our free eBook Tackling the e-Invoicing Directive

iStock-466365997.jpg

Share this Post