How BEC scammer stole £94 m from Google & Facebook

News by Doug Olenick

Invoices from a fake supplier tallied into the tens of millions of dollars, and electronic payments were made by Google and Facebook into Latvian and Cypriot bank accounts controlled by Rimasauskas.

A Lithuanian man pleaded guilty in the US District Court for the Southern District of New York earlier this week to using an advanced business email compromise (BEC) campaign to defraud Google and Facebook out of an estimated £94 million.

Evaldas Rimasauskas was indicted in December 2016, arrested in Lithuania in March 2017 and then extradited to the United States.

The indictment states Rimasauskas used the classic BEC scam of posing as a vendor and sending the two internet giants invoices for computer equipment. Court documents state Rimasauskas registered and incorporated a company in Latvia using the same name as a well-known Taiwan-based computer products vendor, which added credibility to the emails he sent to the two companies.

According to a Tripwire report, the company copied was Quanta, which is a legitimate supplier of equipment to Google and Facebook.

The scam lasted from 2013 to 2015 during which time Rimasauskas, and possibly some compatriots, sent fake invoices requesting payment under the name of the fake company he registered, but posing as Quanta.

"Forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the victim companies, and which bore false corporate stamps embossed with the victim companies’ names, were used in furtherance of the fraudulent scheme orchestrated by Evaldas Rimasauskas," the indictment read.

The invoices tallied into the tens of millions of dollars, and electronic payments were made by Google and Facebook and some of their subsidiaries into Latvian and Cypriot bank accounts controlled by Rimasauskas. These deposits were then quickly shifted to other bank accounts spread around the world, all of which were owned by Rimasauskas.

Under the plea agreement Rimasauskas must pay restitution of US$ 49,738,559.41 (£38 million) and he faces up to 30 years in prison upon sentencing.

While the type of attack perpetrated by Rimasauskas is neither new nor rare, it is particularly effective. A recent study by Barracuda found 83 percent of spear phishing attacks use brand impersonation to confuse and trick their victims. BEC attacks based on spear phishing endeavours are not widely used, but they are amazingly lucrative, accounting for more than US$ 12.5 billion (£9.5 billion) in losses since 2013.
