Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Businesses The Almighty Buck Security The Courts United States Technology

A Lithuanian Phisher Tricked Two Big US Tech Companies Into Wiring Him $100 Million (theverge.com) 129

According to a recent indictment from the U.S. Department of Justice, a 48-year-old Lithuanian scammer named Evaldas Rimasauskas managed to trick two American technology companies into wiring him $100 million. He was able to perform this feat "by masquerading as a prominent Asian hardware manufacturer," reports The Verge, citing court documents, "and tricking employees into depositing tens of millions of dollars into bank accounts in Latvia, Cyprus, and numerous other countries." From the report: What makes this remarkable is not Rimasauskas' particular phishing scam, which sounds rather standard in the grand scheme of wire fraud and cybersecurity exploits. Rather, it's the amount of money he managed to score and the industry from which he stole it. The indictment specifically describes the companies in vague terms. The first company is "multinational technology company, specializing in internet-related services and products, with headquarters in the United States," the documents read. The second company is a "multinational corporation providing online social media and networking services." Both apparently worked with the same "Asia-based manufacturer of computer hardware," a supplier that the documents indicate was founded some time in the late '80s. What's more important is that representatives at both companies with the power to wire vast sums of money were still tricked by fraudulent email accounts. Rimasauskas even went so far as to create fake contracts on forged company letterhead, fake bank invoices, and various other official-looking documents to convince employees of the two companies to send him money. Rimasauskas has been charged with one count of wire fraud, three counts of money laundering, and aggravated identity theft. In other words, he faces serious prison time of convicted -- each charge of wire fraud and laundering carries a max sentence of 20 years. The court documents don't reveal the names of the two companies. Though, one could surely think of a few candidates that would fit the descriptions provided in the court documents.
This discussion has been archived. No new comments can be posted.

A Lithuanian Phisher Tricked Two Big US Tech Companies Into Wiring Him $100 Million

Comments Filter:
  • Umm, what? (Score:5, Funny)

    by Anonymous Coward on Wednesday March 22, 2017 @10:51PM (#54093383)

    The indictment specifically describes the companies in vague terms.

    Specific and vague simultaneously?

  • Ivan Boesky did. 300 million as I recall. It was transferred to his wife, divorced, she kept it.
    He serves a year in jail, gets out, wife gifts him most of it back.

    • His wife was an heir, along with her sister, to a hotel company which owned a chain and non-chain properties including the Beverly Hills Hotel. She got $123 million from that. When they divorced, she gave him $23 million. So there wasn't anything him giving her hundreds of millions and her giving it back.

      He did pay hundreds of millions in fines and restitution. He may have managed to keep a few million in ill-gotten gains.

  • by ErichTheRed ( 39327 ) on Wednesday March 22, 2017 @11:34PM (#54093515)

    I've worked for big companies most of my career, and regular employees making purchases, signing contracts, etc. takes an act of God. I can't spend $100 on supplies without getting competitive bids. But there are apparently some very stupid people who have full unrestricted access to the bank accounts.

    How do people fall for phishing scams anymore? Everyone has to know this by now -- never trust email requesting you to do anything involving linking to a website, sending money, etc. This could have all been resolved by someone calling and asking if they should really pay this $8 million "invoice" with an irreversible wire transfer.

    It reminds me of how people were talking about the Podesta email incident as some massively complex hacking job. It wasn't -- they found out he still used Yahoo Mail and phished him. I can't believe that (a) one of the most powerful political operatives in the Clinton campaign uses Yahoo Mail, and (b) that he fell for it.

    • by PhunkySchtuff ( 208108 ) <kai&automatica,com,au> on Wednesday March 22, 2017 @11:42PM (#54093529) Homepage

      I've worked for big companies most of my career, and regular employees making purchases, signing contracts, etc. takes an act of God. I can't spend $100 on supplies without getting competitive bids.

      See, that's where you're going wrong. I've actually had clients tell me that a proposal has to be _over_ a certain dollar amount - if it's less than (for example) $50k, it's subject to a lot more oversight than, say, $1M. Small, petty cash type purchases are even more difficult, relatively speaking. Good luck trying to get approval for a new mouse for your workstation!

      • No problem. Just order 100,000 mice. That should equal at least a million dollars, and you'll never want for a mouse again!
      • There are a lot more smaller value purchases than large value. Depending on their distribution (e.g. purchases less than $100 total $1 million/yr, purchases over $100 total $500k/yr), it may make more sense to have more oversight over small value purchases.
      • by g01d4 ( 888748 )

        I've worked for big companies most of my career, and regular employees making purchases, signing contracts, etc. takes an act of God. I can't spend $100 on supplies without getting competitive bids.

        See, that's where you're going wrong. I've actually had clients tell me that a proposal has to be _over_ a certain dollar amount - if it's less than (for example) $50k, it's subject to a lot more oversight than, say, $1M.

        Regular employees don't typically have much involvement with big purchases. Due diligence h

      • by k6mfw ( 1182893 )

        See, that's where you're going wrong. I've actually had clients tell me that a proposal has to be _over_ a certain dollar amount - if it's less than (for example) $50k, it's subject to a lot more oversight than, say, $1M.

        It seems to me procurements are very mysterious. I'm constantly having to justify whatever purchase even for $100. What you suggest is proposal over a certain amount, maybe it is when high level people get this "OMG we need this capability now, buy it!" And then zoom, order screams through. Most of the time it feels technical procurements are as touchy-feely-emotional like a choreographer preparing a dance routine that will resonant with the audience.

    • what about the old sending a fake bill for domain / website services. That some time some secretary may just pay. Or even a fake power bill with some 3rd party energy supplier name on it?

    • It all boils down to the individual(s) actually cutting the checks - - - and they are often in their position simply because they are the lower-class personnel dealing with the day-to-day issues of responding to and acting upon the billing / payment section of the company. No corporate business is going to put a a 'premium salary' individual behind a desk to deal with the day-to-day issues of paying 'legitimately' billed services or 'legitimate' looking bills for services or materials. Provide a legitima

      • You don't have a clue what you're talking about. No purchase order, no payment. That's all it takes.

        • hmmmmm . Interesting. I specifically indicated that a 'bogus' PO would got through like nothing was wrong ! ! !
          WITH a bogus PO, BOS, BOL, then the payment would by pretty much rubber stamped - paid and 'gone with the wind'.
          Perhaps a few less Bud lites, or a more in-depth reading - slowly and out loud, might make my point more obvious.
          Mr (or Ms) Hognoxious as a sig pretty much begs for a 'troll' stamp - but I'll ignore the obvious and assume the best - - -
          PLEASE be a bit more polite and reasonable - and at

          • The PO originates from the customer. How does someone outside issue a bogus one?

          • I specifically indicated that a 'bogus' PO would got[sic] through like nothing was wrong ! ! !

            I don't see "PO" or "purchase order" anywhere in your post.

          • by k6mfw ( 1182893 )
            hey Ricky, maybe you didn't write PO in your original post but I think you are definitely on to something. Others have implied the same pitfalls:
            ErichTheRed writes, "I've worked for big companies most of my career, and regular employees making purchases, signing contracts, etc. takes an act of God. I can't spend $100 on supplies without getting competitive bids. But there are apparently some very stupid people who have full unrestricted access to the bank accounts."
            OrangeTide writes, "Dealing with manuf
    • by Anonymous Coward

      Rules are for little people only. Business, politics, society, you name it. If you're high enough up the food chain they're more like optional guidelines, because why give a fuck when there are no consequences?

    • by Zontar_Thing_From_Ve ( 949321 ) on Thursday March 23, 2017 @07:53AM (#54094539)

      It reminds me of how people were talking about the Podesta email incident as some massively complex hacking job. It wasn't -- they found out he still used Yahoo Mail and phished him. I can't believe that (a) one of the most powerful political operatives in the Clinton campaign uses Yahoo Mail, and (b) that he fell for it.

      Actually the email seemed suspicious to Podesta so he asked his 20-something security "expert" to look at it. Now keep in mind that probably almost all of us know to have a mouse hover over a link in an email to see where it really goes. For example, if a link supposed to go to mycompany.com actually goes to gizshiz.com or mycompanyname.ru, yeah, you should be smart enough to think those are probably not really mycompany.com. The problem was that his "expert" didn't do this. He simply looked at the email, immediately proclaimed it to be legit and insisted that Podesta immediately click on the link and change his password. Insiders refused to name the "expert" or say whether he still has a job. My guess is that he does. But Podesta correctly got suspicious and asked for help, he just put his faith in someone to help him who didn't deserve it. For all the reported use the Democratic Party made of cutting edge analytics when Obama ran for president, they seem to have really weird ideas at the very top about security. I still maintain that had Bill and Hillary used their fortunes to hire real security experts for the foundation's email server and ran something like a hardened form of BSD on it, it could have mitigated a lot of the damage of using a private server, but no, they just had to use some local 2 man operation that was basically a small, local equivalent of Geek Squad and they used them because they were nearby and cheap, not good.

      • There are plenty of stories available [nytimes.com] about the expert, including interviews with the man himself. I'm not sure I believe his story, but he did one thing right, which was provide the real Google link and advised Podesta to change his password AND enable two-factor authentication. Podesta used the link in the phishing email though, so even at best the 'expert' did a very very poor job of communication.
    • How do people fall for phishing scams anymore?

      It wasn't a phishing scam. That's just clickbait. It was fraud, complete with dummy contracts and other fraudulent documents.

    • How do people fall for phishing scams anymore? Everyone has to know this by now -- never trust email requesting you to do anything involving linking to a website, sending money, etc. This could have all been resolved by someone calling and asking if they should really pay this $8 million "invoice" with an irreversible wire transfer.

      I've done the accounting for a $2 million/yr company and I think I can answer that. When you pay your home bills you probably only have one or two dozen every month. The compa

      • by Bert64 ( 520050 )

        Another problem is the way in which legit companies do business... If legitimate companies communicate with their customers/suppliers insecurely, then it becomes easy for scammers to do so as well. The more difficult it is to identify the scams from real requests, the more likely people are to fall for the scams.

    • by Bert64 ( 520050 )

      Because legitimate companies conduct business in the exact same way - emailing invoices around and unexpected phonecalls chasing them up etc...
      Quite often larger companies have a high staff turnover so you're frequently dealing with different people each time so you'll get invoices from names you've never heard of...
      If people do their due diligence and try to verify each one then they end up behind on their work and get in trouble, especially if a payment is late and it ends up causing trouble.

    • Email is "From" the CEO, and says something like "Hey, Bob, this account somehow got missed, it's way overdue and the money has to go out TODAY! I'm in important meetings all day and am unable to talk on the phone, any questions, just reply to this email." Either the From address is to a look-alike domain, or sometimes just a gmail/hotmail/yahoo account, or something at one of the many world.com generic domains, or the From address is the real CEO's address and there's a Reply-To somewhere else.

      It doesn't

  • This wasn't some incompetent scammer with a poor grasp of English. "Rimasauskas even went so far as to create fake contracts on forged company letterhead, fake bank invoices, and various other official-looking documents to convince employees of the two companies to send him money" shows that he went to some length to look legitimate.

  • Sentences (Score:2, Insightful)

    by Anonymous Coward

    I really don't get it.

    You can kill 10 people and go to Jail, rape and kill in there too, and still get a sentence that's a fraction of the above with ability for parole. But trick an idiot company and take their money and you suddenly face up to 80 years jailtime?!

    • by darkain ( 749283 )

      money = power

    • "Up to" doesn't mean mandatory. This is a maximum sentence. The maximum penalty for murder is death. Some states have a minimum of life without parole.
    • Re:Sentences (Score:5, Insightful)

      by Kiuas ( 1084567 ) on Thursday March 23, 2017 @05:48AM (#54094185)

      You can kill 10 people and go to Jail, rape and kill in there too, and still get a sentence that's a fraction of the above with ability for parole. But trick an idiot company and take their money and you suddenly face up to 80 years jailtime?!

      And yet, if instead of scamming some 100 million from a couple of companies the guy had been working for an investment bank or a credit rating agency and created purposefully misleading derivatives to help crash the global economy to the tune of billions in damages, he'd have gotten no jail time at all. Not a single bank executive has seen jailtime for causing the 2008 crisis, even though the extent of damages makes scams like this seem like pickpocketing and it's quite clear that the banks knew exactly what they were doing.when they started creating collateralized debt obligations [wikipedia.org] from the subprime loans to circumvent the credit rating system. Quoting the wiki:

      According to the Financial Crisis Inquiry Report, "the CDO became the engine that powered the mortgage supply chain",[7] promoting an increase in demand for mortgage-backed securities without which lenders would have "had less reason to push so hard to make" non-prime loans.[8] CDOs not only bought crucial tranches of subprime mortgage-backed securities, they provided cash for the initial funding of the securities.[7] Between 2003 and 2007, Wall Street issued almost $700 billion in CDOs that included mortgage-backed securities as collateral.[7] Despite this loss of diversification, CDO tranches were given the same proportion of high ratings by rating agencies[30] on the grounds that mortgages were diversified by region and so "uncorrelated"[31]—though those ratings were lowered after mortgage holders began to default.[32][33]

      The rise of "ratings arbitrage"—i.e. pooling low-rated tranches to make CDOs—helped push sales of CDOs to about $500 billion in 2006,[14] with a global CDO market of over USD $1.5 trillion.[34] CDO was the fastest-growing sector of the structured finance market between 2003 and 2006; the number of CDO tranches issued in 2006 (9,278) was almost twice the number of tranches issued in 2005 (4,706)

      (emphasis mine)

      What it basically means is that if you tried creating a CDO using subprime loans from a single region it would have been rated badly (as it should, it's an extremely high risk product as many of the loans had been granted pretty much without any checks on the ability of the lender to pay for them), but if you take equally shitty loans from several different areas the credit rating agencies put a AAA stamp on it, because according to their logic at the time this means the default risk is now diversified, which is complete bullshit.

      This should showcase the real issue with these cases: the courts - especially in the US but also elsewhere in the West - are keen to protect the interests of corporations. Embezzlement/fraud of corporate funds will lead to heavy jail time when caught. That's why Maddof is in jail: he scammed rich folks and corporations. However at the same time the courts go so far to protect corporate interests that megacorporations themselves can pretty much act with inpunity - cause a massive oilspill or an economic meltdown and you'll get fined, and you can write that down as yet another operational cost and keep doing business as usual.

      I do not have a problem with large scale financial crime being punished heavily, because it has far reaching consequences and fines don't work against people and corporations with massive fortunes. However, the laws should be applied evenly to everyone, including the financial sector itself when it fucks up. Right now the US is basically letting WS do whatever it pleases and if shit hits the fan the costs are externalized to the taxpayer. And the City of London is no better,

      • by Anonymous Coward

        Your logic is quite faulty. If the financial institutions knew this was bad paper they wouldn't have kept hundreds of billions of dollars worth of it on their own books. See Wachovia and BofA. If the people running the financial institutions knew this was bad paper they wouldn't have invested their own money in it. See Lehman Brothers CEO Dick Fuld.

        • Re:Sentences (Score:4, Informative)

          by Kiuas ( 1084567 ) on Thursday March 23, 2017 @09:15AM (#54094969)

          If the financial institutions knew this was bad paper they wouldn't have kept hundreds of billions of dollars worth of it on their own books.

          The institutions responsible for creating said CDOs certainly knew, or at least had all the information required to know. I mean they intentionally took loans they knew would get bad credit rating and then used essentially a loophole in the regulations to get the rating higher than it should be. There's no way to argue that they didn't know what they were doing. At the same time, they obviously have to keep some of the papers themselves to maintain the appearance of it being a safe investment. I mean it'd be impossible to try and sell the subprime 'AAA' CDOs as a completely safe and a risk free product if you yourself kept none of it, it would look highly suspicious and reveal the scam to any potential buyer.

          People like Michael Burry [wikipedia.org] (a mathematician btw) were able to 'predict' the financial crisis simply by going through the contents of these instruments by hand and crunching the numbers. If a single smart investor is able to figure this out just by looking at the data, do you seriously expect me to believe the banks themselves that operated this scheme and agreed to settle and be fined for it were unaware that they were peddling bullshit? Huh? This obviously doesn't mean everyone at the banks knew what was going on, but certainly key people did, because they have to have knowledge on the kind of instruments they're themselves creating/selling. It's de facto impossible to argue that they didn't know.

          Besides, the banks involved, including Bank of America, still made money even after factoring in the settlements they've had to pay since. The six largest players in the scheme have been fined approximately 150 billion for the scandal, while their combined profit over that time (2007-2014) totaled around 700 billion, that's the whole point of the argument I was making: the banks knew what they were up to, provably so, and they also knew they'd be able to turn a profit even if the scheme collapsed because by that time they'd have sold off most of these products.

      • Not a single bank executive has seen jailtime for causing the 2008 crisis, even though the extent of damages makes scams like this seem like pickpocketing and it's quite clear that the banks knew exactly what they were doing.when they started creating collateralized debt obligations [wikipedia.org] from the subprime loans to circumvent the credit rating system.

        I think at least one of the CEOs of the three nationalized Icelandic banks is in prison.

        It's an Icelandic prison, of course, so it's not quite the same as a US prison...

        https://www.bloomberg.com/news... [bloomberg.com]

      • by AmiMoJo ( 196126 )

        Not entirely true, some bankers in Iceland went to jail. So far I think they are the only country with the balls to jail those responsible.

      • by TroII ( 4484479 )

        It's a good thing Trump is putting so many Goldman Sachs executives in his administration. Soon we'll be making recessions great again! We're going to have the biggest financial crisis, folks, it'll be tremendous!

    • Nobody's goling to jail for 80 years; to think he may is to misunderstand American justice at work.

      The 80 years is the stick; the carrot is the plea bargain. If you refuse to cooperate they may try you with whatever relevant charge and with the prosecution's sentencing recommendation of 80 years, but there will be some rather attractive options given the accused. If he pleads guilty and admits his role, they probably will counter with a maximum of ... well, who knows, but for the sake of argument ... ten ye

  • by wkwilley2 ( 4278669 ) on Thursday March 23, 2017 @02:00AM (#54093745)

    I'm betting more on Google and Facebook respectively.

  • From at least in or around 2013 through in or about 2015...

    He was initially successful, acquiring over $100 million in proceeds that he wired to various bank accounts worldwide. But his footprint would eventually lead investigators to the truth,

    So what amount is sufficient to walk away? 100M in two years?
    I guess for some, it's the thrill of the chase, not the actual kill

  • At a former employer I had my financial people well trained. If an email looked even mildly suspicious they'd call we in the I.T. /InfoSec group before doing anything. And I railed on the web developers that having an about page that listed everyone by full name with photo and title was a really BAD idea.
  • Comment removed based on user account deletion
  • that he could do it all alone, without at least some cooperation from inside.
  • I am not surprised that tech companies fall for this. Dealing with manufacturing in Asia is already a process that feels sketchy as hell, and we often wonder if we'll ever see the money again when we setup a manufacturing agreement because the process feels so ad hoc. It wouldn't take much for a conman to insert himself into this process without arousing suspicions.

  • I'm guessing the spoofed company is Quanta. There's a lot of surplus last-gen equipment on eBay (meaning companies would be upgrading), and I believe Facebook used them as an OEM for their Open Compute nodes (Quanta Mindmill). Not sure who else uses Quanta OEM in particular, but some of their switches appear to be reference designs for Dell, etc.

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...