
Facebook and Google hit with $100M BEC scam

Google and Facebook both fell victim to a scam that swindled $100 million from the two tech firms.

In March, the Justice Department announced the arrest of a man who allegedly impersonated an Asian supplier in order to swindle the money from two then-unnamed U.S. tech giants, since revealed as Facebook and Google, according to Fortune.

Authorities arrested a Lithuanian man in his 40s, Evaldas Rimasauskas, and charged him with one count of wire fraud, one count of aggravated identity theft and three counts of money laundering; he could face more than 20 years in U.S. prison.

Rimasauskas allegedly ran an elaborate business email compromise (BEC) scheme, sometimes described as a whaling attack, using forged invoices and corporate stamps to impersonate a large Asia-based manufacturer with which the tech firms regularly did business.

Authorities say that over a two-year span he tricked the companies into wiring him tens of millions of dollars, which were promptly moved into bank accounts across Eastern Europe.
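The scheme described above turns on two things an accounts-payable team can actually check: whether an invoice really comes from the vendor of record, and whether its payment instructions match the bank details already on file. The following is an added example written for this article, not code from Facebook, Google or the investigators; the vendor name, domains, IBANs and invoices are all constructed, and the screening logic (lookalike-domain scoring with difflib, Reply-To versus From comparison, and a vendor-master bank-account check) is a generic illustration rather than any company's actual control.

```python
"""Added example: screen an emailed invoice for the BEC indicators used in
vendor-impersonation fraud. All vendors, domains and invoices are constructed."""
from dataclasses import dataclass
import difflib
import email.utils


@dataclass(frozen=True)
class VendorRecord:
    """Vendor master entry; bank details are verified out of band when created."""
    name: str
    domains: frozenset   # sender domains the vendor is known to use
    iban: str            # payment account on file


@dataclass(frozen=True)
class Invoice:
    """Fields an accounts-payable team would extract from an emailed invoice."""
    vendor_name: str
    from_header: str   # raw From: header value
    reply_to: str      # raw Reply-To: header value, '' if absent
    iban: str          # payment account printed on the invoice
    amount: float


# Constructed vendor master for the example (hypothetical vendor and account).
VENDORS = {
    "Acme Manufacturing": VendorRecord(
        name="Acme Manufacturing",
        domains=frozenset({"acme-mfg.example"}),
        iban="DE89370400440532013000",
    ),
}


def sender_domain(header_value):
    """Return the lower-cased domain of an RFC 5322 address header, or ''."""
    _, addr = email.utils.parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain, known_domains, threshold=0.8):
    """Return the known domain that `domain` most closely imitates, if any."""
    best, best_ratio = None, 0.0
    for known in known_domains:
        ratio = difflib.SequenceMatcher(None, domain, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None


def screen_invoice(inv, vendors=VENDORS):
    """Return a list of (code, explanation) findings; empty means no BEC indicator."""
    findings = []
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return [("unknown_vendor", "no vendor master entry; verify before paying")]

    from_dom = sender_domain(inv.from_header)
    # With no Reply-To, replies go back to the From address.
    reply_dom = sender_domain(inv.reply_to) if inv.reply_to else from_dom

    if from_dom not in vendor.domains:
        mimic = lookalike_of(from_dom, vendor.domains)
        if mimic:
            findings.append(("sender_domain_lookalike",
                             f"{from_dom} imitates vendor domain {mimic}"))
        else:
            findings.append(("sender_domain_unknown",
                             f"{from_dom} is not a known domain for {vendor.name}"))

    if reply_dom != from_dom:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_dom}, not to sender domain {from_dom}"))

    # Normalise the printed IBAN (spacing, case) before comparing with the master.
    if inv.iban.replace(" ", "").upper() != vendor.iban:
        findings.append(("bank_details_changed",
                         "payment account differs from vendor master; confirm by "
                         "phone using the number already on file, not one in the email"))
    return findings


# Constructed sample invoices: one genuine, two modelled on vendor impersonation.
GENUINE = Invoice("Acme Manufacturing", "Acme Billing <billing@acme-mfg.example>",
                  "", "DE89 3704 0044 0532 0130 00", 1_250_000.00)
LOOKALIKE = Invoice("Acme Manufacturing", "Acme Billing <billing@acme-rnfg.example>",
                    "", "LV80BANK0000435195001", 1_250_000.00)
SPOOFED_FROM = Invoice("Acme Manufacturing", "Acme Billing <billing@acme-mfg.example>",
                       "ap-team@acme-invoices.example", "DE89370400440532013000", 98_400.00)

if __name__ == "__main__":
    for inv in (GENUINE, LOOKALIKE, SPOOFED_FROM):
        codes = [code for code, _ in screen_invoice(inv)]
        print(inv.from_header, "->", codes or "clean")
```

The genuine invoice passes; the lookalike invoice ("rn" standing in for "m" in the domain, plus a new account) is flagged twice; the spoofed-From invoice is caught only by its Reply-To. None of these checks replaces calling the vendor back on a known number before changing payment details, which is the control that would have stopped the transfers described in the article.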

"Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation," a company spokesperson told Fortune.

Google was able to resolve the incident in a similar fashion.

"We detected this fraud against our vendor management team and promptly alerted the authorities," a Google spokesperson told Fortune. "We recouped the funds and we're pleased this matter is resolved."

These kinds of attacks prey on finance departments rather than on cyber or engineering "talent," so any company, no matter how innovative, can become a victim, FireMon CTO Paul Calatayud told SC Media.

“The issue at hand is whether or not these types of events warrant disclosure,” Calatayud said. “Given that both these companies have significant amounts of money in the bank and some was recovered, as the law stands, I don't feel reporting it was necessary.”

Calatayud said there is a lack of federal-level breach disclosure laws that would eliminate the public vs. private or material vs. immaterial distinctions, and that more awareness of the issue is needed.

“We need to drive awareness; and these notifications can serve to benefit other companies,” he said. “Until we do that, we will remain debating in board rooms whether or not cyber investments are necessary or how likely attacks may be.”

He added that, as in other debates on social forums, many crimes go unreported, and this only benefits the criminals by making it easier for them to operate in the shadows.
