More detail here: <a href="https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested-theft-over-100-million-fraudulent-email-compromise-scheme" rel="nofollow">https://www.justice.gov/usao-sdny/pr/lithuanian-man-arrested...</a> There's a download link for the actual indictment as well.<p>He registered a company with a name very similar to an existing, legitimate computer hardware manufacturer. He then targeted companies that already had a relationship with, and already regularly paid invoices to, the company with the similar name.<p>It mentions the victims were "multinational internet companies". The indictment goes farther, saying:<p><i>"Victim-1 was a multinational technology company, specializing in Internet-related services and products, with headquarters in the United States"</i><p>and<p><i>"Victim-2 was a multinational corporation providing online social media and networking services, with headquarters in the United States"</i><p>Edit: It mentions that both victims already regularly paid multi-million dollar invoices to the computer hardware company being impersonated. So, if you're trying to guess who the victims are, they are large enough that they run on their own purchased hardware, in fairly large quantities.
I have a friend whose father is very, very wealthy. He purchases a lot of art and often actually finalizes the sales by emailing someone who works for him something to the effect of "please transfer X dollars to Y party for Z piece of artwork." A few years ago someone got access to his gmail account in what appeared to be a mass phishing attack and saw several of these emails in his sent email folder. The intruder was able to have a few million dollars successfully transferred to himself. It was several months before it was noticed and the guy was never caught.<p>My friend's father now uses two-factor auth and has whoever receives those emails confirm via phone call the next day.
People would legitimately be surprised to learn how low-tech ordering/invoicing/remittances remain in 2017, even for half-billion-dollar contracts.<p>There's very little automation; even EDI is the exception rather than the rule (particularly for one-off orders). Most are either still paper, fax, or insecure email.<p>Email remains pretty broken. You'll be lucky to get end-to-end encryption, and once it arrives it is hard to make assurances that the sender really sent it (or even the sender's domain).<p>People have tried to fix email, but nothing as ambitious as TLS/HTTPS has been. And getting people to use a more secure platform built on top of HTTPS is likely a non-starter...<p>So what can be done? I legitimately don't know. Even snail mail can be "hacked" by sending a plausible-sounding invoice to the right address at the right time.
The funny thing is that these incidents are probably what it takes for those <i>particular</i> companies to beef up their security culture. Everyone else will likely keep their heads down: "How asinine of them! This dumb thing could <i>never</i> happen to us." The truth is that without the right security processes and culture in place, it could really happen to anyone dealing with substantial value and overworked mid-level managers, a form of the principal–agent problem[1].<p>Security incidents have a stark resemblance to emergency room visits. People are so hard to sell on prevention, and they end up paying big for an ER visit.<p>[1] <a href="https://en.wikipedia.org/wiki/Principal%E2%80%93agent_problem" rel="nofollow">https://en.wikipedia.org/wiki/Principal%E2%80%93agent_proble...</a>
To me, the surprising thing is that they managed to get the bank transferred to the "correct" fraudulent accounts.<p>If you send an existing customer another invoice, but with a changed bank account number, chances are that the money goes to the same bank account as they used previously. Even if you explicitly add a note about the changed account number, chances are still very high that they use the old one.
The important bit of this for HN is that he got these companies to pay by using their sales order, invoice, and payment process, and that process is common to most companies.<p>If you have a small or an open source project you're going to struggle to get companies to pay unless you can fit their process.<p>This means that it's probably worthwhile offering a "professional" licence. This grants no extra functionality, but allows the company to put in a sales order, allows you to deliver something, and allows you to issue an invoice.
This happened to Ubiquiti a while back<p><a href="https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffers-46m-cyberheist/" rel="nofollow">https://krebsonsecurity.com/2015/08/tech-firm-ubiquiti-suffe...</a>
Ironic that we nearly went under a few times during the early days because our customers (tier 1 telecoms and financial firms) would drag their heels for months and months over invoices many magnitudes less than this.<p>Makes me wonder what's up with the process at these firms - wish we knew enough to say whether they're the exception or the rule.
There is quite a bit that could be mined from this story, but just as a start:<p>1) The most zealous and persistent phishing awareness campaigns/training I've encountered has been at large corporations. I can imagine a series of articles, if not an entire career, that is based on exploring the psychology of employees in varying organization sizes being influenced by their perceptions of the stake they feel they hold in the performance of the organization (i.e., their "ownership") and how much their actions, positive and negative, might bear notable influence.<p>Not confident I made my point clear, but the idea being I'm going to think differently about jumping up and down on a cruise ship vs. a row boat...<p>2) Putting aside the questionable application of it in this specific case, "cybercriminal" is an outmoded term that I believe actually undermines the mundane and routine nature of these crimes. Regardless of magnitude, it imbues the perpetrator and their activities with some 90s-era aura of mystery and preternatural skill—an exceptional event executed by exceptional individuals under exceptional circumstances.
This aligns well with my 2017 Nicholl Fellowship screenplay entry called "Do Unto Others" where in Act III the protagonists use their insider knowledge of International Banking and Wire Transfers to clean out the hidden stash of illicit monies hidden by disgraced Enron executives[1].<p>To me, plausibility is important in fictional works that reach for meaning or defined structure, at least where possible. I mean, I love <i>Hackers</i> but of course groan at scenes inside "The Gibson" and whatnot. This guy actually made it work - I'm impressed.<p>[1] <a href="https://www.scriptrevolution.com/scripts/do-unto-others" rel="nofollow">https://www.scriptrevolution.com/scripts/do-unto-others</a>
I saw speculation on Twitter that it was Google or Apple and Facebook. But to me, it seems like it could be any of dozens of companies based on "Internet-related services and products" and "multinational ... online social media/networking".<p>See also: affidavit [1]<p>[1] <a href="https://www.scribd.com/document/342639731/Rimasauskas-Affidavit" rel="nofollow">https://www.scribd.com/document/342639731/Rimasauskas-Affida...</a>
I would think a simple 2nd-factor check, by phone to the actual vendor, would have prevented this. For such large amounts the time involved would be worth it.
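The three defensive points the thread raises (the impersonated vendor had a near-identical name, the fraudulent invoices carried a different remittance account, and a phone call to the real vendor would have caught it) can be turned into a payment-release check. The following is an added example written for this page, not code from any commenter or from the investigation; the vendor records, domains, account numbers and invoices are constructed sample data, and the `check_invoice` rules are one reasonable policy, not a standard.

```python
"""
Added example: a pre-payment check an accounts-payable system could run on
each incoming invoice.  Policy encoded here (an assumption, not a standard):
  * remittance account differs from the one on file  -> HOLD until confirmed
    by a call to the phone number already in vendor master data (never a
    number printed on the invoice itself);
  * sender domain is a near-miss of the vendor's known domain -> flagged as a
    lookalike and, if it also carries a new account, REJECTED outright;
  * everything else that matches the master record          -> PAY.
All names, domains and account numbers below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Vendor:
    name: str
    domain: str          # domain the vendor has always invoiced from
    iban: str            # remittance account on file
    callback_phone: str  # verified number from master data, not from invoices


@dataclass
class Invoice:
    vendor_name: str
    sender_domain: str
    iban: str
    amount: float
    confirmed_by_phone: bool = False  # AP called the on-file number and confirmed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(sender_domain: str, vendor_domain: str, max_dist: int = 2) -> bool:
    """True when the sender domain is close to, but not equal to, the vendor's."""
    s, v = sender_domain.lower(), vendor_domain.lower()
    return s != v and edit_distance(s, v) <= max_dist


def check_invoice(inv: Invoice, vendors: Dict[str, Vendor]) -> Tuple[str, List[str]]:
    """Return ("PAY" | "HOLD" | "REJECT", reasons) for one invoice."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return "REJECT", ["vendor not in master data"]
    reasons: List[str] = []
    new_account = inv.iban != vendor.iban
    foreign_domain = inv.sender_domain.lower() != vendor.domain.lower()
    lookalike = is_lookalike(inv.sender_domain, vendor.domain)
    if lookalike:
        reasons.append(f"sender domain {inv.sender_domain} resembles {vendor.domain}")
    elif foreign_domain:
        reasons.append(f"sender domain {inv.sender_domain} is not {vendor.domain}")
    if new_account:
        reasons.append("remittance account differs from the account on file")
    if lookalike and new_account:
        return "REJECT", reasons  # classic impersonation pattern: refuse, do not phone
    if new_account or foreign_domain:
        if inv.confirmed_by_phone:
            reasons.append(f"confirmed by call to on-file number {vendor.callback_phone}")
            return "PAY", reasons
        reasons.append(f"hold until confirmed by call to {vendor.callback_phone}")
        return "HOLD", reasons
    return "PAY", reasons


# Constructed sample master data and invoices (hypothetical names/domains).
VENDORS = {
    "Example Hardware Inc": Vendor("Example Hardware Inc", "examplehardware.example",
                                   "DE00 0000 0000 0000 0001", "+1-555-0100"),
}
SAMPLE_INVOICES = {
    "legitimate": Invoice("Example Hardware Inc", "examplehardware.example",
                          "DE00 0000 0000 0000 0001", 2_400_000.0),
    "new_account_unconfirmed": Invoice("Example Hardware Inc", "examplehardware.example",
                                       "LV00 0000 0000 0000 0009", 2_400_000.0),
    "new_account_confirmed": Invoice("Example Hardware Inc", "examplehardware.example",
                                     "LV00 0000 0000 0000 0009", 2_400_000.0, True),
    "lookalike_same_account": Invoice("Example Hardware Inc", "examp1ehardware.example",
                                      "DE00 0000 0000 0000 0001", 2_400_000.0),
    "lookalike_new_account": Invoice("Example Hardware Inc", "examp1ehardware.example",
                                     "LV00 0000 0000 0000 0009", 2_400_000.0),
    "unknown_vendor": Invoice("Exampel Hardware Inc", "examplehardware.example",
                              "DE00 0000 0000 0000 0001", 1_000.0),
}


def run_samples() -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every constructed sample invoice; returns name -> decision."""
    return {name: check_invoice(inv, VENDORS) for name, inv in SAMPLE_INVOICES.items()}


if __name__ == "__main__":
    for name, (decision, reasons) in run_samples().items():
        print(f"{name:26s} {decision:6s} {'; '.join(reasons)}")
```

The point of the `callback_phone` field is that the confirmation number comes from master data that was established when the vendor was onboarded, so an invoice cannot steer the call to the attacker. A lookalike domain combined with a new account is rejected rather than held, because phoning in that case only wastes time on a pattern that already matches the scheme described in the indictment.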
Similar scams have targeted (medium-large, funded) startups as well.<p>Typically the attacker starts by phishing an employee, then uses information discovered through that to trick someone else in the company to initiate a wire.