Evaldas Rimasauskas, a Lithuanian national who targeted employees at Google and Facebook with spear-phishing attacks by impersonating a vendor company and swindled $121 Million (£92 million) from both companies between 2013 and 2015, has pleaded guilty in a U.S. District Court in Manhattan for his crimes.
Between 2013 and 2015, Rimasauskas impersonated a vendor company named Quanta Computer and demanded payments for goods and services from Google and Facebook employees. He interacted with them via phishing e-mails.
Once he received the said payments, he transferred the money to a number of banks located in countries including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. The successful phishing attack not only revealed that even large firms like Google and Facebook are vulnerable, but also that they kept silent about it even after they discovered they had been tricked.
Google and Facebook eventually recovered the lost money and have since been cooperating with law enforcement to complete the investigation. However, questions are being raised on why the two companies didn't disclose the fact to their investors after the swindling was discovered.
Rimasauskas pleads guilty to conning Google and Facebook
Appearing at the U.S. District Court, Rimasauskas agreed to forfeit $49.7 million, even though he was not accused of carrying out these crimes alone. The prosecutors told the court that Rimasauskas "created the infrastructure to further the fraudulent transfers" by opening bank accounts in Latvia and Cyprus and signing fake contracts and documents to enable the wire transfers.
The extradition, arrest, and subsequent incarceration of Rimasauskas should serve as a shot in the arm for international efforts to bring to book cyber criminals who use the safety of international borders to carry out large-scale fraud and other cyber crimes.
The approach adopted by Rimasauskas to swindle large companies out of millions in cash is one that is frequently used by cyber criminals who rely on phishing tactics to lure employees into making wire transfers rather than using brute-force attacks to steal money.
Phishing continues to remain hackers' weapon of choice
In September 2017, a scammer conned MacEwan University in Canada out of 11.8 million CAD after he convinced employees to change payment details for a vendor using email communications. After the phishing attack was discovered, the university said that "controls around the process of changing vendor banking information were inadequate, and that a number of opportunities to identify the fraud were missed."
Last year, Action Fraud sounded an alert about an elaborate domain-spoofing operation carried out by cyber criminals who created duplicate web domains of well-known UK universities and used such domains to defraud British and European supply companies out of vast sums of money.
"Fraudsters are registering domains that are similar to genuine university domains such as xxxxacu-uk.org, xxxxuk-ac.org and xxxacu.co.uk. These domains are used to contact suppliers and order high-value goods such as IT equipment and pharmaceutical chemicals in the university’s name," the watchdog said.
According to Action Fraud, fraudsters behind the operation caused losses of over £350,000 to unsuspecting suppliers. "This type of fraud can have a serious impact on businesses. This is why it’s so important to spot the signs and carry out all the necessary checks, such as verifying the order and checking any documents for poor spelling and grammar," said Pauline Smith, director of Action Fraud.
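The checks Action Fraud recommends can be partly automated on the supplier side. The following is an added example, not code from the article or from Action Fraud: it classifies the sender domain of a purchase order or payment-change request against a constructed allowlist of genuine customer and vendor domains, flagging both the ".ac.uk" imitation patterns quoted above (xxxxacu-uk.org, xxxxuk-ac.org, xxxacu.co.uk) and near-miss spellings of a known vendor such as the Quanta impersonation. The allowlist entries and the similarity threshold are assumptions.

```python
from difflib import SequenceMatcher

# Constructed allowlist (assumption): domains the accounts team has verified out of band.
GENUINE_DOMAINS = {"example.ac.uk", "quanta-vendor.example"}

# Fragments that imitate the ".ac.uk" academic suffix inside the organisation label
# of a non-academic domain, matching the patterns Action Fraud described.
FAKE_ACADEMIC_FRAGMENTS = ("acu-uk", "ac-uk", "uk-ac", "acuk")

# How close a label must be to a genuine one before it is treated as an impersonation.
SIMILARITY_THRESHOLD = 0.8


def registrable_label(domain: str) -> str:
    """Return the label a reader sees as the organisation name.

    'example.ac.uk' -> 'example', 'xxxxacu-uk.org' -> 'xxxxacu-uk'.
    Only the common UK two-part suffixes are handled here; a production
    check would use the public suffix list.
    """
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and parts[-1] == "uk" and parts[-2] in {"ac", "co", "org", "gov"}:
        return parts[-3]
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender_domain(domain: str, genuine=GENUINE_DOMAINS) -> str:
    """Return 'genuine', 'lookalike' or 'unknown' for the sender's domain."""
    d = domain.lower().strip()
    if d in genuine:
        return "genuine"
    label = registrable_label(d)
    # A domain outside ac.uk whose label embeds an ac.uk-style fragment
    # (or ends in 'acu', as in xxxacu.co.uk) is imitating a university.
    if not d.endswith(".ac.uk") and (
        label.endswith("acu") or any(f in label for f in FAKE_ACADEMIC_FRAGMENTS)
    ):
        return "lookalike"
    # A label that is close to, but not equal to, a verified customer or
    # vendor label (e.g. a digit swapped for a letter) is treated as impersonation.
    for g in genuine:
        if SequenceMatcher(None, label, registrable_label(g)).ratio() >= SIMILARITY_THRESHOLD:
            return "lookalike"
    return "unknown"
```

An "unknown" verdict is not a pass: it means the domain is simply not on file, and the order or bank-detail change still needs the out-of-band verification the article describes.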