Man charged with $100m ‘whaling’ attack on two US tech giants

US officials have charged a 48-year-old Lithuanian man in connection with attacks on two big US tech companies that cost them $100m.

Evaldas Rimasauskas allegedly masqueraded as an Asian-based computer hardware manufacturer to trick the companies’ employees into transferring money into accounts that he controlled, said the US Attorney’s office for the southern district of New York.

The unsealed indictment didn’t name names, identifying the victim companies only as “a multinational technology company” and “a multinational online social media company”.

According to the Department of Justice (DOJ), Rimasauskas, from Vilnius, was arrested in Lithuania last week. From at least 2013 until sometime in 2015, he allegedly registered and incorporated a company in Latvia that had the same name as the Asian-based vendor, which was a legitimate business partner of the two victimized companies.

Rimasauskas allegedly had the funds wired to bank accounts in Latvia and Cyprus. From there, he allegedly shuffled the funds quickly into banks throughout the world, including in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.

It was a thorough scam: he allegedly came up with forged invoices, contracts, and letters that looked like they’d been executed and signed by executives and agents of the two companies.

The documents, which also bore fake corporate stamps embossed with the companies’ names, were submitted to banks to corroborate the big sums that were fraudulently transmitted via wire transfer. In total, Rimasauskas is charged with swindling more than $100,000,000.

Rimasauskas was charged on Tuesday with one count of wire fraud and three counts of money laundering. Maximum sentences are rarely handed out, but each of those charges carries a maximum sentence of 20 years in prison. If he’s convicted, he’ll serve time: Rimasauskas is also charged with one count of aggravated identity theft, which carries a mandatory minimum sentence of two years in prison.

The attacks Rimasauskas has been charged with are called whaling attacks or CEO email scams. The FBI calls them Business Email Compromise, because they use phony emails that appear to come from a colleague or from a trusted supplier.

Whatever you call them, they’re a type of phishing attack targeted at the biggest fish, with carefully crafted emails sent to senior executives, managers, financial controllers or others who might hold the purse strings at large, lucrative organizations.
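The two ingredients the indictment describes, a sender that looks like a trusted supplier and a request that diverts payment, are both things an accounts-payable mailbox can be screened for automatically. The following is an added example, not code from the article or from any of the companies it mentions; the supplier allow-list, domain names and message text are constructed, and the heuristics are illustrative rather than a complete BEC control.

```python
"""Screen an inbound message for supplier-impersonation (BEC / whaling) indicators.

Added example, not from the article. Assumes the organisation keeps an allow-list
of known suppliers, keyed by the display name finance staff expect to see, with the
sending domain each supplier actually uses. All names and domains below are constructed.
"""
from email.utils import parseaddr

# Constructed allow-list: expected display name -> registered sending domain (hypothetical).
KNOWN_SUPPLIERS = {
    "quanta hardware co": "quanta-hw.example",
}

# Phrases that commonly accompany a request to redirect payment (illustrative list).
PAYMENT_CHANGE_PHRASES = (
    "new bank account",
    "updated banking details",
    "change of beneficiary",
    "wire to",
)


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (e.g. 'rn' standing in for 'm')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def screen_message(from_header, subject, body, reply_to=None):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    display_name, address = parseaddr(from_header)
    sender_domain = _domain(address)

    # 1. Display name claims to be a known supplier, but the domain is not the one on file.
    expected = KNOWN_SUPPLIERS.get(display_name.strip().lower())
    if expected and sender_domain != expected:
        if _levenshtein(sender_domain, expected) <= 2:
            findings.append(("lookalike_domain", f"{sender_domain} resembles {expected}"))
        else:
            findings.append(("domain_mismatch", f"{sender_domain} is not {expected}"))

    # 2. Replies would go somewhere other than the apparent sender.
    if reply_to:
        _, reply_address = parseaddr(reply_to)
        if _domain(reply_address) != sender_domain:
            findings.append(("reply_to_mismatch", f"replies routed to {_domain(reply_address)}"))

    # 3. The message asks to change where money is sent.
    text = f"{subject} {body}".lower()
    for phrase in PAYMENT_CHANGE_PHRASES:
        if phrase in text:
            findings.append(("payment_change_language", phrase))
            break

    return findings


if __name__ == "__main__":
    # Constructed sample: a lookalike domain plus a request to redirect payment.
    sample = screen_message(
        "Quanta Hardware Co <billing@quanta-hw.exarnple>",
        "Updated banking details",
        "Please wire future payments to our new bank account.",
    )
    for code, detail in sample:
        print(f"{code}: {detail}")
```

A message that trips the first or second check on its own is worth a phone call to the supplier on a number already on file; one that trips the third as well is the pattern described in the indictment and should never be actioned from the email alone.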

In the 10 months leading up to August 2015, whaling attacks cost businesses around the world more than $1.2bn, according to the FBI.

We don’t know which multinational tech behemoth got whaled this time around, but we know of plenty of other companies who’ve been harpooned.

Mattel was one: last year, the toymaker wired out $3m to a hacker’s Chinese bank account and got it back thanks to sheer dumb luck and the good timing of a bank holiday.

As The Register reports, other victims include Ubiquiti, which lost $46.7m in June last year; Belgian bank Crelan, which lost $78m in January; Accenture, Chanel, Hugo Boss, HSBC, and countless smaller victims.

How do I get this harpoon out of my blubber?

The FBI recommends that any company victimized by a whaling attack act quickly.

Regardless of where you are, you should contact your own financial institution immediately and request that they contact the financial institution where the fraudulent transfer was sent.

Then, report it to your country’s cybercrime authorities.

If you’re in the US, contact the FBI and file a complaint, regardless of dollar loss, with the Internet Crime Center (IC3).

In the UK, use Action Fraud. In Australia, you can report cybercrime to the Australian Cybercrime Online Reporting Network, or ACORN.

Oh, and consider getting your top executives to use two-factor authentication (2FA) for their email accounts, to make it harder for crooks to dig into their email traffic remotely, or to send emails right from their account.

Your execs will find that it takes very slightly longer to log in when they’re on the road, and we all know that time is money…

…but, then, unexpected money transfers of seven-digit girth are money, too.
