An elaborate phishing attack swindled as much as $100 million from Facebook and Google, with the hackers posing as vendor companies.
The phishing attack targeted employees at Facebook and Google and tricked them into transferring up to $100 million to offshore bank accounts.
Evaldas Rimasauskas, a Lithuanian national and the alleged mastermind behind the phishing attack, was recently arrested by the Justice Department. It is alleged that for two years, between 2013 and 2015, Rimasauskas impersonated a vendor company named Quanta Computer and demanded payments for goods and services from Google and Facebook employees. He interacted with them via phishing e-mails.
Once he received the said payments, he transferred them to a number of banks located in countries such as Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. Revealed in detail by Fortune, the successful phishing attack showed not only that even large firms like Google and Facebook are vulnerable, but also that they kept silent about it even after they discovered they had been tricked.
Facebook and Google eventually recovered the lost money and are now cooperating with law enforcement to complete the investigation. However, questions are being raised about why the two companies didn’t disclose the incident to their investors after the swindling was discovered.
While the Securities and Exchange Commission requires firms to disclose significant events to their investors within four days of discovering such events, both Facebook and Google decided that the events weren’t significant enough to merit disclosure, according to anonymous sources who spoke to Fortune.
“I think companies need to be looking more broadly than that – not just at operational direct loss. Here’s the possibility of reputational damage. What does this say about internal controls over assets?” said Mary Jo White, a former head of the SEC, to Fortune.
“I understand the dynamic. You don’t want to provide a road map to future hackers into your system. But that doesn’t excuse not disclosing an event if it’s material,” she added.
A recent Verizon Data Breach Investigations Report revealed that phishing attacks across the world are on the rise, and now constitute 21% of all security incidents, thanks to an encouraging success rate of 7.3% and the fact that several victims fell for the trap not once, but twice.
“Cybercriminals concentrate on four key drivers of human behaviour to encourage individuals to disclose information: eagerness, distraction, curiosity and uncertainty. And as our report shows, it is working, with a significant increase in both phishing and pretexting this year,” said Bryan Sartin, executive director, Global Security Services, Verizon Enterprise Solutions.
“Social engineering is a common means for cybercriminals to establish a foothold. And employees are making this easy by using easy-to-guess passwords. Users, and even IT departments, are even often guilty of not changing the default passwords that devices come with, and can easily be looked up online. This means a lot of the breaches we’ve seen were avoidable, if organizations had put in place some basic security measures,” the report added.
Considering that large firms like Facebook and Google, which can afford the toughest security protocols and encryption mechanisms, are vulnerable to phishing attacks, what does that say about smaller firms that cannot afford large investments in data security? The Verizon report revealed that hackers are mostly targeting smaller businesses with fewer than 1,000 employees and are mainly exploiting weak or stolen passwords and poor security protocols.