A 48-year-old man from Lithuania has been charged with allegedly stealing more than $100 million from two multinational internet corporations through an email phishing scheme between 2013 and 2015.
Making the case notable is that the two corporations are a social media company and a technology company, both of which might have been expected not to fall victim to such a scheme. The names of the companies were not released by law enforcement officials.
The defendant, Evaldas Rimasauskas, of Vilnius, Lithuania, has been charged by federal prosecutors in the U.S. Attorney's Office for the Southern District of New York with one count of wire fraud and three counts of money laundering, according to a March 21 announcement by the U.S. Department of Justice.
Rimasauskas allegedly set up a fake company which used the same name as a real computer hardware maker in Asia to pull off his scheme, which involved wiring large amounts of money from the two companies to his fake company, according to prosecutors.
"From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control," acting U.S. Attorney Joon H. Kim, said in a statement. "This case should serve as a wake-up call to all companies – even the most sophisticated – that they too can be victims of phishing attacks by cyber criminals. And this arrest should serve as a warning to all cyber criminals that we will work to track them down, wherever they are, to hold them accountable."
A spokesman in the U.S. Attorney's office declined to comment further on the case when asked by ITPro.com.
For IT security administrators, the case is a reminder of the need for vigilance against such attacks, according to several IT analysts who spoke with ITPro.com.
"Part of the problem is a reliance on email security technology that has not kept up with the shift in threat landscape to include hackers with increasing sophistication, nation-state connections and motivation by monetized cyber intrusions," Neil Wynne, a secure business enablement analyst with Gartner, wrote in an email reply. "Attackers are easily bypassing these traditional prevention mechanisms."
Business email attacks have been occurring with significantly higher frequency in recent years, said Wynne. "In this type of attack, a message is sent that doesn't have any URLs or attachments but rather uses social engineering to exploit a vulnerability in the human recipient. Ultimately, the fact remains that human beings are the most vulnerable point of any information system."
To battle these kinds of phishing attacks, IT security teams must take a multipronged approach that spans technical, procedural and educational controls, he wrote. "Newer technology can be deployed to thwart messages like this from landing in an inbox, but it still should be combined with procedural and educational improvements as well."
A key tool in the security arsenal to fight such attacks is a secure email gateway (SEG), wrote Wynne. It should include anti-spam and signature-based antivirus; network sandboxing and/or content disarm and reconstruction (CDR) for advanced attachment-based threat defense; and rewriting and time-of-click analysis for advanced URL-based threat defense. It also should include detection for anomalies and display name spoofing and cousin domains as part of an advanced impostor-based threat defense (like Business Email Compromise). To satisfy corporate and regulatory policy requirements, it should also include data loss prevention (DLP) and encryption capabilities for outbound content, he wrote.
Rob Enderle, principal analyst at research firm Enderle Group, said recurring training for employees about recognizing phishing attacks can also help reduce the problem "but, over time, people tend to start thinking it will never happen to them, reducing its effectiveness."
Ultimately, companies "really need to address this with systems that prevent the activity not just attempts at behavior modification," said Enderle.