Hacker Evaldas Rimasauskas, 48, of Vilnius, Lithuania, was arrested last month and charged with stealing more than $100 million from Facebook and Google, according to a Fortune report.
The U.S. Department of Justice announced the arrest on March 21 without naming the companies affected.
According to the Justice Department, Rimasauskas incorporated a company in Latvia that had the same name as an Asian hardware manufacturer, then targeted the two victim companies, both of which regularly conducted transactions with the hardware manufacturer, with phishing emails.
The phishing attacks successfully tricked the victims into wiring over $100 million in funds to the Latvian company.
Rimasauskas then transferred the stolen funds into separate bank accounts in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.
A Wake-Up Call for Companies
“This case should serve as a wake-up call to all companies — even the most sophisticated — that they too can be victims of phishing attacks by cyber criminals,” Acting U.S. Attorney Joon H. Kim said in a statement. “And this arrest should serve as a warning to all cyber criminals that we will work to track them down, wherever they are, to hold them accountable.”
Fortune identified the two companies as Google and Facebook, both of which confirmed that they had been targeted.
“Facebook recovered the bulk of the funds shortly after the incident and has been cooperating with law enforcement in its investigation,” a Facebook spokesperson told Fortune.
“We detected this fraud against our vendor management team and promptly alerted the authorities,” a Google spokesperson said. “We recouped the funds and we’re pleased this matter is resolved.”
Rimasauskas is currently in Lithuania, awaiting extradition to the United States. His lawyer, Linas Kuprusevicius, told Fortune that he denies the allegations and believes he can’t expect a fair trial in the U.S.
“The uncertainty is further increased taking into account the behavior of FBI agents during the interrogations of Mr. Rimasauskas, frightening him with long years in U.S. prisons, and the transfer of computers to U.S. law enforcement officials, which was made without the presence of the owner,” Kuprusevicius said.
The Importance of Security Training
Tripwire senior systems engineer Paul Norris told eSecurity Planet by email that phishing continues to be an effective attack method because both humans and software have trouble identifying a well-crafted phishing email.
“However, the bigger problem across the board is user awareness,” Norris said. “Organizations should implement training programs that help their users understand aspects of spam, phishing and malware. A little bit of training can go a long way in this area.”
A recent CompTIA survey of business and technology executives at 350 U.S. companies found that 58 percent of companies offer security training during new employee orientation, 46 percent perform random audits, and 35 percent offer “live fire” hands-on labs.
Only half of all companies offer training on an ongoing basis, and just 33 percent feel that they have a very high level of security understanding within the organization.
“In a rapidly changing environment, simple one-time efforts such as new employee orientation or posting security policies for review will have low efficacy,” the CompTIA report states. “Instead, businesses must consider comprehensive security training programs; ideally, these programs will assess the level of security awareness and will be customizable for industry and job role.”