Darknet Diaries - 124: Synthetic Remittance
Episode Date: September 20, 2022

What do you get when you combine social engineering, email, crime, finance, and the money stream flowing through big tech? Evaldas Rimašauskas comes to mind. He combined all these to make his big move. A whale of a move.

Sponsors

Support for this show comes from Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and get a special offer.

Support for this show comes from Axonius. The Axonius solution correlates asset data from your existing IT and security solutions to provide an always up-to-date inventory of all devices, users, cloud instances, and SaaS apps, so you can easily identify coverage gaps and automate response actions. Axonius gives IT and security teams the confidence to control complexity by mitigating threats, navigating risk, decreasing incidents, and informing business-level strategy — all while eliminating manual, repetitive tasks. Visit axonius.com/darknet to learn more and try it free.
Transcript
Hey, this is Jack, host of the show.
I'm a little under the weather this week,
so this will be a short episode.
I don't want to leave you hanging,
but I also don't have it in me to deliver
an hour's worth of stories for you.
So I'm sorry, but I hope you like the episode anyway.
Warren Buffett has been one of the top 10 richest people
in the world for quite a while now.
He got rich mostly from investing,
and his main strategy is to invest in wonderful companies at a fair price.
And one day Jeff Bezos asked him,
well, your investment thesis is so simple,
why doesn't everyone just copy you?
And Warren Buffett said, because nobody wants to get rich slow.
If you look around the internet,
you'll see loads of get-rich-quick schemes,
people claiming to make over $500,000 a year,
and if you buy their training course, you too can learn the secrets of their success. And there's so many others. But this
story is about a guy who had a brilliant get rich quick scheme that actually worked.
These are true stories from the dark side of the internet.
I'm Jack Rhysider.
This is Darknet Diaries.
This episode is sponsored by Delete.me. I'll see you next time. numbers, addresses, family members, where you work, what kind of car you drive. It's endless, and it's not a fair fight. But I realized I don't need to be fighting this alone anymore.
Now I use the help of Delete.me. Delete.me is a subscription service that finds and removes
personal information from hundreds of data brokers' websites and continuously works to
keep it off. Data brokers hate them because Delete.me makes sure your personal profile
is no longer theirs to sell. I tried it, and they immediately got busy scouring the internet for my name
and gave me reports on what they found.
And then they got busy deleting things.
It was great to have someone on my team when it comes to my privacy.
Take control of your data and keep your private life private
by signing up for Delete.me.
Now at a special discount for Darknet Diaries listeners.
Today, get 20% off your Delete.me plan
when you go to joindeleteme.com/darknetdiaries and use promo code darknet at checkout. The only way to
get 20% off is to go to joindeleteme.com/darknetdiaries and enter code darknet at checkout.
That's joindeleteme.com/darknetdiaries. Use code darknet.
Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
I know a few people who work over there, and I can vouch they do very good work.
If you want to improve the security of your organization, give them a call.
I'm sure they can help.
But the founder of the company, John Strand, is a teacher.
And he's made it a mission to make Black Hills Information Security
world-class in security training.
You can learn things like penetration testing,
securing the cloud, breaching the cloud,
digital forensics, and so much more.
But get this, the whole thing is pay what you can.
Black Hills believes that great intro security classes
do not need to be expensive,
and they are trying to break down barriers
to get more people into the security field.
And if you decide to pay over $195,
you get six months access to the MetaCTF Cyber Range,
which is great for practicing your skills
and showing them off to potential employers.
Head on over to blackhillsinfosec.com to learn more about what services they offer and find links to their
webcasts to get some world-class training. That's blackhillsinfosec.com. Blackhillsinfosec.com.
Facebook is a company that knows how to make money.
In 2012, their revenue for the year was $5 billion.
That's a lot of money.
They are incredibly profitable.
And it's the kind of money that makes you wish,
maybe I should start a business to get that rich too.
But no.
No, no, no, no, no, no, no.
That's way too hard.
Building a unique website, marketing it,
getting users and waiting for it to grow crazy big,
all that takes a long time and a lot of energy.
And you have to be really lucky too.
Facebook was started in 2004
and it took them over five years
before they began to make any kind of profit.
Who has five years to sit around waiting to get rich?
Facebook does not have a get-rich-quick scheme,
but they did get rich over time, really rich.
Five billion dollars in revenue in 2012 is a lot of money to flow through the coffers
over at One Hacker Way in Silicon Valley.
Who's counting all that money?
Who's got control of that?
Well, a lot of people.
A company like that probably has scores of people who have purchasing power.
Perhaps a lot of employees have company credit cards to pay for travel or training.
Or managers might have a checkbook to buy major things
like renting a new office space,
or leasing company vehicles,
or purchasing another company.
In 2012, we heard this on the ABC Nightly News.
Instagram, a company with only 13 employees,
bought today by Facebook for $1 billion.
Whoa.
How does that make you feel? When you hear that Facebook bought another
company for a billion dollars, what goes through your mind? I mean, news like that makes me stop
and think for a moment. My hand goes up to my chin and I start gazing out the window. That's a lot of money. A guy named Evaldas
Rimašauskas heard that news and it put him in deep thought too. He was 43 years old in 2012
and was living in Vilnius, the capital of Lithuania. The thing that ran through his head
was, who wrote that check? Who's the person in Facebook that has the ability to write a one
billion dollar check? Was it Mark Zuckerberg himself? Surely no. He must have people to do
that. And those people must listen to Mark when Mark says, hey, can you write a check for a
billion dollars? We just bought another company. Yes, Mr. Zuckerberg, right away, Mr. Zuckerberg.
Whoever has that power to write those checks must be really trusted over at Facebook.
See, Evaldas had been learning a lot about how checks work during that time.
He was fascinated with the whole system.
A little piece of paper with the right numbers and signatures on it
is all you need to take money from someone else.
Evaldas was interested in different scams and thefts
that you could do with checks and bank accounts
and money processing centers.
He heard about how some people make bogus checks
and how payroll fraud works
and other ways to steal money from companies.
And I imagine Evaldas had some small wins during all this.
I don't know what, though.
But my guess is that he
probably started where a lot of other people like him start, with buying stolen credit cards online
and then cashing them out and taking the money from them. But these kind of schemes only make
you like a few hundred dollars at a time. You really have to work your tail off to make big
bucks from this. And maybe that's what he was doing when he heard this news.
Bought today by Facebook for $1 billion.
Billion dollars. Billion dollars.
Billion dollars.
$1 billion.
Evaldas didn't want to bother with petty $200 thefts.
He wanted a piece of these big time deals that Facebook was making.
But how?
It's not like he has a wildly popular photo sharing app
that he can sell to Facebook for a billion dollars. Hmm. He began to think about it. With all this
money flowing in and out of Facebook, there has to be a way to somehow steal some of that,
or scam a piece of it for himself. He needed more information.
He rounded up a few people to help him,
and he told them, hey, call up Facebook and try to figure out who's writing these huge checks
and what companies they're writing checks to.
His buddies were like, huh?
Call up Facebook and what?
The end goal seemed impossible.
How can you just call up Facebook and ask,
who's writing the checks over there,
and where are you writing them to?
You can't.
You're going to get nowhere fast if you do that.
So they had to do it piece by piece
and slowly social engineer their way into the company to get this information.
At first, they called up Facebook's customer support
and maybe they asked basic questions like,
what's the number to the accounting department?
Or if I have an unpaid bill and Facebook owes me money, who should I talk to?
Or maybe his team just looked on LinkedIn to see who's working in the finance and accounting departments over at Facebook.
And surely it would be a huge help to know who's who over there.
And maybe from there, you can guess someone's email address.
Like maybe it's just firstname.lastname at facebook.com? I don't know.
But if the email is guessable, you could use that to try to gather more information from someone
there. Maybe by emailing them and asking them just for a basic piece of information. But when they
reply, boom, their phone number might show up right in the footer of the email. And now you can call
them and try social
engineering them to give you more information. This is how Evaldas was chipping away at all the
layers of security within Facebook and all these little pieces of information can add up to give
you quite a detailed understanding of the internal operations of their business.
And if you know who Facebook is doing business with, like maybe partners or contractors,
then maybe you can attack this from the other side too.
Like if you hear on social media that Facebook has contracted with company XYZ,
then you can call up company XYZ and try to social engineer them.
Like maybe you ask them, who over at Facebook is paying invoices?
Or something like that.
All these bits of information add up to be really helpful when trying to scam a company.
And the more Evaldas and his team scraped this information together,
the more he understood about what options there were.
After a while, they had a pretty good understanding of the social and accounting infrastructure within Facebook.
And during
all this, Evaldas learned that Facebook does a lot of business with a company called
Quanta Computer. Welcome to the Quanta Resource MFG team. Quanta Manufacturing Nashville repairs
and refurbishes tablets and point-of-sale devices, as well as builds servers and provides cloud computing services. Our customers include
the world's largest online retailer and the world's largest social media company.
This was it. Knowing this gave Evaldas all the information he needed to make his move.
His big idea was that he was going to pose as Quanta Computer and issue an invoice
to Facebook to pay a bill. And he hoped Facebook would pay him instead of Quanta. But in order for
this to work, he had to make everything look really good. All the information he collected
earlier was going to come into play here.
First, he set up a company called Quanta Computer, the exact same name.
See, the real Quanta Computer is in Taiwan.
He set his Quanta Computer company up in Latvia and Cyprus and then opened bank accounts under that name.
Then he somehow got a hold of a real Quanta Computer invoice
and knew exactly who was paying these invoices over at Facebook.
He altered the invoice to simply change where the payment should be sent,
which was to his bank instead of theirs.
Now, you would think this might be enough,
a fake invoice that looks exactly like the real one,
but with one minor thing changed,
and you know exactly who pays these invoices over at Facebook.
But Evaldas took this
a step further, conducting what's called a BEC scam. BEC stands for business email compromise.
But I can't stand that term, because there's nothing actually compromised here. BEC is
basically a phishing attack, but you're posing as someone that the victim knows already. So the problem here is,
if Evaldas just sent an email to Facebook saying, pay this bill, what email address should he use?
He's not going to use his personal email address
because that would be a huge red flag.
You'd hope someone at Facebook would notice
who sent him the invoice
and realize it wasn't someone from Quanta.
And you can't use something like quantacomputer at gmail.com
because that's not what Quanta's emails look like either.
So Evaldas had to figure out who at Quanta typically sends these invoices out
so he could look as close as he could to them.
And I'm not sure exactly what he did here,
but my guess is he probably registered a domain that was very similar to Quanta's actual domain and made his email look super close to it with maybe one letter off.
And once he had all this set up, he was ready.
He had his fake invoice, his fake domain, and fake business all set up. And he put it together and sent the email to the right person at Facebook, telling them to update where payments should be sent when paying bills for Quanta.
And the person at Facebook saw this email and fell for it,
making the change so that the payments are now sent to Evaldas' bank
instead of the real Quanta's bank account.
And not too long after that, he got a notice from his bank that said,
a large deposit has been made into your account from Facebook. It worked. I don't know how much this payment was for, but it was a
lot. Maybe a few hundred thousand dollars, maybe more. This was a huge win for Evaldas and his team.
They got their piece of the Facebook riches. What a rush that must have been. But hey, if it worked once, could it work
a second time? And yeah, sure enough, money kept rolling in from Facebook. Every time they'd go to
pay a Quanta bill, they'd end up paying Evaldas instead. Incredible. And then he noticed something.
Quanta also does business with Google.
And Google is also a massive company with billions of dollars going in and out.
So he decided to social engineer his way into Google and learn how their financial infrastructure was set up.
And then he was able to trick someone at Google to send him money instead of Quanta. And because his system was so meticulously detailed
and planned out, Google also fell for it and started paying him too. Talk about a passive
income scheme. Quanta would do all the work and he would get all the pay from it. Now, Quanta also
does a lot of business with Apple and Amazon too. And I'm not sure if Evaldas knew that,
or maybe he tried to get into those companies too.
But at this point, Evaldas and his team had made millions of dollars off of Facebook and Google,
which is just unreal.
This get-rich scheme was working amazingly well.
And it's kind of hilarious to just take a step back for a moment and look at this from a distance.
He sent fake invoices to Facebook and Google, and they just paid them.
And he was making millions of dollars from these fake bills.
It's a crazy story.
Oh, and he had a whole system to clean the money too.
Remember those bank accounts Evaldas set up in Latvia and Cyprus? Well, after Google and Facebook had wired money to these accounts,
Evaldas would then spring into action,
sending the money to even more accounts in banks around the world.
Slovakia, Lithuania, Hungary, and Hong Kong.
Moving the money around would make it harder to track where it ultimately would end up, which was in Evaldas' pockets.
And if any representative of these banks raised an eyebrow at these massive transfers,
Evaldas would just send them fake legal documents that made it look like his money laundering scheme
was just normal business dealings. So Evaldas was doing great, making tons of money from this
BEC scam that he had set up. Over the next two years, he extracted $23 million from Google
and a whopping $98 million from Facebook. Things were better than good for him. They were going great.
And his system for laundering money
by moving it around different banks was working well too.
Everything felt pretty secure for him.
Until one tiny detail he overlooked came into light.
At some point, someone at Google or Facebook noticed this scam.
I bet it was Quanta calling them up like,
where's our money?
And they must have been like, uh-oh,
when they realized that they'd been tricked
into sending it to the wrong place.
So someone started investigating this
and they were tracing the footsteps.
And they saw that they had wired all the money
to a bank in Cyprus.
Then they looked to see which email it was
that switched banks.
And this made them realize,
oh, it was a domain that wasn't exactly the same when we got this email.
One that looked like Quanta's, but really wasn't.
Okay, so the next question then is, who owns this lookalike domain?
To figure that out, you can do a whois lookup on a domain.
It'll tell you who registered it and who controls it.
And this is where Evaldas made his mistake. He registered it under his own personal email address.
And it all unraveled from there.
After consulting internally, the employee notified the FBI,
and with millions of dollars stolen, the FBI jumped right into action,
first freezing Evaldas' funds so they couldn't be transferred anywhere.
And then the FBI started gathering all the evidence they could,
which was actually a vast paper trail of phony invoices and contracts that Evaldas had so
carefully crafted. Evaldas didn't know it, but the paper trail led right to him in Lithuania.
The Lithuanian authorities arrested Evaldas. From there, he was extradited to New York to be tried. Evaldas pleaded
guilty to wire fraud. And two years later, in 2019, he was sentenced to five years in prison,
plus a hefty bill for $26 million. With the help of the government, Google and Facebook were able
to recover a bulk of their losses and hopefully learn some lessons from all this. Oh, and I don't know
what happened to Evaldas' co-conspirators. Well, this scam caused two companies to take a massive
hit. That was only a drop in the bucket. Between 2013 and 2019, the Internet Crime Complaint Center
received reports of over $10 billion in losses from similar BEC scams like this.
We're talking spoofed emails, spear phishing, malware attacks,
all with the intention of getting a company to send payments to the wrong person.
This is not a new attack, but it's certainly becoming a popular one.
And it's adding up to be quite a lot of damage to a lot of businesses.
It's important for businesses of every size to take protective measures to defend against this. And I imagine the more profitable your company is, the more likely
you'll be targeted by thieves trying to steal some of your profits. But what's scary here
is that a small, clever team outsmarted the sophisticated security team at Google,
who sees a massive amount of attacks every day. And you might say, well, this is not a hacking incident,
so how could the security team even help defend against this?
Well, there are a lot of tools that are getting better
at detecting this sort of thing, such as identifying
when a lookalike domain has emailed you,
or tools that just do basic domain reputation checking
and then quarantine any emails that just don't look right.
But this story should also remind us
that security is everyone's responsibility in a company.
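The lookalike-domain and "update where you pay us" checks Jack describes, as an added example that is not from the episode or any vendor's tool. The trusted vendor domains and the sample messages are constructed placeholders (not Quanta's real domain), and the homoglyph table and the two-edit threshold are assumptions a team would tune for its own vendor list.

```python
import re
from email.utils import parseaddr

# Constructed sample: vendor domains accounts payable already has on file (placeholders).
TRUSTED_VENDOR_DOMAINS = {"quantacomputer.example", "partner-supplier.example"}

# Common look-alike swaps; multi-character keys first so "rn" -> "m" is undone before single characters.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# "update ... bank", "change ... wire instructions", etc. within 40 characters of each other.
PAYMENT_CHANGE = re.compile(
    r"\b(update\w*|change\w*|new)\b.{0,40}\b(bank|account|remit\w*|wire|payment\w*)\b", re.I | re.S)


def normalize(domain: str) -> str:
    """Lower-case and undo the homoglyph swaps above."""
    d = domain.lower().rstrip(".")
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; 1 or 2 means 'one letter off' from a real vendor."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain part of 'Display Name <user@domain>' or a bare address."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str, trusted=TRUSTED_VENDOR_DOMAINS):
    """Return ('trusted' | 'lookalike' | 'unknown', closest trusted domain or None)."""
    if domain in trusted:
        return "trusted", domain
    norm = normalize(domain)
    for t in trusted:  # equal after folding, or within two edits of a real vendor
        if norm == normalize(t) or levenshtein(norm, normalize(t)) <= 2:
            return "lookalike", t
    return "unknown", None


def assess_email(from_header: str, body: str, trusted=TRUSTED_VENDOR_DOMAINS) -> dict:
    """Score one inbound message for the 'pay us somewhere new' pattern."""
    domain = sender_domain(from_header)
    verdict, closest = classify_domain(domain, trusted)
    wants_change = bool(PAYMENT_CHANGE.search(body))
    if verdict == "lookalike" and wants_change:
        risk = "high"    # quarantine; confirm with the vendor on a number already on file
    elif verdict == "lookalike" or (verdict == "unknown" and wants_change):
        risk = "medium"  # hold for a human to review before any payment detail is changed
    else:
        risk = "low"
    return {"domain": domain, "verdict": verdict, "closest": closest,
            "payment_change": wants_change, "risk": risk}
```

A mail gateway would run `assess_email` on every inbound message addressed to accounts payable and route anything scored medium or high away from the inbox.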
This show is made by me, the comptroller, Jack Rhysider.
This episode was researched and written by the diversified Lydia Horn. Mixing done by Proximity Sound. This is Darknet Diaries.