Facebook And Google Remained Mum After Being Scammed Out Of $100M

Phishing techniques used by cyber criminals have reached a new milestone in the recent scam involving the tech giants Facebook and Google. The scam, which became public after an indictment issued by the US Department of Justice, consisted of repeatedly defrauding the two companies of a combined $100 million over a span of two years.

In this case of a fraudulent business email compromise scheme run by a Lithuanian scammer, the indictment pressed charges:

“for orchestrating a fraudulent business email compromise scheme that induced two U.S.-based internet companies (the “Victim Companies”) to wire a total of over $100 million to bank accounts controlled by RIMASAUSKAS.”


Interestingly, the scheme was elaborate and worked through proper banking channels. Over a period spanning two years, the tech giants were tricked into wiring a total of $100 million to two bank accounts located in Latvia and Cyprus. After each transfer, the stolen money was swiftly routed through a variety of bank accounts scattered across the world, involving banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

It was in March this year that the scammer, Evaldas Rimasauskas, was arrested by the local authorities in Lithuania. He was later charged with orchestrating the scheme. Interestingly, both tech companies targeted by the fraud stayed anonymous throughout the case; however, an investigation carried out by Fortune revealed the identity of the victim companies.


What emerges from the proceedings of the case is not one but two major concerns. The immediate concern is, obviously, protection against scams involving email phishing and fake suppliers, which can successfully target even the largest tech corporations. The second concern is more subtle: the crime has raised legitimate questions about why the companies have so far kept mum on the matter. The Fortune report quoted an observation by Mary Jo White, a former head of the Securities and Exchange Commission:

“It triggers an obligation to tell investors about what happened.”

White further said:

“I understand the dynamic. You don’t want to provide a road map to future hackers into your system. But that doesn’t excuse not disclosing an event if it’s material.”

Skype bug allows hackers to execute arbitrary code on victim's machine

Skype flaw opened backdoor

According to Zacharis Alexandros, an independent researcher, a bug in Skype was discovered in January but has only recently been brought to light, following a successful patch by Microsoft. He dubbed the bug Spyke.

In a blog post (at time of publication, the article on LinkedIn (also owned by Microsoft) appears to have disappeared – here is a cached page), Alexandros said the problem mainly affected the Windows version of the VoIP application, and that to mount an attack a hacker would need local access to the login screen of a running Skype instance.

He said that the vulnerability exploits the fact that the Skype instance contains an embedded Internet Explorer browser used for authentication purposes. An attacker can circumvent the normal authentication process and abuse the login via Facebook function to fingerprint the internal browser (IE), execute code in the context of the Skype process, phish credentials, and over communication traces.

“More advanced attacks can use valid exploits of Internet Explorer running inside Skype, to crash Skype and cause code execution of malicious code on the underlying operating system in an attempt to perform local privilege escalation attacks,” said Alexandros.

He added that any system using the Skype client, including older versions that allow Facebook Login as an option, is vulnerable. “Systems that use Skype and are publicly reachable like info kiosks or smart TV appliances, are particularly more attractive than local private systems (PCs) in order to be used for phishing attacks,” he warned.

The researcher also uploaded a video showing a proof of concept in which code taken from Facebook’s developer site can be run from inside Skype to crash the app. A hacker could also replace the login screen with a fake one to phish for a victim’s credentials.

After Alexandros alerted Microsoft to the problem, the company released a patch for it on 24 March.

Oliver Pinson-Roxburgh, EMEA director at AlertLogic, told SC Magazine UK that the issue was bad, “because it allows you to get access to malicious tools”.

“Phish users do all sorts through the Facebook developer tools. If the attacker has access to a restricted terminal they can use this flaw to extend access by browsing to exploit kits or download tools,” he said.

“In addition, you could steal local credentials through phishing using this to trick the user. The other key thing is that a lot of this would look like just normal Skype activity.”

Matan Hart, security researcher at CyberArk Labs, told SC Magazine UK that in many ways, the “Spyke” attack vector has limited power.

“It requires the attacker to have already gained access to the victim’s system, and the attack surface is restricted to the context of the Skype app. However, if Skype is running under administrative credentials this could lead to an effective local privilege escalation. This means attackers could move laterally through the target network to get to a business’s highest value assets and cause irreparable damage,” he said.

Consumer Watch: Scam terms and what to guard against

Hopefully, no reader felt any unwanted twinges from last week’s scamming procedures. Combine those with today’s list for savvy consumerism.

  • Ransomware — a program that almost knocked yours truly upside the head last week — restricts or disables a computer, hijacks and encrypts files, then demands a fee to restore the machine’s functions. As savvy as I like to think I am, I believed most ransomware hit businesses, rather than individuals. Nope. Luckily, I contract with a smart IT expert (Chris Wesson) who told me to do the exact opposite of what the program instructed. Lesson learned. Anytime you’re remotely suspicious of a computer activity, call your provider immediately before taking other action.
  • Scareware is a program that gives an on-screen warning saying you’re being infected by nonexistent viruses. Its objective is to trick users into installing malware or buying false antivirus protection.
  • Skimmer is a tiny device that deducts cash from your ATM account and gathers credit card information from a gas pump or restaurant, among other robberies. These aren’t the only scenarios. That little magnetic stripe on credit and debit cards is the skimmer’s target, so be cautious about handing over your cards to anyone you don’t know for any service whatsoever, and be extra careful to ensure any slot you slide your card into is vacant. Inspect the card reader to be sure it’s identical to others nearby, is firmly in place and no small camera can be seen around. Never use a debit card at the gas pump so you won’t have to input its PIN.
  • Smishing is a phishing attempt that goes to your mobile devices via text messages. The assault “advises” the user to call a toll-free number, which often plops lots of change into the pockets of the Smisher.
  • Spear-phishing uses phishing with personalized email, often appearing to be from someone you know. (Many robocalls with local area codes fit this bill.)
  • Spoofing allows scammers to disguise themselves as a specific person or, perhaps, a person within a specific agency. Moreover, these fraudsters manipulate your phone’s caller ID to display a false name or number.
  • Spyware is a type of malware. A scammer installs this bad program on your computer or cellphone to track your actions and collect information without your knowledge.
  • Vishing is another form of phishing; it uses recorded phone messages to trick you into revealing very private info.
  • Whaling phishes for corporate executives or employees who work in the company’s payroll departments. The scammer poses as the company’s CEO or, perhaps, its attorney or even a vendor to obtain payments or hush-hush data.

We heard great news last week from the Federal Communications Commission (FCC) that it intends to put robocallers out of business. However, until that happens (as well as all other trickery), it’s urgent we never forget that scammers create new schemes and fraudulent activities every day. Whether to burglarize our bank accounts or to steal our personal identities, criminals never rest; therefore, consumers must remain vigilant. No more victims around here, okay?

Contact Ellen Phillips at consumerwatch@timesfreepress.com.