The U.S. Department of Justice announced on March 21 that it is charging a lone individual in connection with a business email compromise scam that resulted in the theft of more than $100 million from a pair of U.S. corporations. The DOJ charges come as new research indicates that business email compromises are an increasingly growing problem.
Charged in the case is 48-year-old Evaldas Rimasauskas of Vilnius, Lithuania. Lithuanian authorities arrested Rimasauskas on a provisional arrest warrant. The DOJ alleges that Rimasauskas conducted his criminal activities from 2013 through 2015 using a BEC scam. With a BEC scam, an attacker uses email to trick a company into paying fraudulent invoices and accounts payable requests.
The DOJ claims that Rimasauskas specifically targeted two unnamed U.S.-based internet companies. The only identifying aspects of the companies are that one is a multinational technology company and the other is a multinational online social media company.
"From half a world away, Evaldas Rimasauskas allegedly targeted multinational internet companies and tricked their agents and employees into wiring over $100 million to overseas bank accounts under his control," acting U.S. Attorney Joon H. Kim said in a statement.
To get the victim companies to send him so much money, Rimasauskas allegedly used a scheme that involved the use of forged invoices, contracts and letters that appeared to be from executives of those companies.
In addition, the DOJ alleges that Rimasauskas registered and incorporated a company in Latvia that had the same name as an Asian-based computer hardware manufacturer. Using the fraudulently registered company as a front, Rimasauskas allegedly sent emails to the victim companies, which normally did business with the Asian-based computer hardware manufacturer that he was impersonating.
While the scale of the fraud in the case is perhaps surprising, it is part of a larger, growing trend, according to security firm Proofpoint. On March 23, Proofpoint released new research into the state of BEC that showed that there was a significant increase in such attacks at the end of 2016.
Ryan Kalember, senior vice president of Cybersecurity Strategy at Proofpoint, said this incident is the latest example of just how costly a successful BEC attack can be.
"Attackers are relentlessly working to exploit the email communication channel—regardless of their level of sophistication, motivation or country," Kalember told eWEEK. "Email is their top vector because it is easy to impersonate someone else, it can reach virtually anyone at any organization and it is commonly used to make these types of requests.”
Proofpoint's research found that BEC attacks increased by 45 percent in the last three months of 2016 over the prior three-month period. Proofpoint examined approximately 45,000 attack attempts between July and December 2016, Kalember said.
"We tracked these attacks by examining a sample of BEC messages sent to customers that we detected," he said. "BEC threats look just like normal business email, do not feature malware, are highly targeted and cannot be detected using most traditional techniques."
As to why BEC attacks grew at the end of 2016, Kalember noted simply that criminals will always follow the money. If an attack tactic is working, hackers will continue to pursue it, and Proofpoint's research shows that BEC attacks are not slowing down, he added.
"BEC attacks are unique in that they are highly personalized, very socially engineered and don’t feature malware," Kalember said. "Because these attacks do not require expensive malware or advanced techniques, the cybercriminal barrier to entry is low, but the cost to organizations is high."
Aside from human vigilance against fraud, there are several practical technical steps that organizations can take to reduce the risk of a BEC attack. Kalember suggests that organizations reduce the number of inbound messages that target their users via detection technologies and implement email authentication. With email authentication technology, business partners and customers can differentiate legitimate emails from malicious spoofing.
"Employees also need to understand the value of the information they process and become educated on email phishing attack tactics and dangers," Kalember said. "While education will help, there will be human errors, so organizations must also augment their approach with security technologies."