Transcription performed by Leah Hervoly
[START OF RECORDING]
JACK: Hey, it’s Jack, host of the show. I’m a little under the weather this week, so this will be a short episode. I don’t want to leave you hanging, but I also don’t have it in me to deliver an hour’s worth of stories for you. So, I’m sorry, but I hope you like the episode anyway. Warren Buffet has been one of the top ten richest people in the world for quite a while now. He got rich mostly from investing, and his main strategy is to invest in wonderful companies at a fair price. One day, Jeff Bezos asked him well, your investment thesis is so simple; why doesn’t everyone just copy you? Warren Buffet said because nobody wants to get rich slow. If you look around the internet, you will see loads of get-rich-quick schemes, people claiming to make over $500,000 a year, and if you buy their training course, you too can learn the secrets of their success. There’s so many others, but this story is about a guy who had a brilliant get-rich-quick scheme that actually worked.
(INTRO): [INTRO MUSIC] These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries. [INTRO MUSIC ENDS]
JACK: Facebook is a company that knows how to make money. In 2012, their revenue for the year was $5 billion. That’s a lot of money. They are incredibly profitable, and it’s the kind of money that makes you wish maybe I should start a business to get that rich, too. [MUSIC] But no; no, no, no. That’s way too hard. Building a unique website, marketing it, getting users, and waiting for it to grow crazy big? All that takes a long time and a lot of energy, and you have to be really lucky, too. Facebook was started in 2004 and it took them over five years before they began to make any kind of profit. Who has five years to sit around waiting to get rich? Facebook does not have a get-rich-quick scheme, but they did get rich over time, really rich. $5 billion in revenue in 2012 is a lot of money to flow through the coffers over at 1 Hacker Way in Silicon Valley. Who’s counting all that money? Who’s got control of that? Well, a lot of people. A company like that probably has scores of people who have purchasing power. Perhaps a lot of employees have company credit cards to pay for travel or training, or managers might have a checkbook to buy major things like renting a new office space or leasing company vehicles or purchasing another company. In 2012, we heard this on the ABC Nightly News.
HOST: Instagram, a company with only thirteen employees, bought today by Facebook for one billion dollars.
JACK: [MUSIC] Whoa. How does that make you feel? When you hear that Facebook bought another company for a billion dollars, what goes through your mind? I mean, news like that makes me stop and think for a moment. My hand goes up to my chin and I start gazing out the window. That’s a lot of money. A guy named Evaldas Rimasauskas heard that news, and it put him in deep thought, too. He was forty-three years old in 2012 and was living in Vilnius, the capital of Lithuania. The thing that ran through his head was who wrote that check? Who’s the person in Facebook that has the ability to write a one-billion-dollar check? Was it Mark Zuckerberg himself? Surely no; he must have people to do that, and those people must listen to Mark when Mark says hey, can you write a check for a billion dollars? We just bought another company. Yes, Mr. Zuckerberg, right away, Mr. Zuckerberg.
Whoever has that power to write those checks must be really trusted over at Facebook. See, Evaldas had been learning a lot about how checks work during that time. He was fascinated with the whole system; a little piece of paper with the right numbers and signatures on it is all you need to take money from someone else. Evaldas was interested in different scams and thefts that you could do with checks and bank accounts and money-processing centers. He heard about how some people make bogus checks and how payroll fraud works and other ways to steal money from companies. I imagine Evaldas had some small wins during all this. I don’t know what, though, but my guess is that he probably started where a lot of other people like him start, with buying stolen credit cards online and then cashing them out and taking the money from them. But these kind of schemes only make you a few hundred dollars at a time. You really have to work your tail off to make the big bucks from this, and maybe that’s what he was doing when he heard this news.
HOST: …bought today by Facebook for one billion dollars. [‘BILLION DOLLARS’ ECHOING]
JACK: One billion dollars. Evaldas didn’t want to bother with petty $200-thefts. He wanted a piece of these big-time deals that Facebook was making. But how? It’s not like he has a wildly popular photo-sharing app that he can sell to Facebook for a billion dollars. Hm. He began to think about it. With all this money flowing in and out of Facebook, there has to be a way to somehow steal some of that or scam a piece of it for himself. He needed more information. He rounded up a few people to help him and he told them hey, call up Facebook and try to figure out who’s writing these huge checks and what companies they’re writing checks to. His buddies were like, huh? Call up Facebook and what? The end goal seemed impossible. How can you just call up Facebook and ask who’s writing the checks over there and where are you writing them to? You can’t.
You’re gonna get nowhere fast if you do that. [MUSIC] So, they had to do it piece by piece and slowly social-engineer their way into the company to get this information. At first they called up Facebook’s customer support, and maybe they asked basic questions like what’s the number to the Accounting department? Or if I have an unpaid bill and Facebook owes me money, who should I talk to? Or maybe his team just looked on LinkedIn to see who’s working in the Finance and Accounting departments over at Facebook. Surely it would be a huge help to know who’s who over there, and maybe from there you can guess someone’s e-mail address. Maybe it’s just email@example.com? I don’t know. But if the e-mail is guessable, you could use that to try to gather more information from someone there, maybe by e-mailing them and asking them just for a basic piece of information, but when they reply, boom, their phone number might show up right in the footer of the e-mail, and now you can call them and try social-engineering them to give you more information.
This is how Evaldas was chipping away at all the layers of security within Facebook, and all these little pieces of information can add up to give you quite a detailed understanding of the internal operations of their business. If you know who Facebook is doing business with, like maybe partners or contractors, then maybe you can attack this from the other side, too. Like, if you hear on social media that Facebook has contracted with Company XYZ, then you can call up Company XYZ and try to social-engineer them. Like, maybe you ask them who over at Facebook is paying invoices, or something like that. All these bits of information add up to be really helpful when trying to scam a company. The more Evaldas and his team scraped this information together, the more he understood about what options there were. After a while, they had a pretty good understanding of the social and accounting infrastructure within Facebook. [MUSIC] During all this, Evaldas learned that Facebook does a lot of business with a company called Quanta Computer.
HOST2: Welcome to the Quanta Resource MFGT. Quanta Manufacturing Nashville repairs and refurbishes tablets and point-of-sale devices as well as bill servers, and provides Cloud computing services. Our customers include the world’s largest online retailer and the world’s largest social media company.
JACK: This was it. Knowing this gave Evaldas all the information he needed to make his move. His big idea was that he was going to pose as Quanta Computing and issue an invoice to Facebook to pay a bill, and he hoped Facebook would pay him instead of Quanta. But in order for this to work, he had to make everything look really good. All the information he collected earlier was going to come into play here. [MUSIC] First, he set up a company called Quanta Computer, the exact same name. See, the real Quanta Computer is in Taiwan. He set his Quanta Computer company up in Latvia and Cypress, and then opened bank accounts under that name. Then he somehow got ahold of a real Quanta Computer invoice and knew exactly who was paying these invoices over at Facebook. He altered the invoice to simply change where the payment should be sent, which was to his bank instead of theirs. Now, you would think this might be enough; a fake invoice that looks exactly like the real one but with one minor thing changed, and you know exactly who pays these invoices over at Facebook. But Evaldas took this a step further, conducting what’s called a BEC scam.
BEC stands for Business E-mail Compromise, but I can’t stand that term because there’s nothing actually compromised here. BEC is basically a phishing attack, but you’re posing as someone that the victim knows already. So, the problem here is if Evaldas just sent an e-mail to Facebook saying pay this bill, what e-mail address should he use? He’s not gonna use his personal e-mail address because that would be a huge red flag. You’d hope someone at Facebook would notice who sent him the invoice and realize it wasn’t someone from Quanta. He can’t use something like firstname.lastname@example.org because that’s not what Quanta’s e-mails look like, either. So, Evaldas had to figure out who at Quanta typically sends these invoices out so he could look as close as he could to them. I’m not sure exactly what he did here, but my guess is he probably registered a domain that was very similar to Quanta’s actual domain and made his e-mail look super close to it, with maybe one letter off. Once he had all this set up, he was ready.
He had his fake invoice, his fake domain, and fake business all set up. He put it together and sent the e-mail to the right person at Facebook, telling them to update where payments should be sent when paying bills for Quanta, and the person at Facebook saw this e-mail and fell for it, making the change so that the payments are now sent to Evaldas’ bank instead of the real Quanta’s bank account. Not too long after that, he got a notice from his bank that said a large deposit has been made into your account from Facebook. [MUSIC] It worked. I don’t know how much this payment was for, but it was a lot; maybe a few hundred thousand dollars, maybe more. This was a huge win for Evaldas and his team. They got their piece of the Facebook riches. What a rush that must have been. But hey, if it worked once, could it work a second time? Yeah, sure enough, money kept rolling in from Facebook. Every time they’d go to pay a Quanta bill, they’d end up paying Evaldas instead. Incredible. Then he noticed something; Quanta also does business with Google, and Google is also a massive company with billions of dollars going in and out.
So, he decided to social-engineer his way into Google and learn how their financial infrastructure was set up. Then he was able to trick someone at Google to send him money instead of Quanta. Because his system was so meticulously detailed and planned out, Google also fell for it and started paying him, too. Talk about a passive income scheme; Quanta would do all the work and he would get all the pay from it. Now, Quanta also does a lot of business with Apple and Amazon, too, and I’m not sure if Evaldas knew that, or maybe he tried to get into those companies, too. But at this point, Evaldas and his team had made millions of dollars off of Facebook and Google, which is just unreal. This get-rich scheme was working amazingly well. It’s kind of hilarious to just take a step back for a moment and look at this from a distance. He sent fake invoices to Facebook and Google, and they just paid them. He was making millions of dollars from these fake bills. It’s a crazy story. Oh, and he had a whole system to clean the money, too.
Remember those bank accounts Evaldas set up in Latvia and Cypress? Well, after Google and Facebook had wired money to these accounts, Evaldas would then spring into action, sending the money to even more accounts in banks around the world; Slovakia, Lithuania, Hungary, and Hong Kong. Moving the money around would make it harder to track where it ultimately would end up, which was in Evaldas’ pockets. If any representative of these banks raised an eyebrow at these massive transfers, Evaldas would just send them fake legal documents that made it look like his money laundering scheme was just normal business dealings. So, Evaldas was doing great, making tons of money from this BEC scam that he had set up. Over the next two years, he extracted $23 million from Google and a whopping $98 million from Facebook. Things were better than good for him; they were going great, and his system for laundering money by moving it around different banks was working well, too. Everything felt pretty secure for him, [MUSIC] until one tiny detail he overlooked came into light.
At some point, someone at Google or Facebook noticed this scam. I bet it was Quanta calling them up, like where’s our money? They must have been like ‘uh-oh’ when they realized that they’d been tricked into sending it to the wrong place. So, someone started investigating this, and they were tracing the footsteps. They saw that they had wired all the money to a bank in Cypress, then they looked to see which e-mail it was that switched banks, and this made them realized oh, it was the domain that wasn’t exactly the same when we got this e-mail, one that looked like Quanta’s but really wasn’t. Okay, so the next question then is who owns this lookalike domain? To figure that out, you can do a WHOIS lookup on a domain. It’ll tell you who registered it and who controls it. This is where Evaldas made his mistake. He registered it under his own personal e-mail address. It all unraveled from there.
After consulting internally, the employee notified the FBI, and with millions of dollars stolen, the FBI jumped right into action; first freezing Evaldas’ funds so they couldn’t be transferred anywhere, and then the FBI started gathering all the evidence they could, which was actually a vast paper trail of phony invoices and contracts that Evaldas had so carefully crafted. Evaldas didn’t know it, but the paper trail led right to him in Lithuania. The Lithuanian authorities arrested Evaldas. From there, he was extradited to New York to be tried. Evaldas pleaded guilty to wire fraud, and two years later, in 2019, he was sentenced to five years in prison, plus a hefty bill for $26 million. With the help of the government, Google and Facebook were able to recover a bulk of their losses and hopefully learn some lessons from all this. Oh, and I don’t know what happened to Evaldas’ co-conspirators. While this scam caused two companies to take a massive hit, that was only a drop in the bucket. Between 2013 and 2019, the Internet Crime Complaint Center received reports of over $10 billion in losses from similar BEC scams like this.
We’re talking spoofed e-mails, spear phishing, malware attacks, all with the intention of getting a company to send payments to the wrong person. This is not a new attack, but it’s certainly becoming a popular one, and it’s adding up to be quite a lot of damage to a lot of businesses. It’s important for businesses of every size to take protective measures to defend against this. I imagine the more profitable your company is, the more likely you’ll be targeted by thieves trying to steal some of your profits. But what’s scary here is that a small, clever team outsmarted the sophisticated security team at Google who sees a massive amount of attacks every day. You might say well, this is not a hacking incident, so how could the security team even help defend against this? Well, there are a lot of tools that are getting better at detecting this sort of thing, such as identifying when a lookalike domain has e-mailed you, or tools that just do basic domain reputation checking and then quarantine any e-mails that just don’t look right. But this story should also remind us that security is everyone’s responsibility in a company.
(OUTRO): [OUTRO MUSIC] This show is made by me, the comptroller, Jack Rhysider. This episode was researched and written by the diversified Lydia Horne, mixing done by Proximity Sound, and our theme music is by the liability known as Breakmaster Cylinder. What does a baby computer call its father? Data. This is Darknet Diaries.
[END OF RECORDING]