Internet, IT & e-Discovery Blog

https://www.vogelitlawblog.com

$100M+ guilty plea for Spearphishing (BEC – Business Email Compromise)!

Peter S. Vogel Posted By Peter S. Vogel on Posted in Cyber

The Department of Justice reported that “a Lithuanian citizen, pled guilty today to wire fraud arising out of his orchestration of a fraudulent business email compromise scheme that induced two U.S.-based Internet companies (the “Victim Companies”) to wire a total of over $100 million to bank accounts he controlled.”  The March 20, 2019 press release entitled “Lithuanian Man Pleads Guilty To Wire Fraud For Theft Of Over $100 Million In Fraudulent Business Email Compromise Scheme” included these details about the defendant Evaldas Rimasauskas admitted that:

….he devised a blatant scheme to fleece U.S. companies out of $100 million, and then siphoned those funds to bank accounts around the globe.  Rimasauskas thought he could hide behind a computer screen halfway across the world while he conducted his fraudulent scheme, but as he has learned, the arms of American justice are long, and he now faces significant time in a U.S. prison.

As I blogged earlier this month “Only 47% companies train employees to recognize spear phishing!” so until there is more training spear-phishing will continue to a great business!

The Indictment included these allegations:

From 2013 through 2015, RIMASAUSKAS orchestrated a fraudulent scheme designed to deceive the Victim Companies, including a multinational technology company and a multinational online social media company, into wiring funds to bank accounts controlled by RIMASAUSKAS.  Specifically, RIMASAUSKAS registered and incorporated a company in Latvia (“Company-2”) that bore the same name as an Asian-based computer hardware manufacturer (“Company-1”), and opened, maintained, and controlled various accounts at banks located in Latvia and Cyprus in the name of Company-2.  Thereafter, fraudulent phishing emails were sent to employees and agents of the Victim Companies, which regularly conducted multimillion-dollar transactions with Company-1, directing that money the Victim Companies owed Company-1 for legitimate goods and services be sent to Company-2’s bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.  These emails purported to be from employees and agents of Company-1, and were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company-1, but in truth and in fact, were neither sent nor authorized by Company-1.  This scheme succeeded in deceiving the Victim Companies into complying with the fraudulent wiring instructions.

After the Victim Companies wired funds intended for Company-1 to Company-2’s bank accounts in Latvia and Cyprus, RIMASAUSKAS caused the stolen funds to be quickly wired into different bank accounts in various locations throughout the world, including Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong.  RIMASAUSKAS also caused forged invoices, contracts, and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.

Through these false and deceptive representations over the course of the scheme, RIMASAUSKAS caused the Victim Companies to transfer a total of over $100 million in U.S. currency from the Victim Companies’ bank accounts to Company-2’s bank accounts.

What do you think?

Don’t we need Federal Privacy Laws for IoT?

Peter S. Vogel Posted By Peter S. Vogel on Posted in Internet Privacy; IoT

Darkreading.com reported “For the third time in as many years, lawmakers have introduced a bill that would require Internet of Things (IoT) products sold by federal contractors and vendors to abide by government guidelines to ensure a baseline of cybersecurity.”  The March 18, 2019 article entitled “New IoT Security Bill: Third Time’s the Charm?” included these comments about the proposed law called “Internet of Things Cybersecurity Improvement Act of 2019” that the “National Institute of Standards and Technology (NIST) to develop security guidelines for IoT devices sold to the US government”:

…tasks NIST with creating requirements for federal agencies that consider the secure development, identity management, patching and configuration management of IoT devices. In addition, NIST is also tasked with developing recommendations on the management and use of IoT devices by March 31, 2020.

What do you think?

15 Easy Steps to Vanish (including only carrying cash)!

Peter S. Vogel Posted By Peter S. Vogel on Posted in Cryptocurrency; Internet Privacy

The New York Times reported that a Bitcoin security person “had long been obsessed with the value of privacy, and he set out to learn how thoroughly a person can escape the all-seeing eyes of corporate America and the government. But he wanted to do it without giving up internet access and moving to a shack in the woods.”  The March 12, 2019 article entitled “How a Bitcoin Evangelist Made Himself Vanish, in 15 (Not So Easy) Steps” included these comments about #3 to “Carry cash”:

The most anonymous way to buy things, of course, is to simply use cash…. enough to handle most daily transactions.

Here are details on #8 to “Create a V.P.N. for home internet use”:

In order to shield his internet address and his location, he turned his home internet router into a virtual private network, or V.P.N., that made all his internet traffic appear to come from different internet addresses in different places.

All 15 Easy Steps:

  1. Create a new corporate identity.
  2. Set up new bank accounts and payment cards.
  3. Carry cash.
  4. Get a new phone number.
  5. Stop using the phone for directions.
  6. Move.
  7. Make up a fake name for casual interactions.
  8. Create a V.P.N. for home internet use.
  9. Buy a boring car.
  10. Buy a decoy house to fool the D.M.V.
  11. Set up a private mailbox and remailing service.
  12. Master the art of disguise.
  13. Work remotely.
  14. Encrypt devices when traveling remotely.
  15. Hire private investigators to check your work.

Does this give you any ideas?

Privacy Concerns- Should facial recognition tracking your buying habits in stores be regulated?

Peter S. Vogel Posted By Peter S. Vogel on Posted in Internet Privacy

eMarketer.com reported “that more than 60% of respondents thought the technology was “creepy””…that was used in…”tracking buying habits, and alerting sales people to shoppers’ preferences and previous purchases as soon as they enter stores.” The March 7, 2019 article entitled “Facial Recognition Brings Opportunity … and Privacy Concerns” included these comments:

Regulators and advocacy groups have also voiced opposition.

Lawmakers haven’t needed encouragement to begin regulating the technology; in February, San Francisco became the first US city to impose a ban on the use of facial recognition by government agencies.

Washington state Sen. Reuven Carlyle proposed a bill to require companies that make facial recognition tech to obtain consumer consent, and notify those consumers when they walk into a store or access a website where it’s in use.

What do you think?

Only 47% companies train employees to recognize spear phishing!

Peter S. Vogel Posted By Peter S. Vogel on Posted in Cyber

Darkreading.com reported about the results of the February 2019 report from the Ponemon Institute and commissioned by Experian “Is Your Company Ready for a Big Data Breach?” which “polled 643 professionals in IT and IT security on their organizations’ data breach response practices…[less] than half (47%) educate employees on spear-phishing.”  The March 5, 2019 report entitled “Incident Response: Having a Plan Isn’t Enough” included these comments:

Most (92%) companies have a data breach notification plan in place.

The problem is, most companies with a breach response plan fail to adapt to change.

Forty-two percent of respondents have “no set time period” for reviewing and updating their response plans, and 23% haven’t reviewed or updated their plans since it was put in place.

Some types of security incidents pose a greater challenge than others. Only 21% of respondents expressed confidence in their ability to handle ransomware attacks, and 24% said the same for spear-phishing, researchers found.

What do you think about the results of Ponemon’s report?