Facebook and Google were the victims of a $100M phishing scam, a form of business email compromise (BEC). According to the Justice Department, the crook forged email addresses, invoices and corporate stamps in order to impersonate a large Asian-based manufacturer with whom the tech firms regularly did business. The aim was to trick the companies into paying forged invoices for computer supplies. IT security experts from AlienVault, ESET, Tripwire, Comparitech.com and FireMon commented below.
Javvad Malik, Security Advocate at AlienVault:
“The concept of this heist is identical, albeit at a much higher level, with a lot more foundational work being put in place beforehand.
Therefore, it is not unexpected that many of the mitigation strategies would be similar in nature; these would include better third-party identification and verification processes, more stringent payment authorisations, and not solely relying on email as an authority to process.”
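The controls Malik names (verify the third party against a record you hold, not against the email; put stronger authorisation around the payment itself) can be made concrete as a pre-payment gate. The following is an added example written for this page, not code from the article, AlienVault or any of the companies involved. The vendor master record, the invoices, the dual-control threshold of 50,000 and the small homoglyph list are all constructed assumptions; the gate returns findings rather than a pass/fail so that a reviewer sees why an invoice was held.

```python
"""Added example: a vendor-invoice payment gate (constructed sample data).

Checks, in order: the sender domain against the vendor's registered domains
(flagging lookalikes such as 'rn' for 'm'), the bank account against the
vendor master, and dual control above a threshold. None of this trusts the
email body: the master record is maintained out of band.
"""
from dataclasses import dataclass, field

# Constructed vendor master record. Assumption: this is updated only through
# an out-of-band process, never from details received by email.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Example Manufacturing Ltd",
        "domains": {"example-manufacturing.com"},
        "bank_accounts": {"TW00-1234-5678"},
    },
}


@dataclass
class Invoice:
    vendor_id: str
    sender_email: str
    bank_account: str
    amount: float
    approvers: set = field(default_factory=set)


def normalise(domain: str) -> str:
    """Fold common homoglyph substitutions so 'rnanufacturing' == 'manufacturing'."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, genuine: str) -> bool:
    """True when candidate is not the genuine domain but is easily mistaken for it."""
    if candidate == genuine:
        return False
    nc, ng = normalise(candidate), normalise(genuine)
    return nc == ng or edit_distance(nc, ng) <= 1


def assess_invoice(inv: Invoice, master=VENDOR_MASTER, dual_threshold: float = 50_000.0):
    """Return a list of findings; an empty list means the invoice passed every check."""
    findings = []
    record = master.get(inv.vendor_id)
    if record is None:
        return ["unknown vendor id; no master record to verify against"]

    domain = inv.sender_email.rsplit("@", 1)[-1].lower()
    if domain not in record["domains"]:
        if any(is_lookalike(domain, g) for g in record["domains"]):
            findings.append(f"sender domain {domain} is a lookalike of a registered vendor domain")
        else:
            findings.append(f"sender domain {domain} is not registered for this vendor")

    if inv.bank_account not in record["bank_accounts"]:
        findings.append("bank account differs from vendor master; confirm by phone using the number on file")

    # Dual control: assumption that payments at or above the threshold need two approvers.
    if inv.amount >= dual_threshold and len(inv.approvers) < 2:
        findings.append("amount at or above dual-control threshold; second approver required")
    return findings


def payment_decision(inv: Invoice, **kwargs) -> str:
    """'PAY' only when no finding is raised; anything else is 'HOLD' for manual review."""
    return "PAY" if not assess_invoice(inv, **kwargs) else "HOLD"


if __name__ == "__main__":
    genuine = Invoice("V-1001", "ap@example-manufacturing.com", "TW00-1234-5678", 12_000.0, {"alice"})
    forged = Invoice("V-1001", "ap@example-rnanufacturing.com", "LV00-9999-0000", 1_000_000.0, {"alice"})
    for inv in (genuine, forged):
        print(payment_decision(inv), assess_invoice(inv))
```

The bank-account check is the one that would have mattered most here: a forged invoice has to route money to an account the attacker controls, so any change from the master record forces an out-of-band call to a number already on file, not one printed on the invoice.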
Mark James, IT Security Specialist at ESET:
Paul Norris, Senior Engineer at Tripwire:
Lee Munson, Security Researcher at Comparitech:
“While technical controls have a small part to play in reducing the likelihood of such an attack being successful, it is staff awareness training that is key here.
That a non-technical business could be attacked in this way is, perhaps, forgivable, but the same cannot be said for firms operating in the tech sector.
If the companies behind the $100 million loss are indeed Facebook and Google, it would be a surprise as, even if their teams are not completely alert to this sort of ruse, they should have a security department that can generate awareness around this type of financial fraud.
Thus, while current disclosure laws may not require the victims in this case to come clean about what happened – from a financial point of view – I certainly believe there is a public interest angle.
Investors in technology firms have a right to know that the business is managing its systems and people in an effective way that minimises risks that can have a significant impact – and CEO Fraud is relatively easy to identify and avoid – especially in this case, where the scam was allowed to continue unchecked over a two-year period.”
Paul Calatayud, Chief Technology Officer at FireMon:
“The issue at hand is whether or not these types of events warrant disclosure. Given that both these companies have significant amounts of money in the bank and some was recovered, as the law stands, I don’t feel reporting it was necessary. I do feel that we are lacking federal-level breach disclosure laws that center around eliminating public vs. private or material vs. immaterial conditions. We need to drive awareness, and these notifications can serve to benefit other companies. Until we do that, we will remain debating in board rooms whether or not cyber investments are necessary or how likely attacks may be. Like other debates on social forums, many crimes go unreported, and this only benefits the criminals by being able to operate in the shadows.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.