Google and Facebook were victims of a spearphishing scam in which the attacker stole $100 million.


Paragraph 6 of the indictment details some of the allegations:

… as part of the scheme, fraudulent phishing emails were sent to employees and agents of the Victim Companies. The emails purported to be from employees and agents of Company‑1 [the real supplier], but in truth and in fact, they were not sent or authorized by employees or agents of Company‑1. The fraudulent emails were sent from email accounts that were designed to create the false appearance that they were sent by employees and agents of Company‑1. The fraudulent emails directed that money the Victim Companies owed Company-1 for legitimate goods and services Company‑1 had provided, and which otherwise was to be transferred by the Victim Companies to Company‑1’s bank accounts in Asia, instead be sent to Company‑2’s [the fake company] bank accounts in Latvia and Cyprus, which were controlled by RIMASAUSKAS.

What were the indicators of compromise to be detected by threat intelligence systems? There were no indicators of compromise because the systems were not compromised. The theft worked by compromising the users of the system.

You can help protect your users from being compromised by using SP Guard.