A blog post by Matan Ben David, an incident response analyst at the Israel-based company, said the Chinese venture capital firm was alerted by their bank that there was an issue with a wire transaction.
"A few days later, a young Israeli start-up realised they didn’t receive their US$1 million seed funding. Both sides got on the phone and quickly realised that their money was stolen," he wrote.
"Once both sides realised the money was gone, they also noticed something strange with the emails between the two parties, as some of the emails were modified and some were not even written by them."
Apart from the lack of logs, Check Point's investigators also had to reckon with the fact that all emails relating to the transaction had been deleted and only screenshots were available from mobile accounts. A third factor that complicated things was the lack of any direct communication with the Chinese company involved.
"We realised that if the user account was compromised on the Israeli side, we probably wouldn’t be able to determine the exact times the attacker was logged in or which IP was used," Matan said.
"We had to track down the original emails so we could investigate the email headers. As we only had screenshots (from a mobile) of the emails in question, we decided to collect the mailbox archives from all the people that were CC’ed in the original thread. By searching for keywords from the screenshots, we were able to locate the original emails."
With these emails, the Check Point team was able to discover that the attacker had probably gained knowledge of the impending transaction from an email thread and registered two lookalike domains. In a normal case of business email compromise, the attacker tends to monitor emails by adding forwarding rules.
Matan pointed out that one of lookalike domains had essentially the same name as the Israeli start-up, but included an additional "s" at the end. Similarly, the second lookalike domain closely resembled that of the Chinese VC company, but once again added an "s" at the end.
"The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s chief executive," Matan explained.
"The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain, spoofing the VC account manager who handled this investment."
After this, every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.
Matan said the attacker appeared to have had great patience and was also very experienced. "At one point during the attack, the Chinese account owner and the CEO of the Israeli start-up scheduled a meeting in Shanghai," he pointed out. "At the last moment, the attacker sent an email to both sides cancelling the meeting, providing a different excuse for why they couldn’t meet to each."
He said that, had the meeting taken place, then there would have been suspicions about the changes in the emails. "Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made," Matan said.
The brazenness of the attacker was underlined by the fact that he/she did not stop with this. "Instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," Matan wrote.
"And if that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."
Matan said Check Point had learned a great deal from the experience, listing the following points:
- "Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
- "Educate your employees – On top of that, proper and ongoing education of employees to the trending threat in the email space.
- "When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
- "Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
- "Always capture as much forensic evidence as possible when dealing with suspected or confirmed cyber security incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
- "Leverage a tool to identify newly registered domains that are look-alikes to your own domain name."