Friday, 06 December 2019 10:31

Man-in-the-middle attack used to steal money sent from VC to start-up

By Sam Varghese

Image by mohamed Hassan from Pixabay

Researchers at security firm Check Point have managed to track down the perpetrator(s) of a man-in-the-middle attack that was used to steal money sent from a venture capital firm in China to a start-up in Israel.

A blog post by Matan Ben David, an incident response analyst at the Israel-based company, said the Chinese venture capital firm was alerted by its bank that there was an issue with a wire transaction.

"A few days later, a young Israeli start-up realised they didn’t receive their US$1 million seed funding. Both sides got on the phone and quickly realised that their money was stolen," he wrote.

"Once both sides realised the money was gone, they also noticed something strange with the emails between the two parties, as some of the emails were modified and some were not even written by them."

The investigation was hampered by the fact that the start-up's mailboxes were hosted on GoDaddy, whose logs showed only the last five logins to the server. The head of the Israeli start-up engaged Check Point to investigate.

Apart from the lack of logs, Check Point's investigators also had to contend with the fact that all emails relating to the transaction had been deleted, and only screenshots taken on a mobile device were available. A third complication was the lack of any direct line of communication with the Chinese company.

"We realised that if the user account was compromised on the Israeli side, we probably wouldn’t be able to determine the exact times the attacker was logged in or which IP was used," Matan said.

"We had to track down the original emails so we could investigate the email headers. As we only had screenshots (from a mobile) of the emails in question, we decided to collect the mailbox archives from all the people that were CC’ed in the original thread. By searching for keywords from the screenshots, we were able to locate the original emails."

With these emails, the Check Point team was able to establish that the attacker had probably learned of the impending transaction from an email thread and had then registered two lookalike domains. This differs from a typical business email compromise, in which the attacker monitors a compromised mailbox by adding forwarding rules; here the interception was done by impersonating both parties from domains the attacker controlled.

Matan pointed out that one of the lookalike domains had essentially the same name as the Israeli start-up, but with an additional "s" at the end. Similarly, the second lookalike domain closely resembled that of the Chinese VC company, once again with an "s" appended.

"The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s chief executive," Matan explained.

"The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain, spoofing the VC account manager who handled this investment."

From that point on, every email each side believed it was sending to the other actually went to the attacker, who reviewed it, edited the content where it suited the fraud (the bank account details, for instance), and then forwarded it from the matching lookalike domain to its intended recipient. Neither party saw the other's real address in the thread again.

Matan said the attacker appeared to have had great patience and was also very experienced. "At one point during the attack, the Chinese account owner and the CEO of the Israeli start-up scheduled a meeting in Shanghai," he pointed out. "At the last moment, the attacker sent an email to both sides cancelling the meeting, providing a different excuse for why they couldn’t meet to each."

He said that, had the meeting taken place, then there would have been suspicions about the changes in the emails. "Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made," Matan said.

The attacker's brazenness was underlined by the fact that the campaign did not stop there. "Instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," Matan wrote.

"And if that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."

Matan said Check Point had learned a great deal from the experience, listing the following points:

  • "Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
  • "Educate your employees – On top of that, employees need proper and ongoing education about the trending threats in the email space.
  • "When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
  • "Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
  • "Always capture as much forensic evidence as possible when dealing with suspected or confirmed cyber security incidents. Deleting a piece of evidence only assists the attacker. Timely evidence capture when the incident occurs can also ensure important logs and evidence are not overwritten.
  • "Leverage a tool to identify newly registered domains that are look-alikes to your own domain name."
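Two of the steps above lend themselves to a worked example: the header analysis the investigators had to do once they recovered the original emails, and the last recommendation, watching for lookalike registrations of your own domain. The following Python is an added example written for this article; it is not Check Point's tooling and does not reproduce the real emails or domains from the case. The partner domains (`startup.example`, `vcfund.example`), the two sample messages and all function names are constructed for illustration. It flags any From, Reply-To or Return-Path domain that sits one edit away from a trusted partner domain (the "extra s" pattern described above), notes a Reply-To that silently diverges from From, and generates the one-edit candidates you would feed to a newly-registered-domain monitor.

```python
"""Lookalike-domain checks over email headers and domain-watch candidates.

Added example for this article, not code from Check Point or the parties
involved. Domains, messages and names below are constructed (assumptions).
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Iterable, Optional

# Constructed for illustration: the legitimate domains of the two parties.
TRUSTED_DOMAINS = {"startup.example", "vcfund.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; registered lookalikes usually sit at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Iterable[str] = TRUSTED_DOMAINS,
                 max_dist: int = 1) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is
    itself trusted or not close to any trusted domain."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    for t in trusted:
        # Require the same TLD so the edit is in the name people read,
        # e.g. 'startups.example' vs 'startup.example'.
        if domain.rpartition(".")[2] == t.rpartition(".")[2] \
                and edit_distance(domain, t) <= max_dist:
            return t
    return None


def sender_domain(header_value: str) -> str:
    """Extract the domain from a 'Name <user@domain>' header value."""
    return parseaddr(header_value)[1].rpartition("@")[2]


def audit_message(raw: str) -> dict:
    """Flag sender-side headers that use a lookalike of a trusted domain,
    and a Reply-To whose domain differs from the From domain."""
    msg = message_from_string(raw)
    findings = []
    seen = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if not value:
            continue
        dom = sender_domain(value)
        seen[hdr] = dom
        target = lookalike_of(dom)
        if target:
            findings.append(f"{hdr} domain {dom!r} imitates trusted {target!r}")
    if "From" in seen and "Reply-To" in seen and seen["From"] != seen["Reply-To"]:
        findings.append(f"Reply-To domain {seen['Reply-To']!r} differs from "
                        f"From domain {seen['From']!r}")
    return {"subject": msg.get("Subject", ""), "findings": findings}


def candidate_lookalikes(domain: str) -> set:
    """One-edit lookalikes of your own domain to watch for in new registrations:
    a trailing letter added (the article's extra 's') and adjacent-letter swaps."""
    label, _, tld = domain.rpartition(".")
    out = set()
    for ch in "abcdefghijklmnopqrstuvwxyz":
        out.add(f"{label}{ch}.{tld}")            # startup -> startups
    for i in range(len(label) - 1):
        swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
        out.add(f"{swapped}.{tld}")              # startup -> satrtup
    return out


# Constructed sample messages (not the real emails from the case).
GENUINE = """From: CEO <ceo@startup.example>
To: manager@vcfund.example
Subject: Re: Seed round wire details

Original thread text.
"""

RELAYED = """From: CEO <ceo@startups.example>
Reply-To: CEO <ceo@startups.example>
Return-Path: <bounce@startups.example>
To: manager@vcfund.example
Subject: Re: Seed round wire details

Please use the updated bank account below.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("relayed", RELAYED)):
        print(name, audit_message(raw))
    print(sorted(candidate_lookalikes("startup.example"))[:5])
```

In practice the trusted set would be every counterparty domain in a live deal thread, and the candidate set would be compared daily against a newly-registered-domains feed rather than checked by hand; the one-edit threshold is deliberately tight to keep false positives down, so widen it only with a whitelist of known-unrelated domains.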



Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
