Friday, 06 December 2019 10:31

Man-in-the-middle attack used to steal money sent from VC to start-up


Researchers at security firm Check Point have managed to track down the perpetrator(s) of a man-in-the-middle attack that was used to steal money sent from a venture capital firm in China to a start-up in Israel.

A blog post by Matan Ben David, an incident response analyst at the Israel-based company, said the Chinese venture capital firm was alerted by their bank that there was an issue with a wire transaction.

"A few days later, a young Israeli start-up realised they didn’t receive their US$1 million seed funding. Both sides got on the phone and quickly realised that their money was stolen," he wrote.

"Once both sides realised the money was gone, they also noticed something strange with the emails between the two parties, as some of the emails were modified and some were not even written by them."

The task of tracking down the attack was made more difficult by the fact that the customer's mailboxes were hosted on GoDaddy, which showed only the last five logins to the server. The head of the Israeli start-up engaged Check Point to investigate.

Apart from the lack of logs, Check Point's investigators also had to reckon with the fact that all emails relating to the transaction had been deleted and only screenshots were available from mobile accounts. A third factor that complicated things was the lack of any direct communication with the Chinese company involved.

"We realised that if the user account was compromised on the Israeli side, we probably wouldn’t be able to determine the exact times the attacker was logged in or which IP was used," Matan said.

"We had to track down the original emails so we could investigate the email headers. As we only had screenshots (from a mobile) of the emails in question, we decided to collect the mailbox archives from all the people that were CC’ed in the original thread. By searching for keywords from the screenshots, we were able to locate the original emails."

With these emails, the Check Point team was able to discover that the attacker had probably gained knowledge of the impending transaction from an email thread and registered two lookalike domains. In a normal case of business email compromise, the attacker tends to monitor emails by adding forwarding rules.

Matan pointed out that one of the lookalike domains had essentially the same name as the Israeli start-up, but included an additional "s" at the end. Similarly, the second lookalike domain closely resembled that of the Chinese VC company, but once again added an "s" at the end.

"The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s chief executive," Matan explained.

"The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain, spoofing the VC account manager who handled this investment."

After this, every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.

Matan said the attacker appeared to have had great patience and was also very experienced. "At one point during the attack, the Chinese account owner and the CEO of the Israeli start-up scheduled a meeting in Shanghai," he pointed out. "At the last moment, the attacker sent an email to both sides cancelling the meeting, providing a different excuse for why they couldn’t meet to each."

He said that, had the meeting taken place, then there would have been suspicions about the changes in the emails. "Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made," Matan said.

The brazenness of the attacker was underlined by the fact that he/she did not stop with this. "Instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," Matan wrote.

"And if that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."

Matan said Check Point had learned a great deal from the experience, listing the following points:

  • "Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
  • "Educate your employees – On top of that, proper and ongoing education of employees to the trending threat in the email space.
  • "When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
  • "Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
  • "Always capture as much forensic evidence as possible when dealing with suspected or confirmed cyber security incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
  • "Leverage a tool to identify newly registered domains that are look-alikes to your own domain name."

Sam Varghese


Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.
