Security Market Segment LS
Friday, 06 December 2019 10:31

Man-in-the-middle attack used to steal money sent from VC to start-up

By Sam Varghese

Image by mohamed Hassan from Pixabay

Researchers at security firm Check Point have managed to track down the perpetrator(s) of a man-in-the-middle attack that was used to steal money sent from a venture capital firm in China to a start-up in Israel.

A blog post by Matan Ben David, an incident response analyst at the Israel-based company, said the Chinese venture capital firm was alerted by their bank that there was an issue with a wire transaction.

"A few days later, a young Israeli start-up realised they didn’t receive their US$1 million seed funding. Both sides got on the phone and quickly realised that their money was stolen," he wrote.

"Once both sides realised the money was gone, they also noticed something strange with the emails between the two parties, as some of the emails were modified and some were not even written by them."

The task of tracking down the attack was made more difficult by the fact that the customer's mailboxes were hosted on GoDaddy, which showed only the last five logins to the server. The head of the Israeli start-up engaged Check Point to investigate.

Apart from the lack of logs, Check Point's investigators also had to reckon with the fact that all emails relating to the transaction had been deleted and only screenshots were available from mobile accounts. A third factor that complicated things was the lack of any direct communication with the Chinese company involved.

"We realised that if the user account was compromised on the Israeli side, we probably wouldn’t be able to determine the exact times the attacker was logged in or which IP was used," Matan said.

"We had to track down the original emails so we could investigate the email headers. As we only had screenshots (from a mobile) of the emails in question, we decided to collect the mailbox archives from all the people that were CC’ed in the original thread. By searching for keywords from the screenshots, we were able to locate the original emails."

With these emails, the Check Point team was able to discover that the attacker had probably gained knowledge of the impending transaction from an email thread and registered two lookalike domains. In a normal case of business email compromise, the attacker tends to monitor emails by adding forwarding rules.

Matan pointed out that one of the lookalike domains had essentially the same name as the Israeli start-up, but included an additional "s" at the end. Similarly, the second lookalike domain closely resembled that of the Chinese VC company, but once again added an "s" at the end.

"The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s chief executive," Matan explained.

"The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain, spoofing the VC account manager who handled this investment."

After this, every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.

Matan said the attacker appeared to have had great patience and was also very experienced. "At one point during the attack, the Chinese account owner and the CEO of the Israeli start-up scheduled a meeting in Shanghai," he pointed out. "At the last moment, the attacker sent an email to both sides cancelling the meeting, providing a different excuse for why they couldn’t meet to each."

He said that, had the meeting taken place, then there would have been suspicions about the changes in the emails. "Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made," Matan said.

The brazenness of the attacker was underlined by the fact that he/she did not stop with this. "Instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," Matan wrote.

"And if that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."

Matan said Check Point had learned a great deal from the experience, listing the following points:

  • "Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
  • "Educate your employees – On top of that, proper and ongoing education of employees to the trending threat in the email space.
  • "When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
  • "Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
  • "Always capture as much forensic evidence as possible when dealing with suspected or confirmed cyber security incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
  • "Leverage a tool to identify newly registered domains that are look-alikes to your own domain name."
Sam Varghese

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.