VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

Who needs an elevator pitch when you have a man-in-the-middle attack?


A group of hackers used a compromised email account to steal a start-up's $1m venture capital payment.

The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel.

At first the attack appeared to be down to a compromised email account that had been used to re-route the payment to an account controlled by the attacker: a rather cut-and-dried business email compromise (BEC) operation.

As it turned out, however, the attack was a bit more complicated.

"Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million-dollar seeding fund and decided to do something about it," explained Check Point analyst Matan Ben David.

"Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register 2 new lookalike domains."

Using those lookalike domains (one for the VC firm and one for the startup), the bad guys then sent each side an email claiming to be from the other. Having a spoofed email account on each side, the attacker then forwarded the messages to the actual startup and VC email accounts, as needed.

"This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination," Ben David said.

"Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success."
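A defender-side check for the lookalike-domain relay Ben David describes, added here as an example and not code from Check Point or the article: it flags sender domains that sit within a couple of edits of a known partner domain once common confusable characters are folded, and Reply-To headers that quietly divert answers to another domain. The trusted domains, confusable table and sample message are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Domains the finance team legitimately corresponds with (constructed for this example).
TRUSTED_DOMAINS = {"startup-example.com", "vc-example.com"}
# Character sequences that render near-identically in many fonts (classic lookalike tricks).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalize(domain):
    """Lower-case and fold confusables so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d

def edit_distance(a, b):
    """Levenshtein distance: catches added, dropped, swapped or replaced characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_domain(domain, trusted=TRUSTED_DOMAINS):
    """'trusted' (exact match), 'lookalike' (within two edits after folding) or 'unknown'."""
    if domain.lower() in trusted:
        return "trusted"
    if any(edit_distance(normalize(domain), normalize(t)) <= 2 for t in trusted):
        return "lookalike"
    return "unknown"

def check_message(raw):
    """Findings for one RFC 5322 message: a lookalike From domain, or a Reply-To that
    routes answers to a different domain (the relay pattern in the article)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2]
    findings = []
    if classify_domain(from_dom) == "lookalike":
        findings.append("lookalike From domain: " + from_dom)
    if reply_dom and reply_dom.lower() != from_dom.lower():
        findings.append("Reply-To domain differs from From: %s (%s)"
                        % (reply_dom, classify_domain(reply_dom)))
    return findings

# Constructed sample: the "startup CEO" writes from a domain with 'rn' standing in for 'm'.
SAMPLE = "From: CEO <ceo@startup-exarnple.com>\nTo: cfo@vc-example.com\n"
# check_message(SAMPLE) -> ['lookalike From domain: startup-exarnple.com']
```

Run `check_message` over each inbound message in a mail-flow hook; a hit on a thread that carries payment details is the point at which to pick up the phone and verify out of band.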

At one point, it was found, the attacker even managed to cancel a scheduled face-to-face meeting between the two sides.


Finally, once the two companies had agreed on the $1m investment, the attacker gave the VC side their own account number, then modified the message that came back and relayed it to the Israeli firm. The VC therefore wired the money to the attacker, while the startup believed the payment was on the way.

"In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," mused Ben David.

"If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."

We have to say, that's better support than some VCs get when they hand seven figures to a bogus operation. ®
