VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

Who needs an elevator pitch when you have man-in-the-middle attack?


A group of hackers used a compromised email account to steal a start-up's $1m venture capital payment.

The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel.

It was believed that the attack was down to a compromised email account that had been used to re-route the payment to an account controlled by the attacker, a rather cut-and-dry business email compromise (BEC) operation.

As it turned out, however, the attack was a bit more complicated.

"Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million dollars seeding fund and decided to do something about it," explained Check Point analyst Matan Ben David.

"Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register 2 new lookalike domains."

Using those lookalike domains (one for the VC firm and one for the startup), the bad guys then sent each side an email claiming to be from the other. Having a spoofed email account on each side, the attacker then forwarded the messages to the actual startup and VC email accounts, as needed.

"This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination," Ben David said.

"Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success."

At one point, it was found, the attacker even managed to cancel a scheduled face-to-face meeting between the two sides.

FinCEN_logo

Email scammers extract over $300m a month from American suits' pockets

READ MORE

Finally, after the two companies had agreed on the $1m investment, the attacker provided the VC side with their own account number before again modifying that message and sending it back to the Israeli firm. This caused the VC to send the attacker the money, while also making the startup believe the money was on the way.

"In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," mused Ben David.

"If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."

We have to say, that's better support than some VCs get when they hand seven figures to a bogus operation. ®


Other stories you might like

  • Verizon: Ransomware sees biggest jump in five years
    We're only here for DBIRs

    The cybersecurity landscape continues to expand and evolve rapidly, fueled in large part by the cat-and-mouse game between miscreants trying to get into corporate IT environments and those hired by enterprises and security vendors to keep them out.

    Despite all that, Verizon's annual security breach report is again showing that there are constants in the field, including that ransomware continues to be a fast-growing threat and that the "human element" still plays a central role in most security breaches, whether it's through social engineering, bad decisions, or similar.

    According to the US carrier's 2022 Data Breach Investigations Report (DBIR) released this week [PDF], ransomware accounted for 25 percent of the observed security incidents that occurred between November 1, 2020, and October 31, 2021, and was present in 70 percent of all malware infections. Ransomware outbreaks increased 13 percent year-over-year, a larger increase than the previous five years combined.

    Continue reading
  • Slack-for-engineers Mattermost on open source and data sovereignty
    Control and access are becoming a hot button for orgs

    Interview "It's our data, it's our intellectual property. Being able to migrate it out those systems is near impossible... It was a real frustration for us."

    These were the words of communication and collaboration platform Mattermost's founder and CTO, Corey Hulen, speaking to The Register about open source, sovereignty and audio bridges.

    "Some of the history of Mattermost is exactly that problem," says Hulen of the issue of closed source software. "We were using proprietary tools – we were not a collaboration platform before, we were a games company before – [and] we were extremely frustrated because we couldn't get our intellectual property out of those systems..."

    Continue reading
  • UK government having hard time complying with its own IR35 tax rules
    This shouldn't come as much of a surprise if you've been reading the headlines at all

    Government departments are guilty of high levels of non-compliance with the UK's off-payroll tax regime, according to a report by MPs.

    Difficulties meeting the IR35 rules, which apply to many IT contractors, in central government reflect poor implementation by Her Majesty's Revenue & Customs (HMRC) and other government bodies, the Public Accounts Committee (PAC) said.

    "Central government is spending hundreds of millions of pounds to cover tax owed for individuals wrongly assessed as self-employed. Government departments and agencies owed, or expected to owe, HMRC £263 million in 2020–21 due to incorrect administration of the rules," the report said.

    Continue reading
  • Internet went offline in Pakistan as protestors marched for ousted prime minister
    Two hour outage 'consistent with an intentional disruption to service' said NetBlocks

    Internet interruption-watcher NetBlocks has reported internet outages across Pakistan on Wednesday, perhaps timed to coincide with large public protests over the ousting of Prime Minister Imran Khan.

    The watchdog organisation asserted that outages started after 5:00PM and lasted for about two hours. NetBlocks referred to them as “consistent with an intentional disruption to service.”

    Continue reading
  • Suspected phishing email crime boss cuffed in Nigeria
    Interpol, cops swoop with intel from cybersecurity bods

    Interpol and cops in Africa have arrested a Nigerian man suspected of running a multi-continent cybercrime ring that specialized in phishing emails targeting businesses.

    His alleged operation was responsible for so-called business email compromise (BEC), a mix of fraud and social engineering in which staff at targeted companies are hoodwinked into, for example, wiring funds to scammers or sending out sensitive information. This can be done by sending messages that impersonate executives or suppliers, with instructions on where to send payments or data, sometimes by breaking into an employee's work email account to do so.

    The 37-year-old's detention is part of a year-long, counter-BEC initiative code-named Operation Delilah that involved international law enforcement, and started with intelligence from cybersecurity companies Group-IB, Palo Alto Networks Unit 42, and Trend Micro.

    Continue reading

Biting the hand that feeds IT © 1998–2022