A group of hackers used a compromised email account to steal a start-up's $1m venture capital payment.
The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel.
It was initially believed that the attack was down to a compromised email account that had been used to re-route the payment to an account controlled by the attacker, a rather cut-and-dried business email compromise (BEC) operation.
As it turned out, however, the attack was a bit more complicated.
"Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million-dollar seeding fund and decided to do something about it," explained Check Point analyst Matan Ben David.
"Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register two new lookalike domains."
Using those lookalike domains (one imitating the VC firm, the other imitating the startup), the crooks emailed each side from the domain that imitated the other. With a lookalike mailbox impersonating each party, the attacker could then relay messages between the real startup and VC accounts as needed. Note that nothing here was spoofed in the header-forgery sense: each lookalike domain was legitimately registered and controlled by the attacker, so sender authentication checks such as SPF, DKIM and DMARC would pass for it.
"This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination," Ben David said.
"Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success."
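Because the attacker's domains were real, the practical tell is the sender domain itself, not a failed authentication check. The following is an added example, not code from Check Point or the companies involved: it scans a small mailbox for From and Reply-To domains that are near-misses of the two parties' legitimate domains, using homoglyph normalisation and edit distance. The domain names and messages are constructed placeholders; the real domains in the case were not disclosed.

```python
"""Flag lookalike sender domains, the tell-tale of the relay attack described above.
Added example; TRUSTED_DOMAINS and SAMPLE_MAILBOX are constructed placeholders."""
import email
from email.utils import parseaddr

# Assumed legitimate domains of the two parties (placeholders, not the real ones).
TRUSTED_DOMAINS = {"example-vc.cn", "example-startup.co.il"}

# Substitutions typosquatters rely on; multi-character keys go first so that
# "rn" collapses to "m" before single characters are touched.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def leading_label(domain: str) -> str:
    """'example-startup.co.il' -> 'example-startup' (the part a human actually reads)."""
    return domain.lower().split(".")[0]


def normalize(label: str) -> str:
    """Canonical form so that 'examp1e-vc' and 'example-vc' compare equal."""
    label = label.lower().replace("-", "")
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a single DP row is kept at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str) -> str:
    """Return 'trusted', 'lookalike of <trusted domain>' or 'unknown'."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    label = leading_label(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        t_label = leading_label(trusted)
        # Same name under another TLD, a homoglyph swap, or a one-character edit.
        if normalize(label) == normalize(t_label) or levenshtein(label, t_label) <= 1:
            return f"lookalike of {trusted}"
    return "unknown"


def audit(raw_messages):
    """One finding per message: sender domain, verdict, and whether Reply-To diverges."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
        reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
        findings.append({
            "from_domain": from_domain,
            "verdict": classify_sender(from_domain),
            # A Reply-To on another domain steers the thread away from the real mailbox.
            "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        })
    return findings


# Constructed sample mailbox: a genuine message, two from lookalike domains, and a
# genuine From whose Reply-To has been pointed at a lookalike.
SAMPLE_MAILBOX = [
    "From: Chen <chen@example-vc.cn>\nTo: dana@example-startup.co.il\nSubject: term sheet\n\nAttached.\n",
    "From: Chen <chen@examp1e-vc.cn>\nTo: dana@example-startup.co.il\nSubject: wire details\n\nUse the new account.\n",
    "From: Dana <dana@example-startup.co>\nTo: chen@example-vc.cn\nSubject: Re: wire details\n\nConfirmed.\n",
    "From: Dana <dana@example-startup.co.il>\nReply-To: dana@example-startup.co\nTo: chen@example-vc.cn\nSubject: meeting\n\nLet's postpone.\n",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAILBOX):
        print(finding)
```

The same label comparison can be run the other way round, against newly registered domains in certificate-transparency or zone feeds, to spot a lookalike of your own company before it is used. Neither check replaces the control that would have stopped this theft: confirming any change of bank details by phone on a number already on file, never one taken from the email thread.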
At one point, it was found, the attacker even managed to cancel a scheduled face-to-face meeting between the two sides.
Finally, after the two companies had agreed on the $1m investment, the attacker substituted their own bank account number in the message to the VC side, then modified the reply once more before relaying it on to the Israeli firm. The result was that the VC wired the money to the attacker while the startup believed the payment was on its way.
"In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment," mused Ben David.
"If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction."
We have to say, that's better support than some VCs get when they hand seven figures to a bogus operation. ®