Check Point researchers have described an interesting case: scammers “earned” a million dollars by quietly inserting themselves into the correspondence between two unnamed companies (an Israeli startup and a Chinese venture firm).
“Imagine that you are the owner of a startup and are waiting for the initial round of financing in the amount of one million dollars, only the money does not appear in your bank account. Or imagine that you are the head of a venture company that believes it has transferred investment funds to one of the startups in its portfolio, but these funds never reach the other side,” the researchers write.
A young Israeli startup discovered that, for some reason, it had not received its initial funding: a million dollars had vanished somewhere. The ensuing investigation quickly helped the startup's representatives and their investors spot something strange: the emails exchanged between the parties had been altered, and some of them had been written entirely by outsiders. At this stage, forensic investigators were brought into the case and studied all available logs, emails and employee computers.
As it turned out, the specialists were dealing with a not-so-classic business email compromise (BEC) fraud. Unknown attackers had compromised the account of one of the startup's employees and, a few months before the money was due to move, found the correspondence in which the upcoming multimillion-dollar investment was discussed. Instead of simply monitoring the mailbox and creating a rule to automatically forward emails (as BEC scammers usually do), the attackers registered two new domains that almost matched the real domains of the target companies.
The first domain was almost identical to the domain of the Israeli startup, but with an extra letter “S” at the end. The second domain was similar to the domain of the Chinese venture company, again with an extra letter “S”.
Using these domains, the attackers sent two emails to their victims with the same subject line they had found in the original message: in one they posed as the CEO of the startup, in the other as the account manager from the venture company. In this way the fraudsters inserted themselves into the correspondence, carrying out a man-in-the-middle attack: both parties were now corresponding with the hackers.
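One mail-gateway check that would have caught the extra-letter domains described above, written as an added example rather than code from Check Point or the companies involved: it flags any inbound sender whose domain is one edit (an inserted, deleted, substituted or swapped character) away from a trusted partner domain. The domain names and message headers are constructed placeholders, since the report does not name the real ones.

```python
import re
from email.utils import parseaddr

# Constructed sample values (the report does not name the real domains).
TRUSTED_DOMAINS = {"startup.example", "venture.example"}

def one_edit_apart(a: str, b: str) -> bool:
    """True if a and b differ by one insertion, deletion, substitution or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a  # keep a as the shorter string
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1  # i is the first position where the strings differ
    if len(a) == len(b):  # substitution or adjacent transposition at i
        return a[i + 1:] == b[i + 1:] or (
            a[i:i + 2] == b[i:i + 2][::-1] and a[i + 2:] == b[i + 2:])
    return a[i:] == b[i + 1:]  # one character inserted into the longer string

def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None  # genuine partner domain, nothing to flag
    for trusted in TRUSTED_DOMAINS:
        if one_edit_apart(domain, trusted):
            return trusted
    return None

def flag_lookalike_senders(raw_messages):
    """Parse From/Subject headers and report senders on one-edit-off domains."""
    findings = []
    for raw in raw_messages:
        headers = dict(re.findall(r"^(From|Subject): (.*)$", raw, re.M))
        _, addr = parseaddr(headers.get("From", ""))
        imitated = lookalike_of(addr.rpartition("@")[2])
        if imitated:
            findings.append((addr, imitated, headers.get("Subject", "")))
    return findings

# Constructed messages mirroring the case: one genuine thread message, two impostors.
SAMPLE_MESSAGES = [
    "From: CEO <ceo@startup.example>\nSubject: Re: Seed round wiring details\n\nGenuine.",
    "From: CEO <ceo@startups.example>\nSubject: Re: Seed round wiring details\n\nExtra S.",
    "From: Manager <am@ventures.example>\nSubject: Re: Seed round wiring details\n\nExtra S.",
    "From: News <news@other.example>\nSubject: Weekly digest\n\nUnrelated.",
]
```

Running `flag_lookalike_senders(SAMPLE_MESSAGES)` reports only the two impostor senders; a real deployment would feed the partner list from the address book and route hits to quarantine or a visible banner.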
The correspondence turned out to be very long and detailed. In total, the attackers sent 18 emails to the Chinese venture company and 14 to the Israeli startup, and only then was the money transferred: the investment went to an account kindly supplied by the scammers.
Moreover, at one point the account manager from the venture company and the CEO of the startup scheduled a meeting in Shanghai, which put the attackers' whole operation at risk. But the hackers were not fazed: they sent emails to both sides, each time inventing plausible reasons and excuses for cancelling the upcoming meeting.
Interestingly, after successfully stealing the million dollars, the hackers did not retreat but kept the attack going, maintaining contact and apparently waiting for the next round of investment. The researchers say that the finance director of the Israeli startup still receives at least one email a month from the fake CEO account asking him to make another transfer.
So far the researchers have not been able to learn anything about the criminals, apart from the fact that they are probably located in Hong Kong. Check Point experts note that defending against such attacks is not difficult: a phone call or an in-person meeting with partners now and then would have exposed the impostors, and it is also worth keeping audit and access logs to ensure the integrity of the mail infrastructure.