Check Point researchers uncover how to steal $1 million by email
Researchers at cybersecurity company Check Point have revealed how Chinese hackers were able to steal $1 million from a Chinese venture capital firm through a simple but convincing business email compromise (BEC) scam.
The $1M was seed funding that was intended for an Israeli startup company.
Neither the VC nor the startup suspected anything was wrong until the startup realized they hadn’t received the funding.
Both sides then got on the phone and quickly realised that the money had been stolen.
The companies (not named by Check Point), reached out to Check Point’s incident response team once they were aware of the theft.
After analysing the server logs, emails, and the computers involved in correspondence between the companies, Check Point uncovered a carefully-planned and executed man-in-the-middle attack.
Some of the emails between the VC firm and the startup had been intercepted and modified.
Others hadn’t even been written by either organization.
After seeing the original email thread announcing the upcoming multi-million dollar seeding fund, the hacker took action, creating two lookalike domains.
The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name.
The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.
The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s CEO.
The second email was sent to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled this investment.
This infrastructure gave the attacker the ability to conduct the attack.
Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.
Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side.
Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.
At one point, the VC account manager and startup CEO scheduled a meeting in Shanghai, putting the hijack at risk.
So the hacker sent emails to both sides, making up different excuses to cancel the meeting.
The origin of the attack has been traced to Hong Kong, but the attacker is still at large with the stolen $1M, and continues to send emails to both parties, urging them to make more wire transactions.
Check Point says there are six actions companies can take to avoid a similar fate.
- Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
- Educate your employees about the trending threat in the email space.
- When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
- Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
- Always capture as much forensic evidence as possible when dealing with suspected or confirmed cybersecurity incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
- Leverage a tool to identify newly registered domains that are look-alikes to your own domain name.