dcn-as logo
Story image

How to steal $1 million by email: Check Point researchers detail million-dollar fraud against Chinese VC firm

09 Dec 2019

Researchers at cybersecurity company Check Point have revealed how Chinese hackers were able to steal $1 million from a Chinese venture capital firm through a simple but convincing business email compromise (BEC) scam.

The $1M was seed funding that was intended for an Israeli startup company.

Neither the VC nor the startup suspected anything was wrong until the startup realized they hadn’t received the funding.

Both sides then got on the phone and quickly realised that the money had been stolen.

The companies (not named by Check Point), reached out to Check Point’s incident response team once they were aware of the theft.

After analysing the server logs, emails, and the computers involved in correspondence between the companies, Check Point uncovered a carefully-planned and executed man-in-the-middle attack.

Some of the emails between the VC firm and the startup had been intercepted and modified.

Others hadn’t even been written by either organization.

After seeing the original email thread announcing the upcoming multi-million dollar seeding fund, the hacker took action, creating two lookalike domains.

The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name.

The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.

The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s CEO.

The second email was sent to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled this investment.

This infrastructure gave the attacker the ability to conduct the attack.

Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.

Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side.

Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.

At one point, the VC account manager and startup CEO scheduled a meeting in Shanghai, putting the hijack at risk.

So the hacker sent emails to both sides, making up different excuses to cancel the meeting.

The origin of the attack has been traced to Hong Kong, but the attacker is still at large with the stolen $1M, and continues to send emails to both parties, urging them to make more wire transactions.

Check Point says there are six actions companies can take to avoid a similar fate.

  1. Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
     
  2. Educate your employees about the trending threat in the email space.
     
  3. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
     
  4. Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
     
  5. Always capture as much forensic evidence as possible when dealing with suspected or confirmed cybersecurity incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
     
  6. Leverage a tool to identify newly registered domains that are look-alikes to your own domain name.
Story image
Server market and ESS revenues slump as COVID-19 spreads - IDC
The enterprise storage systems market as well as server markets will see declines in the first two quarters of 2020, but are expected to recover near the end of the year, according to IDC.More
Story image
Asia home to half of the world's internet users
Asia has 2.3 billion internet users, which equated to 50.3% of the world’s internet user population.More
Story image
Energy efficiency, decent budgets and strong teams crucial for data centre projects
“Having the key personnel and external partners is critical to the long-term success of any data centre project, so the time required to assemble that team needs to be factored into any transformation project.”More
Story image
Kingsoft reports rise in revenue during 'turbulent' time
"Looking ahead, we see a clear momentum of growth across all our business segments driven by increasing customer demand. We are confident to meet our performance targets in the coming year and create long-term value for our shareholders."More
Story image
CompTIA launches COVID-19 resources forum for tech industry
IT and tech industry forum CompTIA has created an interactive online forum dedicated to serving technology firms and workers during the COVID-19 pandemic.More
Story image
China's cloud companies support fight against COVID-19
Canalys states that all three cloud companies have responded quickly to COVID-19, providing governments, businesses, research institutions and students access to services such as on-demand compute and artificial intelligence.More