Losing a million dollars to fraudsters via business email compromise (BEC) is no joke. Here’s what happened…

Imagine that you’re the owner of a startup and waiting for a million dollar seed round of funding, only it never shows up in your bank account. Or imagine you’re the head of a venture capital firm who believes you’ve wired investment funds to one of the startups in your portfolio, yet the funds never appeared on the other side.

This is a real case that was investigated by the Check Point Incident Response Team (CP IRT) earlier this year (2019).

A Chinese venture capital firm was alerted by their bank that there was an issue with one of their recent wire transactions. A few days later, a young Israeli startup realized they didn’t receive their one million dollar seed funding. Both sides got on the phone and quickly realized that their money was stolen.

Once both sides realized the money was gone, they also noticed something strange going on with the emails between the two parties, as some of the emails were modified and some were not even written by them.

At this point the CEO of the Israeli startup engaged CP IRT to investigate the fraudulent money transfer. What started as a normal Business Email Compromise (BEC) quickly turned into something else.

Lookalike domains

Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million dollar seed funding and decided to do something about it. Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register two new lookalike domains.

The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name. The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.

The attacker then sent two emails to both companies with the same subject line as the original thread. This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.

Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.

Smart intervention

At one point during the attack, the Chinese account owner and the CEO of the Israeli startup scheduled a meeting in Shanghai. At the last moment, the attacker sent an email to both sides canceling the meeting, providing a different excuse for why they couldn’t meet to each. 

Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made.

This was an unacceptable risk for the attacker, so he took steps to make sure it wouldn’t happen. This is the sign of an experienced attacker.

What would you do if you realized you just managed to steal one million dollars? Go on a vacation? Buy a nice car? Not our attacker. In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) went after another round of the VC investment.

If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction.

Lessons learned

1. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer, or calling the receiving party.

2. Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an afterthought.

3. Always capture as much forensic evidence as possible when dealing with suspected or confirmed cybersecurity incidents. Deleting a piece of evidence only assists the attacker. Capturing evidence promptly when the incident occurs can also ensure important logs and evidence are not overwritten.

4. Leverage a tool to identify newly registered domains that are look-alikes to your own domain name.

5. Have an Incident Response Plan and Tactical IR Playbooks ready ahead of time! Knowing what to do before a crisis arises streamlines response activity and decreases the time it takes to remediate.
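As an illustration of lesson 4, here is a small check (an added example, not Check Point's tooling) that flags domains that are one character away from a trusted domain, including the appended 's' pattern seen in this case. It goes beyond that one pattern to any single-character edit; the domain names and From: headers are constructed placeholders, and the same classify() function could be run over a newly-registered-domain feed instead of inbound senders.

```python
from email.utils import parseaddr

# Constructed placeholder domains standing in for the two real parties.
TRUSTED = {"startup-example.com", "vc-example.cn"}

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, trusted=TRUSTED, max_distance=1):
    """Return (verdict, matched trusted domain or None).
    Assumes registrable domains (no subdomains) are passed in."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    name, _, suffix = domain.partition(".")
    for t in sorted(trusted):
        t_name, _, t_suffix = t.partition(".")
        # The exact pattern from this case: an 's' appended to the name.
        if name == t_name + "s" and suffix == t_suffix:
            return "lookalike-appended-s", t
        # Any other single-character insert, delete or substitution.
        if edit_distance(domain, t) <= max_distance:
            return "lookalike-near-match", t
    return "unrelated", None

def flag_senders(from_headers, trusted=TRUSTED):
    """Return (address, verdict, impersonated domain) for lookalike senders."""
    hits = []
    for header in from_headers:
        _, addr = parseaddr(header)
        verdict, match = classify(addr.rpartition("@")[2], trusted)
        if verdict.startswith("lookalike"):
            hits.append((addr, verdict, match))
    return hits

# Constructed From: headers, as they might appear in a mail gateway log.
SAMPLE_FROM = [
    "Dana <dana@startup-example.com>",
    "Dana <dana@startup-examples.com>",
    "Li <li@vc-examples.cn>",
    "News <news@unrelated-example.org>",
]

if __name__ == "__main__":
    for hit in flag_senders(SAMPLE_FROM):
        print(hit)
```

Messages from a flagged domain are good candidates for quarantine or an out-of-band phone check before any payment detail in them is acted on.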
