Researchers at leading cyber-security company Check Point have revealed how Chinese hackers were able to steal $1 million from a Chinese venture capital firm through a simple but convincing business email compromise (BEC) scam.
The $1M was seed funding that was intended for an Israeli start-up company. Neither the VC nor the start-up suspected anything was wrong, until the start-up realized they hadn’t received the funding. Both sides then got on the phone and quickly realised that the money had been stolen.
The companies (not named by Check Point), reached out to Check Point’s incident response team once they were aware of the theft. After analysing the server logs, emails, and the computers involved in correspondence between the companies, Check Point uncovered a carefully-planned and executed man-in-the-middle attack. Some of the emails between the VC firm and the start-up had been intercepted and modified. Others hadn’t even been written by either organization.
After seeing the original email thread announcing the upcoming multi-million dollar seeding fund, the hacker took action, creating two lookalike domains. The first domain was essentially the same as the Israeli start-up domain, but with an additional ‘s’ added to the end of the domain name. The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.
The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli start-up’s CEO.
The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain spoofing the VC account manager that handled this investment. This infrastructure gave the attacker the ability to conduct the attack.
Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination. Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.
At one point, the VC account manager and start-up CEO scheduled a meeting in Shanghai, putting the hijack at risk. So the hacker sent emails to both sides, making up different excuses to cancel the meeting.
The origin of the attack has been traced to Hong Kong, but the attacker is still at large with the stolen $1M, and continues to send emails to both parties, urging them to make more wire transactions.
Check Point says there are six actions companies can take to avoid a similar fate.