Fraudsters stole a million dollars by deceiving two IT companies in correspondence

Check Point researchers have described an instructive case: scammers stole a million dollars by quietly inserting themselves into the email correspondence between two unnamed companies, an Israeli startup and a Chinese venture capital firm.

The young Israeli startup discovered that its seed funding had never arrived: a million dollars had disappeared somewhere between the investor and its bank account.

“Imagine that you are the owner of a startup and are waiting for the initial round of financing in the amount of one million dollars, but the money fails to appear in your bank account. Or imagine that you are the head of a venture company that believes it has transferred investment funds to one of the startups in its portfolio, but these funds have never reached the other side,” the researchers write.

The initial investigation quickly led the startup and its investors to something strange: the emails the two parties had exchanged had been altered, and some of them had been written by outsiders. At this point digital forensics specialists joined the case and examined all available logs, messages and employee computers.


As it turned out, the specialists were not dealing with a classic business email compromise (BEC) fraud. The unknown attackers had compromised the account of one of the startup's employees and, several months before the transfer, found correspondence discussing the upcoming multimillion-dollar investment. Instead of monitoring the mailbox or creating a rule to automatically forward messages (the usual BEC approach), the attackers registered two new domains that nearly matched the real domains of the target companies.

“The first domain was almost identical to the domain of the Israeli startup, but with an additional letter ‘S’ at the end. The second domain was similar to the domain of the Chinese venture company, but also had the additional letter ‘S’,” say the Check Point researchers.

Using these domains, the attackers sent each victim a message with the same subject line as the original thread: in one message they posed as the startup's CEO, in the other as the account manager at the venture firm. In effect, the fraudsters performed a man-in-the-middle attack on the correspondence: from that point on, both parties were exchanging email with the attackers rather than with each other.
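To make the lookalike-domain trick concrete, here is an added example (not Check Point's code and not from the page) that screens the sender-related headers of an email against a maintained list of partner domains and flags any domain within one edit of a trusted one, which catches the "extra letter at the end" case described above as well as single-character swaps. The partner domains, addresses and messages are constructed for illustration.

```python
"""Flag mail whose sender domain is a near-match for a trusted partner domain.

Added example, not Check Point's code. The domains, addresses and messages
below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

# Hypothetical partner domains; an organisation would maintain this list by hand.
TRUSTED_DOMAINS = {"startup.example", "venture.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain that `domain` imitates, or None.

    An exact trusted domain is not a lookalike. Distance 1 covers one
    appended letter (the case in the article) and single-character swaps.
    """
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def _domain(header_value) -> str:
    """Extract the lower-cased domain from an address header, '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw: str, trusted=TRUSTED_DOMAINS):
    """Return (header, domain, imitated_domain) findings for one raw message.

    From, Reply-To and Return-Path are all checked because a fraudster can
    leave From looking legitimate and steer replies elsewhere via Reply-To.
    """
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To", "Return-Path"):
        dom = _domain(msg.get(header))
        if not dom:
            continue
        target = lookalike_of(dom, trusted)
        if target:
            findings.append((header, dom, target))
    return findings


# Constructed sample messages (not real traffic).
LEGIT = """From: CEO <ceo@startup.example>
To: manager@venture.example
Subject: Re: Investment round

Wire instructions attached.
"""

SPOOFED = """From: CEO <ceo@startups.example>
Reply-To: ceo@startups.example
To: manager@venture.example
Subject: Re: Investment round

Please use the updated bank details.
"""

REPLY_TO_SWAP = """From: Manager <manager@venture.example>
Reply-To: manager@ventures.example
To: ceo@startup.example
Subject: Re: Investment round

Confirming the transfer date.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED), ("reply-to swap", REPLY_TO_SWAP)):
        print(name, check_message(raw))
```

Run over an exported mailbox or a mail-gateway log, this is a cheap tripwire; the edit-distance threshold should stay small, since distance 2 or more starts matching unrelated short domains.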

The resulting correspondence was long. In total the attackers sent 18 messages to the Chinese venture firm and 14 to the Israeli startup before the money moved: the investment went to a bank account supplied by the scammers.

“Moreover, at some point the account manager from the venture company and the CEO of the startup scheduled a meeting in Shanghai, thereby jeopardizing the attackers' entire operation. However, the hackers were not at a loss and sent letters to both sides, in each case coming up with plausible reasons and excuses for canceling the upcoming meeting,” say the Check Point experts.

Interestingly, after successfully stealing the million dollars the attackers did not withdraw; they kept the attack going, maintaining contact and apparently waiting for the next funding round. According to the researchers, the Israeli startup's finance director still receives at least one email a month from the fake CEO account asking him to make another transfer.

So far the researchers have learned nothing about the criminals beyond the fact that they are probably operating from Hong Kong. Check Point notes that defending against this kind of attack is not difficult: verify large transfers and changes to payment details by phone or in person with partners at least occasionally, and keep audit and access logs for the mail infrastructure so that account compromise and tampering with correspondence can be detected.

About Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
