Fraudsters stole a million dollars by deceiving two IT companies in correspondence

Check Point experts talked about an interesting case: scammers stole a million dollars, quietly invading the correspondence of two unnamed companies (an Israeli startup and a Chinese venture firm).

“Imagine that you are the owner of a startup and are waiting for the initial round of financing in the amount of one million dollars, but the money fail to appear on your bank account. Or imagine that you are the head of a venture company that believes that it has transferred investment funds to one of the startups in its portfolio, but these funds have never reached the other side”, – describe the researchers.

The ongoing investigation quickly helped startup representatives and their investors identify something strange: the emails that parties exchanged changed, with some of them were written by foreigners. At this stage, cybercriminalists joined investigation of the case, having studied all available logs, letters and computers of employees.

Read also: Amazon Introduces Access Analyzer – Cloud Basket Security Monitoring Service

As it turned out, in this case, the specialists were dealing with not a classic business email compromise (BEC) fraud. Unknown attackers managed to compromise the account of one of the startup employees and, a few months before making a money transaction, found correspondence in which the upcoming multimillion-dollar investments were discussed. Instead of starting to track emails, creating a rule to automatically forward emails (as BEC scammers usually do), the attackers registered two new domains that almost coincided with the real domains of the target companies.

“The first domain was almost identical to the domain of the Israeli startup, but with an additional letter“ S ”at the end. The second domain was similar to the domain of a Chinese venture company, but also had the additional letter “S”, – say Check Point researchers.

Using these domains, the attackers sent two letters to their victims with the same heading that they found in the original message: in one message they pretended to be the CEO of the startup, and in the second, to be the client manager from the venture company. Thus, fraudsters infiltrated the correspondence, carrying out man in the middle attack, so, both parties corresponded with hackers.

The correspondence history came out very long. In total, the attackers sent 18 letters to a Chinese venture company and 14 messages to an Israeli startup, and only after that, was made money transfer: the investments went to an account kindly provided by scammers.

“Moreover, at some point, the client manager from the venture company and the CEO of the startup scheduled a meeting in Shanghai, thereby jeopardizing the entire operation of the attackers. However, the hackers were not at a loss and sent letters to both sides, in each case coming up with plausible reasons and excuses for canceling the upcoming meeting”, – say Check Point experts.

Interestingly, after successfully stealing a million dollars, the hackers did not back down and continued the attack, maintaining contact and allegedly waiting for the next round of investments. So, the researchers say that the finance director of an Israeli startup still receives at least one letter per month sent from a fake account of the CEO, where he is asked to make another transaction.