A series of spoofed emails enabled a Hong Kong-based hacker to make off with a million dollars

Researchers at Check Point, the leading cyber-security company, have revealed how Chinese hackers were able to steal $1 million from a Chinese venture capital firm using a simple but convincing business email compromise (BEC) scam.

The $1M was seed funding and was intended for an Israeli start-up company.  Neither the VC nor the start-up suspected anything. It was only when the start-up realized they hadn’t received the funding. Both sides then got on the phone and quickly realized that the money had been stolen.

The companies, reached out to Check Point’s incident response team once they were aware of the theft. After analyzing the server logs, emails, and the computers involved in correspondence between the companies, Check Point uncovered a carefully-planned and executed man-in-the-middle attack. Some of the emails between the VC firm and the start-up had been intercepted and modified. Others hadn’t even been written by either organization.

After seeing the original email thread announcing the upcoming multi-million dollar seeding fund, the hacker took action, creating two lookalike domains.  The first domain was essentially the same as the Israeli start-up domain, but with an additional ‘s’ added to the end of the domain name. The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.

The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli start-up’s CEO.

Image from Check Point’s blog(https://research.checkpoint.com/2019/incident-response-casefile-a-successful-bec-leveraging-lookalike-domains/)[/caption]

The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain spoofing the VC account manager that handled this investment.  This infrastructure gave the attacker the ability to conduct the attack.

Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.  Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.

At one point, the VC account manager and start-up CEO scheduled a meeting in Shanghai, putting the hijack at risk. So, the hacker sent emails to both sides, making up different excuses to cancel the meeting.

The origin of the attack has been traced to Hong Kong, but the attacker is still at large with the stolen $1M and continues to send emails to both parties, urging them to make more wire transactions.

Check Point recommends six actions companies can take to avoid a similar case.

1. Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
2. Educate your employees about the trending threat in the email space.
3. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
4. Ensure your email infrastructure is able to keep audit & access logs for at least six months. In start-up mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
5. Always capture as much forensic evidence as possible when dealing with suspected or confirmed cybersecurity incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also ensure important logs and evidence are not overwritten.
6. Leverage a tool to identify newly registered domains that are look-alikes to your own domain name.

Roca Networks is a next-generation Managed IT & Security Service Provider. Experienced in IT Security and Cloud, Roca Networks helps companies grow their business by recommending, implementing and maintaining the best technologies available on the market today. As a managed security service provider we only partner with top solutions providers like Check Point Software Technologies. We are a Value-Added Reseller of Check Point and we can provide turn-key deployments and managed security services. If you need any assistance concerning IT Security, leave us an email at info@rocanetworks.com. We will make sure one of our experts will contact and assist you.

‍