$1 million in venture capital funding intended for an Israeli startup was diverted to an attacker-controlled bank account in an elaborate wire transfer email scam. The money was being transferred from a Chinese VC firm and was intended to help the Israeli firm kick-start its business.
The scam was uncovered by researchers at Check Point Software, who called it the “ultimate man-in-the-middle attack.” The researchers investigated when the funding failed to arrive after the Chinese VC firm confirmed that the money had been sent.
These sorts of scams are fairly common and involve the attacker setting up a forwarding rule so that email communications between two parties are intercepted and altered without the knowledge of either party. In this scam, the attackers went a step further and registered two lookalike domains that differed only slightly from the domains they were spoofing.
One of the domains was exactly the same as the one used by the Israeli startup, albeit with an additional s in the domain name. The same was true of the second domain: an extra s was added, but otherwise the domain was exactly the same as the one used by the Chinese VC company. Two emails were then sent, one to the Israeli company’s CEO and one to the Chinese VC company’s account manager. The attacker had copied the headline from a message thread from a genuine email conversation between the two companies.
Since the domains were controlled by the attacker, all emails between the CEO and the account manager were actually sent to the attacker, were changed, and then sent on. Both parties believed they were communicating with each other.
In total, 32 messages were sent by the attacker, 18 to the Chinese VC firm and 14 to the Israeli startup. The bank account details for the wire transfer were changed so the payment was directed to an account controlled by the attacker, and the wire transfer was performed. The account was held at a bank in Hong Kong and belonged to a closed business.
The scammers also cancelled a meeting that was scheduled to take place in Shanghai between the CEO of the Israeli startup and the Chinese account owner. This cancellation ensured that the scam was not detected, as the bank account details for the transfer would likely have been checked at the meeting.
That would have been that with most heists, but it didn’t stop there. The attacker continued to communicate with both parties in an attempt to obtain yet more funding from the VC firm.
The lesson learned from the attack? Before any sizable bank transfer is made, ensure that the bank account details are double-checked and confirmed by telephone or a medium other than email.
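The lookalike domains described above differed from the real ones by a single added letter, which is something a mail filter can check for. The following is an added example, not taken from the Check Point research: it flags sender domains that are one character edit away from a known counterparty's domain, generalizing the extra-s case to any single insertion, deletion or substitution. The domain names and the allow-list are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of counterparties' real domains (assumption, not from the article).
TRUSTED_DOMAINS = {"acmestartup.example", "dragonvc.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lowercased domain from a From header value ('' if none)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    domain = sender_domain(from_header)
    if not domain:
        return ("unknown", None)
    if domain in trusted:
        return ("trusted", domain)
    for real in sorted(trusted):
        if edit_distance(domain, real) <= max_distance:
            return ("lookalike", real)  # near miss of a known partner: hold for review
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From headers.
    for hdr in ['"CEO" <ceo@acmestartup.example>',
                '"CEO" <ceo@acmestartups.example>',
                'Account Manager <am@dragonvcs.example>',
                'news@unrelated.example']:
        print(hdr, "->", classify_sender(hdr))
```

A lookalike result means the message should be held for review before anyone acts on it; the same function can be applied to the Reply-To header.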