The million-dollar heist - How scammers defrauded a VC company over email
An Israeli startup and Chinese VC firm were scammed to the tune of $1 million through a series of spoofed emails and fake domains
When you think of cyber attacks, you might imagine highly skilled hackers huddled in a dark room, using extremely high-tech tools to sneak their way past sophisticated security protocols. The reality, however, is usually much more mundane.
A case in point is a recent incident involving a Chinese venture capital firm, an Israeli startup and an ill-fated $1 million wire transfer. And all it took was two web domains, 32 emails and a little social engineering.
Security researchers at Check Point explained how hackers hijacked $1 million by intercepting a wire transfer between a venture capital firm in China and an Israeli startup—without triggering any red flags.
The firms in question, whose names haven’t been made public, first realised something was wrong when the promised funds never came through. Further investigations of the server logs, emails, and the computers involved revealed that some emails had been modified, while others were never written by either party.
It turns out that the email exchange between the two companies was being secretly monitored by a middleman. On seeing the original email thread about the upcoming multi-million dollar funding, the hacker took action.
Instead of just monitoring further emails by creating an auto-forwarding rule (fairly standard for traditional attacks), the hacker went about creating two lookalike domains.
“The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name,” Check Point said. “The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.”
From there, the attacker sent fake emails to each party, posing as representatives of the other side. They edited the emails to include bogus information and banking details, then forwarded them from each lookalike domain to its original destination.
Throughout this process, the hacker sent dozens of emails to both parties, setting the stage for a compromised bank transfer. At one point, the VC account manager and startup CEO even scheduled a face-to-face meeting in Shanghai, which the hacker managed to avoid by making up a string of excuses. In any event, the initial fund transfer of $1 million was carried out with the hacker-supplied banking details.
Scams like this show why technology solutions need human awareness and support to be fully effective. All companies need to have secondary protection mechanisms like verbal confirmation in place, especially when a large amount of money or highly sensitive information is at stake.
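Alongside verbal confirmation, a mail gateway or triage script can flag sender domains that sit one or two characters away from a known counterparty, which covers the appended 's' used in this incident. The Python below is an added example, not code from Check Point or the original article; the domains, function names and distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed placeholder domains (assumption); replace with real counterparties.
TRUSTED_DOMAINS = {"startup.example", "vcfirm.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) using two DP rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute or match
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify_sender(from_header: str, max_distance: int = 2):
    """Return (verdict, matched_trusted_domain).

    verdict is 'trusted' for an exact match, 'lookalike' when the domain is
    within max_distance edits of a trusted domain, otherwise 'unknown'.
    """
    domain = sender_domain(from_header)
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(domain, trusted) <= max_distance:
            return ("lookalike", trusted)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample From: headers, not taken from the incident.
    for header in ("Dana <dana@startup.example>",
                   "Dana <dana@startups.example>",
                   "Lee <lee@vcfirms.example>",
                   "Bob <bob@unrelated.example>"):
        print(header, "->", classify_sender(header))
```

A 'lookalike' verdict on a thread that discusses payment details is a reason to hold the message and confirm through a separate channel before acting on it.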
For any organisation, cybersecurity is a cultural challenge as much as it is a technical one, which is why cyber awareness and training need to be baked into the company’s culture. People are your greatest cybersecurity asset and every little bit of training goes a long way in improving your overall cybersecurity posture.