'Ultimate' MiTM Attack Steals $1M from Israeli Startup

Hackers pulled off an elaborate man-in-the-middle campaign to rip off an Israeli startup by intercepting a wire transfer from a Chinese venture-capital firm intended for the new business.

New research by Check Point Software details how the security vendor uncovered the wire-transfer heist, in which an attacker used unique tactics—including communicating through email and even canceling a critical in-person meeting–to fool both parties on either end of the transfer, researchers said.

Check Point became involved in the incident when a $1 million wire-transfer made between the two parties never reached the startup, researchers said in a report posted online Thursday.

Typically in this type of cybercrime, a criminal will keep track of emails between the two parties arranging a wire transfer by creating an auto-forwarding rule to intercept them. In this case, the attacker went a above and beyond this, registering two new lookalike domains to get more closely involved in the action, researchers said.

Check Point researchers collected and analyzed the available logs, e-mails and PCs involved in the transfer, they said. What they discovered was that it was obvious upon examining the emails involved in the transfer that something was amiss, observing the activity between the lookalike domains and the two companies.

“The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name,” researchers wrote. “The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.”

To appear as if communication with the companies was legitimate, the attacker then sent two emails with the same headline as the original thread. The first was to the VC from the Israeli lookalike domain spoofing the email address of the Israeli startup’s CEO, and the second to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled the investment, researchers said.

“This infrastructure gave the attacker the ability to conduct the ultimate man-in-the-middle attack,” researchers wrote. “Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.”

Indeed, the attackers sent 18 emails to the VC firm and 14 to the startup in the course of the campaign to disrupt the transaction and modify bank details so the wire eventually was sent to an account that attackers could access. Check Point traced the stolen money to a bank account belonging a closed business in Hong Kong, researchers said.

Attackers even managed to use this communication to cancel a meeting that was scheduled in Shanghai between the Chinese owner of the account where the transfer was headed and the CEO of the Israeli startup, researchers said. The hackers sent separate emails to each party that used different excuses for the cancellation, according to Check Point.

“Without this crucial act from the attacker’s side, the whole operation would probably have failed,” researchers said. “It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made.”

This act in and of itself showed that the attackers had experience, but what they did after they successfully pulled off their heist showed another level of arrogance, researchers said.

“Instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment,” they wrote in their report.

Even after the parties affected by the attack remediated it, the CFO of the Israeli startup continues to receive one email every month from the spoofed CEO account that asks him to perform a wire transaction, researchers added.

The attack is a cautionary tale to anyone using wire transfers to send significant sums of money to put safeguards in place before the transaction goes through to ensure it can’t be intercepted by a third party, and then to have incident response in place after to handle any crisis scenario immediately, researchers said.

Check Point offered a number of recommendations to avoid scenarios like the one they uncovered, including: adding a second verification to ensure the transaction made it to the intended party directly after sending it; keeping audit and access logs; maintaining all evidence of the transaction in case an investigation is needed; and using tools to identify any look-alike domains that may have been registered and appear suspect.

Threatpost Webinar:_Risk around third-party vendors is real and can lead to data disasters. We rely on third-party vendors, but that doesn’t mean forfeiting security. _Join us on Dec. 18th at 2 pm EST_ as Threatpost looks at managing third-party relationship risks with industry experts Dr. Larry Ponemon, of Ponemon Institute; Harlan Carvey, with Digital Guardian and Flashpoint’s Lance James. _Click here to register.