[Cryptography] that endangered species, the email mitm, spotted in the wild

iang iang at iang.org
Thu Dec 5 17:18:23 EST 2019

Being one of those who has said repeatedly for decades that we got the 
whole threat model thing precisely backwards, because there is 
approximately zero evidence of that mythical beast, the MITM, can only 
present myself for castigation - here's an actual MITM over email 
spotted in the wild.  Which of course now justifies 3 decades of trying 
and failing to secure email... We must try & fail harder.


Tech by VICE <https://www.vice.com/en_us/section/tech>
Hackers Trick Venture Capital Firm Into Sending Them $1 Million

A Chinese VC firm and an Israeli startup had the money stolen right out 
from under their noses thanks to spoofed emails and bogus domains.
by Karl Bode <https://www.vice.com/en_us/contributor/karl-bode>
Dec 5 2019, 1:00pm

Security researchers at Check Point say the company has uncovered 
evidence that Chinese hackers managed to hijack $1 million in seed money 
during a wire transfer between a Chinese venture capital firm and an 
Israeli startup—without either side realizing anything was wrong.

The VC firm and the startup, whose names Check Point hasn’t released, 
reached out to the security firm after the funds failed to arrive. Once 
Check Point dug into the details, it discovered a man in the middle 
attack that took a lot of planning and plenty of patience.

After analyzing the server logs, emails, and the computers involved in 
correspondence between the companies, Check Point noticed some 
abnormalities. Some of the emails, analysts discovered, had been 
modified. Others hadn’t even been written by either organization.

After seeing the original email thread announcing the upcoming 
multi-million dollar seeding fund, the hacker took action. Instead of 
monitoring subsequent emails by creating an auto forwarding rule 
(standard practice in traditional attacks), the hacker started by 
creating two lookalike domains.

“The first domain was essentially the same as the Israeli startup 
domain, but with an additional ‘s’ added to the end of the domain name,” 
Check Point said. “The second domain closely resembled that of the 
Chinese VC company, but once again added an ‘s’ to the end of the domain 

 From there, the attacker sent two emails with the same subject header 
as the original email—one posing as the starup’s CEO from the copycat 
startup domain—and a second sent to the Israeli startup from the copycat 
Chinese VC firm domain, spoofing the email address of the VC account 

That opened the door to a man in the middle attack whereby every email 
sent by each side of the exchange was in reality sent to the attacker, 
who then edited the emails to include bogus information and banking 
details, then forwarded them from each lookalike domain to its original 

Throughout this process, the hacker sent a total of 18 emails to the 
Chinese VC firm and 14 to the Israeli startup ahead of the compromised 
bank transfer. At one point, the VC account manager and startup CEO 
scheduled a meeting in Shanghai, putting the hijack at risk. So the 
hacker sent emails to both sides, making up different excuses to cancel 
the meeting:


“Patience, attention to detail and good reconnaissance on the part of 
the attacker made this attack a success,” Check Point said.

After successfully using the man in the middle attack to hijack the 
funds, the attacker, who still hasn’t been identified beyond his origins 
in Hong Kong, tried to go after another round of VC investment money. 
The CFO of the Israeli startup continues to receive one email a month 
from the spoofed CEO account, urging him to conduct another wire 
transaction, Check Point said.

The security firm says there’s several things companies can do to avoid 
a similar fate.

That includes adding a second verification by calling the person who 
asked for the transfer, keeping audit and access logs for at least six 
months to ensure the integrity of your email infrastructure, retaining 
as much evidence as possible when dealing with suspected hackers, and 
using tools to help spot duplicative, phony domains.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.metzdowd.com/pipermail/cryptography/attachments/20191206/3d1261c1/attachment.htm>

More information about the cryptography mailing list