<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p><tt><font size="+1">Being one of those who has said repeatedly
for decades that we got the whole threat model thing precisely
backwards, because there is approximately zero evidence of
that mythical beast, the MITM, can only present myself for
castigation - here's an actual MITM over email spotted in the
wild. Which of course now justifies 3 decades of trying and
failing to secure email... We must try & fail harder.<br>
</font></tt></p>
<p><tt><font size="+1"><br>
</font></tt></p>
<p><tt><font size="+1"><a class="moz-txt-link-freetext" href="https://www.vice.com/en_us/article/mbmmaq/hackers-trick-venture-capital-firm-into-sending-them-dollar1-million">https://www.vice.com/en_us/article/mbmmaq/hackers-trick-venture-capital-firm-into-sending-them-dollar1-million</a></font></tt></p>
<p><tt><font size="+1"><br>
</font></tt></p>
<p><tt><span>
Hackers Trick Venture Capital Firm Into Sending Them $1
Million
<div class="article-heading-v2__header-dek-wrapper"><br>
A Chinese VC firm and an Israeli startup had the money
stolen right out from under their noses thanks to spoofed
emails and bogus domains.
<div class="article-heading-v2__contributions ff--body
size--5 lh--body">
<div class="article-heading-v2__contributors
dsp-inline--xs"><span class="contributor__by">by </span><a
class="contributor__link bb--link fw--bold"
title="Karl Bode"
href="https://www.vice.com/en_us/contributor/karl-bode">Karl
Bode</a></div>
<div class="article-heading-v2__contributors-rest
m-t-2--xs">
<div class="short-form-v2__body__content p402_premium">Dec
5 2019, 1:00pm
<div class="article-keep-reading">
<div class="article-keep-reading__children-container
m-t-5--xs" tabindex="-1">
<div data-type="body-text" class="article__body
article__body dsp-block-xx ff--body-article
size--article lh--body">
<p> Security researchers at Check Point say the
company has uncovered evidence that Chinese
hackers managed to hijack $1 million in seed
money during a wire transfer between a Chinese
venture capital firm and an Israeli
startup—without either side realizing anything
was wrong. </p>
<p> The VC firm and the startup, whose names
Check Point hasn’t released, reached out to
the security firm after the funds failed to
arrive. Once Check Point dug into the details,
it discovered a man in the middle attack that
took a lot of planning and plenty of patience.<br>
<br>
After analyzing the server logs, emails, and
the computers involved in correspondence
between the companies, Check Point noticed
some abnormalities. Some of the emails,
analysts discovered, had been modified. Others
hadn’t even been written by either
organization. <br>
<br>
After seeing the original email thread
announcing the upcoming multi-million dollar
seeding fund, the hacker took action. Instead
of monitoring subsequent emails by creating an
auto forwarding rule (standard practice in
traditional attacks), the hacker started by
creating two lookalike domains.<br>
<br>
“The first domain was essentially the same as
the Israeli startup domain, but with an
additional ‘s’ added to the end of the domain
name,” Check Point said. “The second domain
closely resembled that of the Chinese VC
company, but once again added an ‘s’ to the
end of the domain name.”<br>
<br>
From there, the attacker sent two emails with
the same subject header as the original
email—one posing as the startup’s CEO from the
copycat startup domain—and a second sent to
the Israeli startup from the copycat Chinese
VC firm domain, spoofing the email address of
the VC account manager. <br>
<br>
That opened the door to a man in the middle
attack whereby every email sent by each side
of the exchange was in reality sent to the
attacker, who then edited the emails to
include bogus information and banking details,
then forwarded them from each lookalike domain
to its original destination. <br>
<br>
Throughout this process, the hacker sent a
total of 18 emails to the Chinese VC firm and
14 to the Israeli startup ahead of the
compromised bank transfer. At one point, the
VC account manager and startup CEO scheduled a
meeting in Shanghai, putting the hijack at
risk. So the hacker sent emails to both sides,
making up different excuses to cancel the
meeting:</p>
<div class="article__media"><img
src="https://video-images.vice.com/_uncategorized/1575502799028-image1.png"
alt="1575502799028-image1" class=""
data-src="https://video-images.vice.com/_uncategorized/1575502799028-image1.png"></div>
<p>“Patience, attention to detail and good
reconnaissance on the part of the attacker
made this attack a success,” Check Point said.
</p>
<p> After successfully using the man in the
middle attack to hijack the funds, the
attacker, who still hasn’t been identified
beyond his origins in Hong Kong, tried to go
after another round of VC investment money.
The CFO of the Israeli startup continues to
receive one email a month from the spoofed CEO
account, urging him to conduct another wire
transaction, Check Point said. </p>
<p> The security firm says there are several
things companies can do to avoid a similar
fate. <br>
<br>
That includes adding a second verification by
calling the person who asked for the transfer,
keeping audit and access logs for at least six
months to ensure the integrity of your email
infrastructure, retaining as much evidence as
possible when dealing with suspected hackers,
and using tools to help spot duplicative,
phony domains. <br>
</p>
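<p>As an added illustration, not part of the article or of this mailing-list post, the Python check below compares the domain in each inbound From: and Reply-To: header against a list of partner domains and flags one-character near misses such as the appended ‘s’ the article describes. The partner domains and the two sample messages are constructed.</p>

```python
from email import message_from_string
from email.utils import parseaddr

# Domains this organisation legitimately corresponds with (constructed example values).
TRUSTED_DOMAINS = {"example-startup.com", "example-vc.com"}


def edit_distance(a, b):
    """Levenshtein distance; one insertion catches a lookalike built by appending a letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one resembles, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if edit_distance(domain, t) <= 1:
            return t
    return None


def check_message(raw):
    """List findings for a message whose From: or Reply-To: domain is a near miss of a trusted one."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(value)
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        target = lookalike_of(domain)
        if target:
            findings.append(f"{header}: {domain} resembles trusted {target}")
    return findings


# Constructed sample messages; the second uses the extra-letter domain pattern from the article.
LEGIT = "From: CEO <ceo@example-startup.com>\nSubject: Seed round wire\n\nDetails attached.\n"
LOOKALIKE = ("From: CEO <ceo@example-startups.com>\nReply-To: ceo@example-startups.com\n"
             "Subject: Seed round wire\n\nUpdated banking details below.\n")
```

Running it on a real mailbox means feeding each message's raw headers to check_message and alerting on any non-empty result before the message reaches the finance team.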
<p><br>
</p>
<p>--END<br>
</p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</span></tt></p>
</body>
</html>