back to article VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed

A group of hackers used a compromised email account to steal a start-up's $1m venture capital payment. The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel. It was believed …

  1. IceC0ld Silver badge

    Not sure whether to laugh or cry at this ........

    the bad guys noted that the Co were letting it be known that they were up far a substantial investment from VC's

    so the attack vector appears to be one straight out of WWII with the posters all exclaiming that Loose Lips Sink Ships

    yet again proving that the real hackers go after people - Social Engineering 101

    the fact they are STILL trying to go after more money is just sheer Hollywood, although I doubt a script writer would dare to add that as a twist :o)

    1. Pier Reviewer

      “ yet again proving that the real hackers go after people - Social Engineering 101”

      Rarely a truer word said. 99% of external infrastructure engagements we do result in breach (ie access to the internal network). The other 1% refuse to include O365, S4B, Outlook Web Access, VPN endpoints etc in the scope :)

      Its not about 0-days. It’s a numbers game. Someone in your organisation has a $#!% password. Just a matter of finding who. A bit of OSINT, a bit of time (usually a few hours, occasionally a day or two) and you’ve got shell. Bit slower if you care about not being detected.

      Plenty of talk of encryption etc to fix this problem, when mandating MFA and a half decent password policy + training will make the attacker’s job hundreds of times more difficult.

  2. Steve Aubrey
    Meh

    It's a fine line

    Disapproving of the crime while admiring the resourcefulness and attention to detail.

  3. Aristotles slow and dimwitted horse Silver badge

    Considering it's $1m...

    Considering we're talking about $1m i.e. not a small amount of money, I'm surprised at no point did they pick up the phone and talk about it to validate the details?

    1. Venerable and Fragrant Wind of Change
      Holmes

      Re: Considering it's $1m...

      I expect they did, but that "we'll confirm that by email" figured regularly in 'phone conversations. Language barriers may have played a role, too.

      Note - the report is silent on whether there was a MITM on the phone. If they were filtering email it would've presented opportunities to tamper with phone numbers and other contact details.

      To think that PGP has only been with us since 1991!

      1. Anonymous Coward
        Anonymous Coward

        Re: Considering it's $1m...

        Even without messing with the phones, so long as the attackers only made minor tweaks to the emails in each direction I doubt a phone call would help. Calling to confirm that the payment details have been sent or that payment has been made wouldn't help, since each side had received appropriate emails. To spot it each side would need to read out their email's to the other side, most importantly including the exact bank details, to confirm what they'd sent/received matched, but that seems unlikely to happen, especially when for most scams like this (at least until now!) a simple "did you send me this email?" is enough to spot the fake.

      2. Anonymous Coward
        Anonymous Coward

        Re: Considering it's $1m...

        Also not sure how PGP would help. The attacker would just need to setup PGP on their own fake domain, then encryption/decryption would still work since both ends are encrypting their emails for the fake MITM addresses, not the addresses of the other end, so the attacker would be able to read them no problem.

        1. FrogsAndChips Silver badge

          Re: Considering it's $1m...

          But both ends would need to set up PGP keys for the fake addresses, which is likely to raise some flags.

        2. Stoneshop Silver badge
          Holmes

          PGP

          The only safe way to exchange PGP keys is in a face-to-face meeting, with both sides verifying the other's identities and only then accepting their public keys.

          Any other method is spoofable in some way.

  4. Efer Brick
    Alien

    Have to admit

    that is clever!

    1. FrogsAndChips Silver badge

      Re: Have to admit

      Clever, skillful, yes, but also pretty lucky.

      if either party had initiated a new email chain instead of replying to the one started by the hacker, it could have been game over. He had compromised the Israeli account, so he had some degree of control (like replacing the Chinese VC contact address with the spoofed one to ensure no direct contact), but there was little he could do about the Chinese side.

      1. Mr Humbug

        Re: Have to admit

        With the way most e-mail clients work these days (start typing address and let the autocomplete finish it) a new e-mail chain would have probably gone to the bogus domain anyway

  5. Pascal Monett Silver badge

    Well, someone has learned an important lesson

    Never settle on only using email when dealing with money. Get a phone number, arrange a meeting, and get the financial details there, face to face.

    It's the only way to be sure.

  6. Anonymous Coward
    Anonymous Coward

    DKIM?

    Wonder if SPF / DKIM / DMARC would have prevented this?

    1. Sir Awesome

      Re: DKIM?

      Not if you're sending to a different domain - which is what happened here. Those technologies can only help for those attempting to impersonate existing domains.

    2. EnviableOne Silver badge

      Re: DKIM?

      look-a-like domains can have all three and pass automated checks as the system checks the look-a-likes dns.

      the only way to catch it is for the recipients to notice its the look alike not the real, or for the orgs to have look-a-like protection....

  7. Blackjack

    Guys calling a verified phone number is not rocket science.

    Hi, we just got a request for a million bucks from your e-mail.account, It is really you?

    Yes call to verify makes things slower, but you can do things fast or safe, pick one.

  8. Grinning Bandicoot

    Knock off acomin'

    This guy showed originality and as noted followed a good tight script. How many idiot copycat attempts will be made in the next six months?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020