A Chinese venture capital firm lost US$1 million to scammers who inserted themselves into a deal the firm had with an Israeli startup. The business email compromise (BEC) campaign consisted of 32 emails sent from look-alike domains, enough to convince both parties that they were still corresponding with each other.
Check Point conducted the investigation on behalf of the Israeli startup and found that the email account of one of the startup’s employees had been compromised. The attackers likely noticed the email thread about the seed funding from the Chinese firm to the Israeli startup months before the scheduled transaction. Since the transaction involved a large sum of money, the attackers took their time to prepare for the lucrative opportunity.
They first created two domains which spoofed the official domains of the Chinese firm and the Israeli startup. The fake domains were simply the original domain names with an added “s” at the end.
The attackers then used the domains to send two emails with the same subject line as the original thread. The one sent to the Chinese firm came from the spoofed domain of the Israeli startup, and vice versa. They assumed the identities of the CEO of the Israeli startup and of the manager in charge of the transaction at the Chinese firm.
Both firms replied normally to the attacker, not noticing the change in the email addresses. Successfully coming between the two parties gave the attackers not only visibility over the transaction but also a large degree of control: they altered each party’s replies to suit their agenda (e.g., changing the bank account details) before forwarding them to the intended recipient.
The attackers behind this BEC went as far as cancelling a physical meeting between the two parties that was set to happen in Shanghai. They made different excuses for both parties at the very last minute to avoid being discovered and ultimately failing their operation.
After 14 emails to the Israeli startup and 18 to the Chinese firm, the campaign paid off with the attackers receiving the million-dollar seed funding.
In a few days, the Israeli startup realized that they had not in fact received the funding. After a call to the Chinese firm, both groups realized that the money had been stolen. The discovery prompted the investigation into the scam.
Defending against similar campaigns
BEC, despite being a well-known tactic against corporations, continues to cause huge losses for organizations. In August, one such scam cost the U.K.-based affiliate of heavy equipment manufacturer Caterpillar US$11 million. In this case, the attackers used spoofed domains to strengthen their assumed identities, another common technique in phishing schemes.
Moving forward, BEC campaigns will involve both old and new tricks to make it harder for organizations to see through the schemes. Trend Micro’s predictions report for 2020 foresees BEC scams involving new technologies like deepfakes that will make it harder to separate truth from deception.
This is why organizations must stay wary of such schemes and follow best practices, especially when handling large sums of money. Here are a few steps they can take to avoid similar schemes:
- Fund transfer and payment requests should always be verified out of band, preferably through a phone call to a number that was already on file rather than one supplied in the email.
- Look out for red flags in business transactions, such as a change in bank account details with no prior notice.
- Employees should always scrutinize received emails for suspicious elements, for example the use of unusual or slightly altered domains, or changes in email signatures.
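The checks in the list above can be partly automated at the mail gateway or in a triage script. The following is an added example, not code from the original article or from Check Point or Trend Micro. It assumes a small allowlist of partner domains (the domain names are made up) and flags messages whose sender domain is within a short edit distance of a trusted one (the "add an s" trick used in this scam), messages that continue an existing thread but arrive from a domain not on the allowlist, and bodies that announce new bank details. The sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist of partner domains for this example (hypothetical names).
TRUSTED_DOMAINS = {"example-vc.cn", "example-startup.il"}

# Phrases that often accompany a fraudulent change of payment details (heuristic).
PAYMENT_CHANGE_PHRASES = (
    "updated bank", "new bank account", "new account details",
    "changed our bank", "wire instructions",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the lowercase domain from a From/Reply-To header value."""
    _, address = parseaddr(header_value)
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def check_message(raw: bytes) -> list[str]:
    """Run the BEC heuristics over one RFC 5322 message and return a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    from_dom = sender_domain(msg.get("From", ""))
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"From domain {from_dom!r} looks like trusted domain {imitated!r}")

    # A Reply-To pointing elsewhere is another way replies get diverted to the attacker.
    reply_to = msg.get("Reply-To")
    if reply_to and sender_domain(reply_to) != from_dom:
        findings.append(f"Reply-To domain {sender_domain(reply_to)!r} differs from From")

    # A reply inside an existing thread from a non-partner domain is the thread-hijack pattern.
    if msg.get("In-Reply-To") and from_dom not in TRUSTED_DOMAINS:
        findings.append("Continues an existing thread but From domain is not a known partner")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        findings.append("Body announces a change of bank or wire details; verify by phone")

    return findings


# Constructed sample: attacker continues the thread from the "+s" look-alike domain.
SAMPLE_SPOOF = b"""From: CEO <ceo@example-startups.il>
To: finance@example-vc.cn
Subject: Re: Seed round wire details
In-Reply-To: <thread-1@example-vc.cn>
Message-ID: <abc@example-startups.il>
Content-Type: text/plain; charset=utf-8

Please note our updated bank account details below before wiring the funds.
"""

# Constructed sample: genuine reply from the real partner domain.
SAMPLE_LEGIT = b"""From: CEO <ceo@example-startup.il>
To: finance@example-vc.cn
Subject: Re: Seed round wire details
In-Reply-To: <thread-1@example-vc.cn>
Message-ID: <def@example-startup.il>
Content-Type: text/plain; charset=utf-8

Looking forward to meeting you in Shanghai next week.
"""

if __name__ == "__main__":
    for name, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(name, check_message(sample) or "no findings")
```

Edit distance of two is deliberately loose: it catches an appended character, a swapped letter, or a dropped hyphen, but it will also pair unrelated short domains, so treat a hit as a reason to verify out of band, not as proof of fraud. The phrase list is a heuristic; the authoritative control remains the phone call to a known number before any payment detail is changed.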
Enterprises can also consider using a security technology designed to fight against BEC scams, such as Writing Style DNA, which is used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™. It can help detect email impersonation tactics used in BEC and similar scams. It uses artificial intelligence (AI) to recognize the DNA of a user’s writing style based on past emails and then compares it to suspected forgeries. The technology verifies the legitimacy of the email content’s writing style through a machine learning model that contains the legitimate email sender’s writing characteristics.