Check Point has published the results of its investigation into the theft of $1 million, pulled off by an attacker who inserted himself into the victims' e-mail correspondence (a man-in-the-middle attack on the exchange, carried out with spoofed lookalike domains)


A very industrious attacker, who forged the e-mail correspondence and wrote a total of 32 messages in both directions, managed to redirect a large money transfer from a Chinese venture fund to an Israeli startup to his own bank details. This real-life incident was described by the Israeli information security company Check Point in this publication. Note that the Check Point Incident Response Team (CP IRT) was brought into the investigation in 2019, some time after the fraud had taken place, by which point many of the digital traces had been destroyed by both parties, through negligence or carelessness.

Problem situation

The owner of an Israeli startup, some time after the start of a productive and promising collaboration with a large venture fund, reached an agreement that $1 million would be transferred to his bank account as financing for the initial stage of the project.

The head of the Chinese venture fund duly made the first investment of $1 million in the new startup in his portfolio.

Some time after the payment was made, the bank servicing the venture fund informed its client that there was a problem with one of its recent transactions. A few days later, the owner of the startup had still not received the expected transfer. Only then did the two parties contact each other by telephone rather than, as before, by e-mail, and realized that the transaction had been completed, but not for its intended purpose: $1 million had somehow been stolen by a third party.

Only after the injured parties realized that the money was lost did their employees notice something strange in the e-mail correspondence between the fund and the startup. It turned out that some of the e-mails sent from the fund to the startup had been altered and did not match what the startup had actually received. Some messages had not been written by either party at all, and someone else had been answering them.
It was only then that the CEO of the Israeli startup brought the information security experts of the Check Point Incident Response Team (CP IRT) into the investigation of the fraudulent transfer to a third party. (Author's note: Check Point is also an Israeli company.)

Start of the Check Point Incident Response Team (CP IRT) investigation

Check Point specialists began to collect and analyze all the data on the incident: the available logs of both companies' IT systems, the e-mails and the computers of both parties. They immediately ran into three problems:

1. The client's mailboxes were hosted on GoDaddy's mail service, which, unsurprisingly, provided no information to help the investigation; the mail server logs showed only the last five login entries, all of which came from the Israeli startup. It became clear that if a user account had been compromised on the Israeli side, it would probably be impossible to determine exactly when the attacker had connected to the server or which IP address he had used.

2. It turned out that for some time there had been no direct correspondence between the employees of the two companies at all.

3. Either the clients or the attacker had deleted all the key e-mails related to the incident. The original messages had to be tracked down in order to examine their headers. Screenshots (taken from mobile phones) of sent and received e-mails were also obtained. CP IRT specialists therefore had to go through all the mailboxes of the users of both companies who were involved in the correspondence, and by searching for keywords taken from the screenshots they found the original e-mails.

The first results of the investigation

After a meticulous collection of the original e-mails exchanged between the companies, it became clear how the attacker had carried out the attack.
Apparently, a few months before the first big transfer, the attacker noticed e-mails about the upcoming multi-million contract in the mailbox of one of the companies and decided to use this information for his own ends. Most likely it all started with the attacker obtaining, in a way that was not established, access to the mail server or a user account of one of the companies.

The attacker registered two new domains. The first was almost identical to the Israeli startup's domain, but with extra characters appended to the end of the domain name. The second closely resembled the domain of the Chinese venture fund, but with an "s" added to the end of the name.

Then the attacker sent two e-mails with the same subject header as the original correspondence he had previously seen. The first e-mail was sent to the Chinese venture fund from the fake Israeli domain
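The lookalike domains described above are exactly the kind of thing a review of message headers can flag automatically, which is what the CP IRT investigators had to do by hand once they had recovered the original e-mails. The following Python script is an added example and is not code from the Check Point report. It parses raw message headers, extracts the From and Reply-To domains, and flags any domain that is a near-miss of a known partner domain: extra characters appended to the name, a one- or two-character typo, or the same name under a different TLD. The domains il-startup.example and cn-fund.example and the three sample messages are constructed placeholders, not the real parties' domains or mail.

```python
"""Flag lookalike sender domains in captured e-mail headers.

Added example, not part of the Check Point report. The partner domains and
the raw messages below are constructed for the demo.
"""
import email
from email import policy
from email.utils import parseaddr

# Hypothetical domains of the two legitimate parties (assumption).
TRUSTED_DOMAINS = {"il-startup.example", "cn-fund.example"}

# Constructed sample headers: one genuine message and two spoofed ones that
# mimic the attack described above (characters appended to the startup's
# domain name, an "s" appended to the fund's domain name).
SAMPLE_MESSAGES = [
    "From: CEO <ceo@il-startup.example>\r\n"
    "To: partner@cn-fund.example\r\n"
    "Subject: Re: Investment agreement\r\n\r\nGenuine message.\r\n",
    "From: CEO <ceo@il-startup-inc.example>\r\n"
    "To: partner@cn-fund.example\r\n"
    "Subject: Re: Investment agreement\r\n\r\nSpoofed: startup lookalike.\r\n",
    "From: Partner <partner@cn-funds.example>\r\n"
    "Reply-To: partner@cn-funds.example\r\n"
    "To: ceo@il-startup.example\r\n"
    "Subject: Re: Investment agreement\r\n\r\nSpoofed: fund lookalike.\r\n",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_name(domain: str) -> str:
    """Drop the last label: 'cn-funds.example' -> 'cn-funds'."""
    labels = domain.lower().strip().split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS):
    """Return ('trusted', d), ('lookalike', d) or ('unrelated', None).

    A lookalike is a domain whose name extends, is extended by, or is within
    two edits of a trusted domain's name (covers appended characters, a single
    added letter such as the trailing "s", and TLD swaps).
    """
    domain = domain.lower()
    if domain in trusted:
        return "trusted", domain
    name = registrable_name(domain)
    for t in sorted(trusted):
        tname = registrable_name(t)
        if name.startswith(tname) or tname.startswith(name) or levenshtein(name, tname) <= 2:
            return "lookalike", t
    return "unrelated", None


def header_domain(msg, header: str):
    """Domain of the address in a header, or None if the header is absent."""
    value = msg.get(header)
    if not value:
        return None
    _, addr = parseaddr(str(value))
    return addr.rpartition("@")[2].lower() or None


def scan(raw_messages, trusted=TRUSTED_DOMAINS):
    """Parse each raw message and report every lookalike From/Reply-To domain."""
    findings = []
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        for hdr in ("From", "Reply-To"):
            dom = header_domain(msg, hdr)
            if dom is None:
                continue
            verdict, mimics = classify_domain(dom, trusted)
            if verdict == "lookalike":
                findings.append({"header": hdr, "domain": dom,
                                 "mimics": mimics, "subject": str(msg["Subject"])})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_MESSAGES):
        print(f"{f['header']}: {f['domain']} mimics {f['mimics']} ({f['subject']})")
```

Run against a real mailbox export, the script is only a first pass: it catches the "append characters" and "add an s" tricks from this case and simple typosquats, but not homoglyph domains or a genuine partner account that has been taken over, which is why the investigators also needed the server logs and the screenshots to reconstruct who actually sent what.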