Sophisticated Spoof Leaves Israeli Startup $1M Short
Even in the high-stakes world of venture capitalists and startups, one million dollars gone missing will be noticed. That’s what happened recently when a planned payment from a Chinese VC company to an Israeli startup for seed funding was never concluded. Instead, it disappeared along the way.
Whether called “spoofing” or “man-in-the-middle (MITM),” electronic attacks like this long ago graduated from being simple annoyances to causing real-world damage for their victims. The problem is – they’re becoming more sophisticated.
What exactly is a spoof attack? In simple terms, a spoof occurs when a bad actor disguises a communication to appear as if it came from a trusted source. A spoof’s goal is to pretend to be a person or organization that the victim knows. This can be done via email, a fake website, and even fake phone calls in some instances.
The goal is to do whatever it takes to convince the recipient that the communication is legitimate. Once that is accomplished, the rest is as easy as slipping into the middle of a million-dollar transaction and intercepting the loot for yourself.
Don’t Talk About Big Money
Here’s a bit of advice. Pay attention to the little things before they become the big things. It turns out that the hacker had been monitoring communications between the startup and the VC for a while but took a real interest when they noticed several references to an upcoming million-dollar transfer.
The lesson here is to keep that kind of money talk on the down-low. Make a phone call to iron out the details of the payment. Alternatively, if you’re going to use email for this topic, choose an encrypted service. In case you were wondering, the startup’s vendor of choice had no encryption. Not to slander any particular company, because all of the well-known ones operate basically the same, but in the hacker zone, it’s a relatively common practice to keep their eye on personal data zooming back and forth in case anything interesting shows itself.
When something interesting does show up, you get what we have here – a million dollars channeled into the wrong place. It’s probably crypto by now and losing value fast in the midst of the Bitcoin plummet. But that’s beside the point.
Beware the Spoofing Bit
Once the bad actor had pieced together the details of the pending transfer, it was a small matter to put the spoof into motion by registering two domains, one the same as the VC’s and the other the same as the startup’s, except with an extra “s” tagged onto the end of each. This silly little trick works more often than you might expect at slipping past inattentive employees on each side. From there, the hacker sent an email to the startup from the spoofed VC domain and an email to the VC from the spoofed startup domain. Once each side replied, the sting was on.
Over the next few months, the hacker served as the MITM controlling the conversation. They received and responded to a total of 32 emails from both parties to the upcoming transaction, guiding, massaging, editing the content as needed – even aborting a planned meeting in Shanghai that would have blown up the whole scheme.
This might be a good point to stop and state the obvious. The above process for hijacking a transaction can only work when both parties fail to notice details like the extra “s” on the domain names or discrepancies in the email addresses. Spoofs like this are a strange mix of simplicity and sophistication that has driven some companies to implement specialized employee training for the sole purpose of catching spoofs and other online attacks before they cause any damage.
Companies involved in regular online financial transactions and wire transfers have taken a special interest in this case. Breene Murphy, Vice-President of Strategy and Marketing for Carbon Collective, a financial company that specializes in green investing, noted, “I recently came across the most sophisticated spoof I’ve seen in a decade. Obviously, this is something that isn’t going away.” The rising number and growing sophistication of current attacks has led Carbon Collective to implement quarterly security training for employees and to require all new hires to be trained within 30 days as part of the official onboarding process.
Expect this kind of attention to security to become the norm.
Living Unhappily Ever After
As of this writing, the theft has not been solved and the money has not been recovered. Though cybercrime fighters have made some progress in recent years in tracking down online heists, the odds are still greater that the money has disappeared into the cryptocurrency universe and now lies permanently hidden behind blockchain technology for the thief to convert into traditional currency at their leisure.
The Israeli startup (unnamed) had intended to use the million dollars as seed money. It seems not a leap of logic to think its operations will be hindered while it looks for alternate funding. As for the Chinese VC, hopefully, its pockets are deep enough to survive a million-dollar swindle. Maybe they had cyber insurance, but that’s a topic for a different day.
For now, the takeaways for a company hoping to avoid this kind of catastrophe are as follows:
- Get a better email solution that involves encryption
- Ongoing employee education on current cyber threats
- Verify wire transfers with a voice call
- Keep six months of audit and access logs for email
- In the event of a penetration, don’t delete records
- Deploy a tool that detects when lookalike domains are registered
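The extra-“s” domain trick described above, and the last takeaway about detecting lookalike domains, are the kind of thing a mail filter can catch mechanically. The script below is an added example, not code from the article or from any company it mentions: it pulls the From and Reply-To domains out of an inbound message and flags any domain that is one edit away from a partner domain on an allowlist. The partner domains, the allowlist itself and the two sample messages are all constructed assumptions.

```python
"""Flag inbound mail whose sender domain is a near miss of a known partner domain.

Added example, not the article's code. Domains and messages below are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: each side keeps an allowlist of the exact partner domains it deals with.
TRUSTED_DOMAINS = {"examplevc.com", "examplestartup.io"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def header_domains(raw_message: str) -> dict:
    """Domain part of the From and Reply-To headers (Reply-To may be absent)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    out = {}
    for hdr in ("From", "Reply-To"):
        value = msg.get(hdr)
        if value:
            out[hdr] = parseaddr(value)[1].rpartition("@")[2].lower()
    return out


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1) -> str:
    """'trusted' for an exact match, 'lookalike:<partner>' for a near miss, else 'unknown'."""
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):
        if edit_distance(domain, t) <= max_distance:
            return f"lookalike:{t}"
    return "unknown"


def check_message(raw_message: str) -> list:
    """One verdict per header; a lookalike should hold the transfer until verified by phone."""
    return [(hdr, dom, classify_domain(dom)) for hdr, dom in header_domains(raw_message).items()]


# Constructed samples: the partner's real domain, then the same name with an extra "s".
GENUINE = "From: Partner <deals@examplevc.com>\nSubject: Wire details\n\nPlease confirm.\n"
SPOOFED = ("From: Partner <deals@examplevcs.com>\nReply-To: deals@examplevcs.com\n"
           "Subject: Re: Wire details\n\nUse the new account below.\n")

if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED):
        print(check_message(raw))
```

An edit distance of one catches the appended-letter trick from this story; raising max_distance catches more variants at the cost of more false positives, so tune it against your own partner list.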
Final Thoughts
If you haven’t fallen victim to a swindle like the unfortunate companies in this article, don’t wait until something bad happens to get proactive. We’ve told you the problem, how it works, and what you can do about it. All that’s left is for you to get serious about the reality that it can, indeed, happen to you.