VCs find exciting new way to blow $1m: Wire it directly to hackers after getting spoofed A group of hackers used a compromised email account to steal a start-up's $1m venture capital payment. The incident response team at security house Check Point says it was called in to investigate the case of money that a Chinese VC firm had reported missing after it was supposedly sent to a startup in Israel. It was believed …
Not sure whether to laugh or cry at this ........
the bad guys noted that the Co were letting it be known that they were up far a substantial investment from VC's
so the attack vector appears to be one straight out of WWII with the posters all exclaiming that Loose Lips Sink Ships
yet again proving that the real hackers go after people - Social Engineering 101
the fact they are STILL trying to go after more money is just sheer Hollywood, although I doubt a script writer would dare to add that as a twist :o)
“ yet again proving that the real hackers go after people - Social Engineering 101”
Rarely a truer word said. 99% of external infrastructure engagements we do result in breach (ie access to the internal network). The other 1% refuse to include O365, S4B, Outlook Web Access, VPN endpoints etc in the scope :)
Its not about 0-days. It’s a numbers game. Someone in your organisation has a $#!% password. Just a matter of finding who. A bit of OSINT, a bit of time (usually a few hours, occasionally a day or two) and you’ve got shell. Bit slower if you care about not being detected.
Plenty of talk of encryption etc to fix this problem, when mandating MFA and a half decent password policy + training will make the attacker’s job hundreds of times more difficult.
I expect they did, but that "we'll confirm that by email" figured regularly in 'phone conversations. Language barriers may have played a role, too.
Note - the report is silent on whether there was a MITM on the phone. If they were filtering email it would've presented opportunities to tamper with phone numbers and other contact details.
To think that PGP has only been with us since 1991!
Even without messing with the phones, so long as the attackers only made minor tweaks to the emails in each direction I doubt a phone call would help. Calling to confirm that the payment details have been sent or that payment has been made wouldn't help, since each side had received appropriate emails. To spot it each side would need to read out their email's to the other side, most importantly including the exact bank details, to confirm what they'd sent/received matched, but that seems unlikely to happen, especially when for most scams like this (at least until now!) a simple "did you send me this email?" is enough to spot the fake.
Also not sure how PGP would help. The attacker would just need to setup PGP on their own fake domain, then encryption/decryption would still work since both ends are encrypting their emails for the fake MITM addresses, not the addresses of the other end, so the attacker would be able to read them no problem.
Clever, skillful, yes, but also pretty lucky.
if either party had initiated a new email chain instead of replying to the one started by the hacker, it could have been game over. He had compromised the Israeli account, so he had some degree of control (like replacing the Chinese VC contact address with the spoofed one to ensure no direct contact), but there was little he could do about the Chinese side.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
