Incident Response Casefile – A successful BEC leveraging lookalike domains

By Matan Ben David, Incident response Analyst

Imagine that you’re the owner of a startup and waiting for a million-dollar seed round of funding, only it never shows up in your bank account. Or imagine you’re the head of a venture capital firm who believes you’ve wired investment funds to one of the startups in your portfolio, yet the funds never appeared on the other side.

This is a real case that was investigated by the Check Point Incidence Response Team (CP IRT) earlier this year (2019).
A Chinese venture capital firm was alerted by their bank that there was an issue with one of their recent wire transactions. A few days later, a young Israeli startup realized they didn’t receive their one million dollars seed funding. Both sides got on the phone and quickly realized that their money was stolen.

Once both sides realized the money was gone, they also noticed something strange going on with the emails between the two parties, as some of the emails were modified and some were not even written by them.

At this point, the CEO of the Israeli startup engaged CP IRT to investigate the fraudulent money transfer. What started as a normal Business Email Compromise (BEC) quickly turned into something else.

CP IRT collected and analyzed the available logs, e-mails, and PCs involved.
During the evidence collection phase, CP IRT faced 3 challenges that any customer-facing Incident Responder has probably encountered at some point.

CHALLENGES

The customer’s mailboxes were hosted on GoDaddy’s email server which, not surprisingly, didn’t provide any information to help the investigation.

The audit logs only showed the five last logins to the server and all of them were for the Israeli startup employee

We realized that if the user account was compromised on the Israeli side, we probably wouldn’t be able to determine the exact times the attacker was logged in or which IP was used.

We had to track down the original emails so we could investigate the email headers. As we only had screenshots (from a mobile) of the emails in question, we decided to collect the mailbox archives from all the people that were CC’ed in the original thread. By searching for keywords from the screenshots, we were able to locate the original emails.

THREAT ACTOR IN THE MIDDLE

Now that we had the original emails, the bigger picture became clearer and we could see how the attacker was able to carry out this attack.

Apparently, a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million dollars seeding fund and decided to do something about it.

Instead of just monitoring the emails by creating an auto-forwarding rule, as is seen in the usual BEC cases, this attacker decided to register 2 new lookalike domains.

The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name. The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.

The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain spoofing the email address of the Israeli startup’s CEO.

The second email was sent to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled this investment.

This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack.

Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.

Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side. Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.

ELECTRONIC DIVERSIONS OF PHYSICAL MEETINGS

At one point during the attack, the Chinese account owner and the CEO of the Israeli startup scheduled a meeting in Shanghai. At the last moment, the attacker sent an email to both sides canceling the meeting, providing a different excuse for why they couldn’t meet to each.

Without this crucial act from the attacker’s side, the whole operation would probably have failed. It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made.

This was an unacceptable risk for the attacker, and so, he took steps to make sure it wouldn’t happen. This is the sign of an experienced attacker.

What would you do if you realized you just managed to steal one million dollars?

Go on a vacation? Buy a nice car?

Not our attacker:

In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment.

If that wasn’t enough, even after the attack was remediated, the Israeli CFO  continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction. The content of the email is as follows:

Lessons learned / Key Takeaways

1. Automatically prevent – Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
2. Educate your employees – On top of that, proper and ongoing education of employees to the trending threat in the email space.
3. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
4. Ensure your email infrastructure is able to keep audit & access logs for at least six months. In startup mode, it’s easy to quickly build infrastructure with security and logging dealt with only as an after-thought.
5. Always capture as much forensic evidence as possible when dealing with suspected or confirmed cybersecurity incidents. Deleting a piece of evidence only assists the attacker. Timely evidence captures when the incident occurs can also insure important logs and evidence are not overwritten.
6. Leverage a tool to identify newly registered domains that are look-alikes to your own domain name.

Have an Incident Response Plan and Tactical IR Playbooks ready ahead of time! Knowing what to do before a crisis arises streamlines response activity and decreases the time it takes to remediate.

For the email security vector, Check Point’s Artificial Intelligence based security engines include an advanced anti-phishing engine, which relies on behavioral analysis, designed to prevent precisely attacks similar to the one in our story.