Dubbed the “ultimate” Man-in-the-Middle attack by security researchers at Check Point, this CEO fraud attack shows how brazen cybercriminals can be, and how cautious organizations need to be whenever money is about to move.
Picture a tech startup and a foreign VC firm ready to invest $1M in seed funding. Negotiations are over; all that is left is to sign some papers and wire the funds. Now suppose an attacker had compromised and monitored the email system, set up bogus domains impersonating each party, and played both sides of the transaction so that the investment was wired to an account the attacker controlled.
That is exactly what happened to an Israeli startup last month. Using lookalike domains and intimate knowledge of the correspondence and the pending transaction, the attacker hijacked the email thread. Each email sent to the other party was captured, deleted from the corporate email system, and re-sent from the attacker’s own lookalike domain, so that the reply came back to the attacker rather than to the real counterpart. This was done for all communications in both directions; in essence, the attacker was playing both sides like a fiddle.
The attacker not only convinced the VC to change the destination bank account before the money was transferred, but also cancelled in-person meetings (with a different excuse for each side) and even asked the VC for a second round of funding.
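The lookalike domains this scheme relied on are exactly the kind of signal a mail gateway or a SOC script can check for automatically. The script below is an added example written for this post, not Check Point’s tooling or anything from the affected companies; the partner domain list, the confusable map and the two sample messages are constructed for illustration. It folds Unicode homoglyphs, accented letters and the usual digit/letter-pair tricks before comparing each sender domain in From, Reply-To and Return-Path against the partners you actually deal with, and treats a reply into an existing thread from a near-miss domain as the strongest indicator of a hijacked conversation.

```python
"""Flag lookalike sender domains in e-mail headers (illustrative example)."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumed partner domains we legitimately correspond with (constructed).
TRUSTED_DOMAINS = {"startup-example.com", "vc-example.com"}

# Visually confusable substitutions seen in lookalike registrations:
# Cyrillic letters that render like Latin ones, digits that mimic letters,
# and letter pairs that blur together in proportional fonts.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "0": "o", "1": "l", "3": "e", "5": "s",
    "rn": "m", "vv": "w", "cl": "d",
}


def normalize_domain(domain: str) -> str:
    """Lower-case, decode punycode, strip accents and fold confusables."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn-- labels -> Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid punycode; compare as-is
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a sender domain."""
    if domain.lower().rstrip(".") in trusted:
        return "trusted"
    norm = normalize_domain(domain)
    for t in trusted:
        tn = normalize_domain(t)
        if norm == tn:  # homoglyph, IDN or accent trick
            return "lookalike"
        if levenshtein(norm, tn) <= max_distance:  # typo-squat
            return "lookalike"
        # Real name embedded in a foreign domain, e.g. vc-example.com.evil.net
        if tn.rsplit(".", 1)[0] in norm:
            return "lookalike"
    return "unknown"


def audit_message(raw: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    findings, domains = [], {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        addr = parseaddr(value)[1]
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1]
        domains[header] = domain
        if classify_domain(domain, trusted) == "lookalike":
            findings.append(f"{header} domain {domain!r} looks like a trusted partner domain")
    # Reply-To steering answers somewhere other than the visible sender.
    if {"From", "Reply-To"} <= domains.keys() and domains["Reply-To"] != domains["From"]:
        findings.append(f"Reply-To {domains['Reply-To']!r} differs from From {domains['From']!r}")
    # A reply into an existing thread from an unknown or lookalike domain.
    if msg.get("In-Reply-To") and "From" in domains and classify_domain(domains["From"], trusted) != "trusted":
        findings.append("reply to an existing thread from a domain that is not a known partner")
    return findings


# Constructed sample messages: a genuine reply and a hijacked one.
LEGIT = """From: Dana <dana@vc-example.com>
To: founder@startup-example.com
Subject: Re: Term sheet
In-Reply-To: <abc@startup-example.com>

Looks good, signing tomorrow.
"""

HIJACKED = """From: Dana <dana@vc-exarnple.com>
Reply-To: dana@vc-exarnple.com
Return-Path: <bounce@vc-exarnple.com>
To: founder@startup-example.com
Subject: Re: Term sheet - updated wiring instructions
In-Reply-To: <abc@startup-example.com>

Please use the new account below for the transfer.
"""

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("hijacked", HIJACKED)):
        print(name, audit_message(raw) or ["no findings"])
```

The `rn`/`m` fold is what catches `vc-exarnple.com` in the sample; the Cyrillic entries catch IDN homoglyphs such as `vc-ex\u0430mple.com`. Tune `max_distance` to your partner list, since a distance of 2 between two short, legitimate domains will produce false positives.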
According to Check Point, organizations need procedures that validate the account details involved in large monetary transactions over a second channel, for example a phone call to a number already on file rather than one taken from the email (and even that is becoming less reliable as deepfake audio improves). They also recommend security awareness training so that employees are educated “to the trending threat in the email space.”