A “Man-in-the-Middle” attack, spoofed emails, bogus domains, lots of planning, plenty of patience, and bingo!

Security researchers at cybersecurity firm Check Point relate how Chinese hackers hijacked $1 million of seed money that was supposed to travel from a Chinese venture capital firm to an Israeli startup.

However, Check Point found after an exhaustive investigation that the attacker had tampered with the emails between the two organizations. They also found emails that had not been written by either of them but received by one or the other.

Check Point reveals hacker’s modus operandi (MO)

Aware of emailed plans for the imminent wire transfer, the hacker set up two lookalike domains. One was of the Chinese VC firm and the other of the startup. The domains were exactly the original domain names, except that the hacker added an ‘s’ at the end of each.

Next, the attacker sent two emails with the same subject header as the original email to each firm. These mails looked as if they originated from the other party. In reality, the bad actor sent these emails from the fake domains.

Therefore, subsequent emails in the thread now passed through the attacker’s domains. Unknown to the two parties, the attacker had now firmly ensconced himself as the man in the middle. The emails landed up at these fake domains, and it was a cinch for him to alter and edit information such as bank accounts details and resend to the intended recipient.

Once the bank details were tampered with, it was a simple matter to wait for the funds to arrive at the fraudulent bank account and then to vanish with the proceeds.

“Patience, attention to detail, and good reconnaissance on the part of the attacker made this attack a success,” Check Point said.

[Related Story: ZecOps Raises $10.2 Million Seed To Exploit Cyber-Attackers’ Mistakes ]