Hackers Trick Venture Capital Firm Into Sending Them $1 Million (vice.com)
Security researchers at Check Point say the company has uncovered evidence that Chinese hackers managed to hijack $1 million in seed money during a wire transfer between a Chinese venture capital firm and an Israeli startup -- without either side realizing anything was wrong. From a report: The VC firm and the startup, whose names Check Point hasn't released, reached out to the security firm after the funds failed to arrive. Once Check Point dug into the details, it discovered a man-in-the-middle attack that took a lot of planning and plenty of patience. After analyzing the server logs, emails, and the computers involved in correspondence between the companies, Check Point noticed some abnormalities. Some of the emails, analysts discovered, had been modified. Others hadn't even been written by either organization. After seeing the original email thread announcing the upcoming multi-million dollar seeding fund, the hacker took action. Instead of monitoring subsequent emails by creating an auto forwarding rule (standard practice in traditional attacks), the hacker started by creating two lookalike domains.
Inside job (Score:2)
News at 11
Re: Inside job (Score:2)
Re: (Score:1)
You think that's impressive? (Score:3)
Look at what Elizabeth Holmes did.
https://en.wikipedia.org/wiki/... [wikipedia.org]
"Theranos raised more than US$700 million from venture capitalists and private investors,"
These guys are pikers compared to her.
Re: You think that's impressive? (Score:3)
Re: (Score:2)
If you show people how it works, then it isn't a Trade Secret anymore.
They should have been able to learn enough about the testing of liquids and the required volumes and why those volumes are required to at least be able to analyze the demonstrations given. I agree they should have been able to tease out the truth in that case. But it isn't because they could have "easily verified" anything. They would have had to carefully analyze all the main questions around the technology, and make both quantitative an
Re: You think that's impressive? (Score:2)
Re: (Score:2)
Re: You think that's impressive? (Score:3)
Re: (Score:3)
* favorable treatment in tax, inheritance, and insurance status
* immigration rights
* rights in adoption and custody
* decisional and visitation rights in health care and burial
* the spousal privilege exemption when giving testimony in court
* lower fees and other discounts (i.e., married couple rate for insurance or rental application)
Re: (Score:3)
It also meant that she can't dump me for someone richer and better looking without a lot of work. So far it's been a winning strategy for me for the last 30 years.
Re: You think that's impressive? (Score:2)
Summary (Score:4, Informative)
A Chinese VC deposited funds into an account that wasn't the account they intended to. The hack was social, surely the transfer of funds was accurate. The sender provided transfer data and funds were transferred according to the instructions of the person responsible for the account and the transfer executed properly, correct?
Re: (Score:2)
Re: (Score:3)
''Although they may have been fooled since all the emails, except for the edited account details, were the actual emails written by either side.''
But obviously not from the same domain, nor the same sender.
The real question is how exactly was the transfer made. You can't easily initiate a SWIFT transfer from China for that amount of money. And where did it get transferred to? How does a recipient of that type of wire make it liquid? It would be hard to believe that there is no easily documented r
Re: (Score:3)
All of the major international banks have 'private banking' offices (aka money laundries) that are some of their most profitable divisions. In exchange for an exorbitant fee they will arrange automated transfers something like the following:
If account #1234 balance exceeds $1,000,000 then
Transfer $500,000 to account #4567 at CitiCorp of the Cayman Islands
Transfer $300,000 to account #7890 at First Boston of Luxembourg
Transfer $200,000 to acc
Re: (Score:2)
'It's long gone before anyone knows its missing.'
Interesting point, and it's obvious that the most profitable part [with no risk] of banking is profit from 'order flow', 'spread', and 'fees'. Bankers have consistently and willfully provided services for the profit of criminal activity for years. HSBC, Deutsche Bank are just a few of the recent companies who paid fines to be able to not accept culpability for their actions.
It's advantageous for the bankers not to assist investigations as to where these transfe
Re: (Score:2)
The real question is how exactly was the transfer made. You can't easily initiate a SWIFT transfer from China for that amount of money.
Most money doesn't reside very near its owner. Chinese VC is trying to make money outside the Chinese system using money that's already outside the Chinese system, for very specific reasons. See Hong Kong news for details.
How does a recipient of that type of wire make it liquid? It would be hard to believe that there is no easily documented route for settlement of this type of transfer.
Remember this [reuters.com]? The money was never recovered. The international banking system has a thousand boltholes into which money can vanish in a matter of minutes, never to be seen again. At least, not as recognizable money. International money laundering is highly efficient, and it's enable
Re: (Score:2)
Social hacks are still the most effective method. Although they tend to be more resource-intensive to pull off.
The key is constant vigilance and don’t trust cold calls.
I can feel it (Score:2)
I sense a new business opportunity.
Is that what investors call 'stupid money'? (Score:2)
I guess so.
Process people (Score:2)
Re: (Score:2)
Sure, just make an international telephone call and read out all the account details, that'll keep your account safe! LMFAO!
This is how easy it is to get scammed. This planckscale person is even rehearsing how to help the attackers steal his shit. And probably doesn't know it.
Re: (Score:2)
If you do it right, you give nothing away and can verify everything over the phone. Account number - break the number up into N 2 digit numbers, add them up, tell me the total. I get 693. You get 546? OK, we have a problem.
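The pair-sum check described in the comment above, as an added example that is not part of the original thread: it shows which mismatches the sum flags and which it cannot tell apart, next to a hashed fingerprint read out the same way. The account numbers, the nonce, and the names `pair_sum`, `spoken_fingerprint` and `compare` are constructed for illustration.

```python
import hashlib


def normalize(account: str) -> str:
    """Keep letters and digits only, upper-cased, so spacing differences do not matter."""
    return "".join(ch for ch in account.upper() if ch.isalnum())


def pair_sum(account: str) -> int:
    """Check from the comment: cut the digits into 2-digit numbers and add them up."""
    digits = "".join(ch for ch in account if ch.isdigit())
    return sum(int(digits[i:i + 2]) for i in range(0, len(digits), 2))


def spoken_fingerprint(account: str, nonce: str) -> str:
    """Six decimal digits from SHA-256(nonce:account); the nonce is agreed on the call."""
    digest = hashlib.sha256(f"{nonce}:{normalize(account)}".encode()).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def compare(mine: str, theirs: str, nonce: str) -> dict:
    """Report whether each check flags that the two parties hold different numbers."""
    return {
        "pair_sum_flags": pair_sum(mine) != pair_sum(theirs),
        "fingerprint_flags": spoken_fingerprint(mine, nonce)
        != spoken_fingerprint(theirs, nonce),
    }


# Constructed account numbers, not taken from the incident.
GENUINE = "12 34 56 78 90 12 34"
UNRELATED = "98 76 54 32 10 98 76"   # a completely different account
REORDERED = "34 12 56 78 90 12 34"   # same pairs, first two swapped
OFFSET = "13 33 56 78 90 12 34"      # +1 on one pair, -1 on the next
NONCE = "4471"                       # constructed; chosen fresh by the caller

if __name__ == "__main__":
    cases = [("unrelated", UNRELATED), ("reordered", REORDERED),
             ("offset", OFFSET), ("same", GENUINE)]
    for label, other in cases:
        print(f"{label:10s} {compare(GENUINE, other, NONCE)}")
```

Either value is only meaningful when the call is placed to a number obtained independently of the email thread that carried the account details.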
Lessons to learn (Score:2)
1. Sign emails with PGP/GnuPG and verify signatures. (Yeah, right. Like that's ever gonna happen...)
2. Don't accept bank details via email without verifying them out-of-band. Pick up the phone, fer chrissakes.
3. Don't send $1M without a face-to-face meeting.
Re: (Score:2)
Don't accept bank details via email without verifying them out-of-band. Pick up the phone, fer chrissakes.
Even a Skype call made on a smart phone would somehow be more secure.
Never read out confidential information on the telephone. Better yet, simply never read out confidential information.
If you mix and match good security advice with bad security advice, the end result is not security. Maybe you encrypted everything in writing, but you still read it out over the telephone and got screwed.