Image default
Fraud Investigations

Man-in-the-middle attacks continue to threaten companies of all sizes

Think your company information is secure because you practice proper password etiquette and operate behind a firewall within a secure network?

Think again.

Times may have changed, communication grown faster, and digital security become increasingly important, but the same old-school methods of fraud used decades ago are still likely the biggest point of vulnerability within many organizations.

It is unclear how many data-breaches in recent years have been a result of various social engineering techniques, with companies unlikely to reveal such vulnerabilities, but fraudsters certainly must be seeing results as phishing attacks continue to rise. In addition, the attacks themselves have grown in sophistication, moving from mis-translated email scams featuring grammatical mistakes and poor spelling, to  modern scams that have defrauded giants such as Facebook and Google of more than $100 million.

Phishing attacks even hitting tech savvy firms

Phishing attacks themselves can often be no more than an opening into a more sophisticated attack. An excellent example of this occurred just this last year, when a fraudster intercepted $1 million dollars of seed money sent by a Chinese venture capital firm to an Israeli startup. Israeli cyber security firm Check Point Research detailed the incident in a report last month, leaving out the names of both companies.

“Imagine that you’re the owner of a startup and waiting for a million-dollar seed round of funding, only it never shows up in your bank account,” wrote analyst Matan Ben David, “Or imagine you’re the head of a venture capital firm who believes you’ve wired investment funds to one of the startups in your portfolio, yet the funds never appeared on the other side.”

This exact nightmare is the product of a man-in-the-middle attack: an attack where two parties who believe they are communicating directly are actually communicating through a third party. This third party, imitating both sides, is then free to alter any messages, or even skip delivery entirely.

In this case, the middleman even managed to disrupt a physical meeting in Shanghai, offering each side different excuses for cancellation. Had the parties actually met, the attack would have been thwarted as the victims realized the disparity between their perceived and actual communications.

So how did this middleman insert himself into the email chain?

By registering two new domains, one for each company. Each domain was identical to the company domain, but with an added ‘s’. He then used these fake domains to initiate a phishing attack, imitating key players on both sides and beginning an email chain over which he had total control. From there it was relatively simple to route the seed funding wherever he desired.

But it wasn’t over yet.

“In a brazen move, instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment,” said Ben David in his analysis, “If that wasn’t enough, even after the attack was remediated, the Israeli CFO continues to receive one email every month from the spoofed CEO account, asking him to perform a wire transaction.”

So man-in-the-middle attacks can be deceptively easy to fall for over email.

Voice also exposed to man-in-the-middle

But what happens when we can no longer trust voice communication?

In March of 2019, fraudsters used AI deep-learning to mimic the voice of a senior executive at a UK energy firm. They then used the spoofed “credentials” to manipulate the CEO, asking him to send $243,000 to a Hungarian supplier. As the day went on, the same fraudsters called back two more times, requesting additional payment using the same impersonation software (the CEO became suspicious and did not transfer any additional funds).

Although this attack is not itself a “man-in-the-middle”, it does open the door to an unsavory potential. If hackers can spoof a voice, then couldn’t they tamper with voice communications between two companies? Given that hackers can only use domain names that are similar to the actual domains they are imitating, phone-based man-in-the-middle attacks could be devastating by comparison: caller ID spoofing is readily available to anyone with a credit card and internet.

Although technology to detect fakes is in development, it will be a good while longer before the latest security measures are adopted. Meanwhile, in this age of constant innovation, the criminal element seems to be staying ahead of the curve.

Expect the unexpected.

This article was written by KYC Israel, a company providing due diligence and corporate investigations in Israel.

Related posts

Manual Review for CNP Transactions in Europe

Ronen Shnidman

Investigating Pink Collar Crime with Kelly Paxton

PJ Rohall

ThetaRay Raises $30M in Quiet July for Fraud Prevention

Ronen Shnidman