On February 19th, venture capital giant Sequoia disclosed to its investors that it had been the victim of a data breach. A few days later, additional information became available indicating that it had been targeted in a Business E-mail Compromise (BEC) attack. According to the company, attackers gained access to one employee's corporate E-mail account, then used that access to send a false wire transfer request that appeared to come from the employee. As BEC fraud is an incredibly popular scam, one might assume that Sequoia was simply another victim in a long line of attacks that impact companies across all industries. Many cyber attacks are opportunistic, exploiting whatever vulnerabilities the attackers happen to find rather than targeting a specific company. That may not be the case here, however, as there is evidence that venture capital firms are being targeted by at least one group of hackers.
What is BEC Fraud?
BEC fraud is a type of social engineering attack in which an attacker sends an E-mail trying to bait the recipient into sending them money. The attack has many “flavours”, the most popular of which is a fake wire transfer request sent to the CFO or accounts payable team of a company, masquerading as a legitimate request from the CEO, another executive of that company, or one of the company's vendors.
While BEC strictly refers to cases in which a business E-mail account is compromised (hence the name), the term is often used for any fake wire transfer request, whether or not a mailbox was actually taken over. In many cases, when access to a mailbox is unavailable, attackers register lookalike domains that closely resemble the impersonated company's domain in order to fool recipients. In other cases, the sender address can simply be spoofed, because the anti-spoofing controls designed to prevent exactly that, SPF, DKIM and DMARC, are not properly configured on the impersonated domain. At the bottom of the sophistication scale, some attempted BEC fraud incidents involved messages sent from free E-mail services such as Gmail and Yahoo.
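To make the "not properly configured" point concrete, here is an added example (not code from the original post) that audits a domain's SPF and DMARC TXT records and reports the settings that let spoofed mail through. The domain name, the records and the mail host in the include: term are all constructed placeholders; the records are passed in as a dictionary rather than resolved from DNS so the example runs offline. DKIM is deliberately not audited, since its public keys live under per-selector DNS names that cannot be enumerated without knowing the selectors.

```python
import re

# Constructed sample DNS TXT records for a hypothetical domain (not a real one):
# a weak configuration next to a hardened one, in the form they would have in DNS.
WEAK_RECORDS = {
    "example-vc.test": "v=spf1 include:_spf.mailhost.test ?all",
    "_dmarc.example-vc.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-vc.test",
}
HARDENED_RECORDS = {
    "example-vc.test": "v=spf1 include:_spf.mailhost.test -all",
    "_dmarc.example-vc.test": (
        "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
        "rua=mailto:dmarc@example-vc.test"
    ),
}


def parse_spf(record):
    """Split a v=spf1 TXT record into (mechanisms, qualifier of the 'all' term).

    Returns None when the record is not an SPF record. The qualifier is one of
    '+', '-', '~', '?' (an unqualified 'all' means '+'), or None if absent.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    mechanisms, all_qualifier = [], None
    for term in terms[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return the tag=value pairs of a v=DMARC1 TXT record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def audit_domain(domain, records):
    """Return a list of findings describing where the SPF/DMARC posture lets
    spoofed mail through. An empty list means both records enforce rejection.

    `records` maps DNS names to TXT record strings; a real audit would resolve
    them instead. DKIM is not checked here (see the lead-in).
    """
    findings = []

    spf = parse_spf(records.get(domain, ""))
    if spf is None:
        findings.append("SPF: no v=spf1 record")
    else:
        _mechanisms, all_qualifier = spf
        if all_qualifier in (None, "+"):
            findings.append("SPF: missing or '+all' terminal term; any host passes")
        elif all_qualifier == "?":
            findings.append("SPF: '?all' is neutral; unauthorised senders are not rejected")
        elif all_qualifier == "~":
            findings.append("SPF: '~all' is softfail; enforcement depends on DMARC")

    dmarc = parse_dmarc(records.get("_dmarc." + domain, ""))
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record; spoofed mail is not rejected")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine; move to p=reject once reports are clean")
        elif policy != "reject":
            findings.append("DMARC: missing or unrecognised policy tag p=")
        # sp= defaults to p=, so only a stricter p= with a looser sp= is a gap
        if policy == "reject" and dmarc.get("sp", policy).lower() != "reject":
            findings.append("DMARC: sp= leaves subdomains unenforced")
        if dmarc.get("pct", "100") != "100":
            findings.append("DMARC: pct<100 applies the policy to only part of the mail")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address; aggregate reports are not collected")

    return findings


if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, audit_domain("example-vc.test", recs) or ["no findings"])
```

Running the script prints two findings for the weak pair ('?all' and p=none) and none for the hardened pair. The hardened record also sets adkim=s and aspf=s so that a lookalike subdomain cannot satisfy alignment, which is the setting a firm that wants its own name protected should aim for.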
From what Sequoia has shared, it appears that one of its E-mail accounts was accessed and used to send a wire transfer request. No further details about the attack have been released.
Venture Capital Firms in the Crosshairs
At the end of December 2020, I was asked to assist in investigating and remediating a similar case, in which a venture capital firm had been the target of BEC fraud. The victim was in stark contrast to Sequoia: a small, up-and-coming VC that is not based in Silicon Valley. Similar to Sequoia, one of their E-mail accounts had been hacked and was used to send a money transfer request. In this case, the E-mail account was one of the partners'.
Interestingly, the money transfer request was not the “cookie-cutter” letter that attackers use across industries. Instead, it was crafted specifically for the venture capital use case. First, the recipient was not the CFO but one of the firm's investors, whom the attackers had identified as being in the process of sending funds to the VC. The letter referred to that process explicitly and requested that the funds be redirected to a different bank.
Had this been an opportunistic attack, in which an attacker gained access to the partner's E-mail account by chance, one would not expect such a tailored message. Moreover, the fact that the E-mail account was genuinely compromised in this case, rather than merely spoofed, further suggests that the attacker was sophisticated and may have targeted the VC from the outset.
There isn't enough information to determine whether the incident at Sequoia is related in any way to the one suffered by the other VC. However, considering the tailored nature of the observed attack, and that just a few months later a major VC was hit by a similar type of scam, VCs do appear to be in the crosshairs of at least one cybercriminal group. This should not be surprising. As BEC fraud becomes a more widely known threat, it is plausible that criminal groups specialising in it seek out niches where the threat is still relatively unknown.
How to Protect Yourself?
Venture capital firms should take extra measures to ensure that they are as protected from BEC fraud as possible. As the observed cases involved compromised E-mail accounts, enforce two-factor authentication on all E-mail accounts. Furthermore, make sure that your domains are protected from spoofing through the proper implementation of SPF, DKIM and DMARC.
As many BEC fraud attacks rely on registering lookalike domains, consider subscribing to a threat intelligence service that alerts you to any newly registered domains resembling yours. The first step towards mitigating cyber attacks is identifying them.
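As an added illustration of what such lookalike-domain monitoring does under the hood (this is example code, not from the original post or any particular service), the script below generates the typosquat permutations of a firm's domain to feed into a new-registration watchlist, and separately screens the domain of an inbound sender address against the firm's domain using an edit-distance check. The organisation domain, the TLD list, the homoglyph table and the sample sender addresses are all constructed assumptions; a real deployment would use the firm's actual domain and compare the watchlist against a registrar or certificate-transparency feed.

```python
ORG_DOMAIN = "examplevc.test"   # constructed stand-in for the firm's own domain

# Character swaps that read alike in a mail client and are commonly abused in
# lookalike registrations; both directions are included where they apply.
HOMOGLYPHS = {
    "a": ["4"], "e": ["3"], "i": ["1", "l"], "l": ["1", "i"], "o": ["0"],
    "s": ["5"], "m": ["rn"], "rn": ["m"], "w": ["vv"], "vv": ["w"],
}
# TLDs under which a lookalike of a VC's domain might be registered (constructed list).
ALT_TLDS = ["com", "net", "org", "co", "io", "vc", "capital", "ventures"]


def split_domain(domain):
    """'examplevc.test' -> ('examplevc', 'test')."""
    label, _, tld = domain.lower().rstrip(".").rpartition(".")
    return label, tld


def label_variants(label):
    """Generate single-edit permutations of a domain label (the typosquat families)."""
    variants = set()
    for i in range(len(label)):                         # omission and repetition
        variants.add(label[:i] + label[i + 1:])
        variants.add(label[:i] + label[i] + label[i:])
    for i in range(len(label) - 1):                     # adjacent transposition
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for i in range(1, len(label)):                      # hyphen insertion
        variants.add(label[:i] + "-" + label[i:])
    for src, replacements in HOMOGLYPHS.items():        # confusable substitution
        start = label.find(src)
        while start != -1:
            for rep in replacements:
                variants.add(label[:start] + rep + label[start + len(src):])
            start = label.find(src, start + 1)
    variants.discard(label)
    return variants


def generate_watchlist(domain=ORG_DOMAIN):
    """Lookalike domains worth watching for in new-registration feeds."""
    label, tld = split_domain(domain)
    watchlist = {f"{v}.{tld}" for v in label_variants(label)}
    watchlist |= {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return watchlist


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def screen_sender(address, org_domain=ORG_DOMAIN, max_distance=2):
    """Classify a sender address's domain as 'legitimate', 'lookalike' or 'unrelated'."""
    domain = address.rpartition("@")[2].lower().rstrip(".")
    org_domain = org_domain.lower()
    if domain == org_domain or domain.endswith("." + org_domain):
        return "legitimate"
    org_label, _ = split_domain(org_domain)
    if domain in generate_watchlist(org_domain) or org_label in domain:
        return "lookalike"            # exact permutation, or our name embedded in theirs
    label, _ = split_domain(domain)
    if edit_distance(label, org_label) <= max_distance:
        return "lookalike"            # close enough to pass for us at a glance
    return "unrelated"


if __name__ == "__main__":
    # Constructed sender addresses, as they might appear in inbound From: headers.
    for addr in ["partner@examplevc.test", "partner@mail.examplevc.test",
                 "partner@examp1evc.test", "partner@exarnplevc.test",
                 "partner@examplevc.co", "partner@example-vc.test",
                 "partner@someotherfirm.test"]:
        print(f"{addr:32} {screen_sender(addr)}")
```

The watchlist is the proactive half: compare it daily against newly registered domains and alert on any hit. screen_sender is the reactive half, suited to a mail-gateway rule that tags messages whose sender domain is a near miss of your own so that finance staff see a warning before acting on a payment request. The edit-distance threshold of 2 is a constructed default; tune it against your real domain, since a short label will produce false positives at that distance.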
Finally, awareness is essential to identifying and preventing potential scams. Consider informing your investors about the threat of BEC and ask them to report any suspicious activity to you.