Pune Auto Parts Firm Loses ₹2.35 Crore in Man-in-the-Middle Attack

A Pune-based automobile parts manufacturer fell victim to a sophisticated man-in-the-middle (MITM) cyber attack, resulting in a loss of ₹2.35 crore. 

The 52-year-old director of the company filed an FIR with the cybercrime police station after discovering that fraudsters impersonating executives from an Italian manufacturing firm had intercepted business communications and redirected payments to fraudulent accounts.

Key Takeaways
1. ₹2.35 crore loss, Pune auto parts firm defrauded by cybercriminals impersonating Italian manufacturing company executives.
2. Attackers used fake email domain similar to legitimate Italian firm to intercept ₹3.1 crore machine purchase communications.
3. After receiving 25% advance payment, fraudsters claimed bank account issues and redirected remaining funds to fake accounts.
4. Fraud detected when Pune company contacted genuine Italian sales executive; FIR filed with cyber crime police.

Email Spoofing Intercepts Business Communications

According to the Indian Express report, the cybercriminals employed advanced email spoofing techniques to execute this business email compromise (BEC) attack.

They created a fraudulent email domain that closely resembled the legitimate Italian company’s domain name, utilizing what cybersecurity experts term “domain spoofing” or “typosquatting.” 

The attackers intercepted communications between the Pune firm and the Italian manufacturer during a legitimate business transaction for purchasing a press bending machine worth 320,000 Euros (approximately ₹3.1 crore).

The fraudsters demonstrated sophisticated social engineering skills by monitoring the email exchanges and gathering detailed information about the ongoing business dealings. 

They leveraged this intelligence to create convincing proforma invoices that appeared identical to legitimate documents. 

This attack vector, classified as an “on-path” attack, exploits the lack of end-to-end encryption in standard email protocols and the absence of proper email authentication mechanisms like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting & Conformance).
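To make the typosquatting and DMARC points concrete, here is an added Python example, not code from the article or from any firm it mentions. It classifies an inbound From: address against a constructed allowlist of supplier domains, flagging homoglyph swaps, one-or-two-character near misses and domains that embed the supplier's name, and it rates the policy in a DMARC TXT record so that a p=none (report-only) policy is not mistaken for protection. The domains, headers and records are constructed; TRUSTED_DOMAINS, normalize_domain, classify_sender and dmarc_policy_strength are this example's own names.

```python
"""Lookalike-domain and DMARC policy checks for inbound supplier mail.

Added example; not code from the article or from any firm it mentions.
Every domain, header and DMARC record here is constructed for illustration.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: domains of suppliers the finance team actually pays.
TRUSTED_DOMAINS = {"example-presses.it", "example-bank.it"}

# Digits commonly swapped for look-alike letters in typosquats.
_DIGIT_TO_LETTER = str.maketrans("0135", "oles")


def normalize_domain(domain):
    """Fold a domain into a canonical form so visual look-alikes compare equal.
    Simplified: handles NFKC (e.g. full-width characters), digit/letter swaps
    and the 'rn'->'m' / 'vv'->'w' tricks; it does not decode IDN/punycode."""
    d = unicodedata.normalize("NFKC", domain.strip().lower().rstrip("."))
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_DIGIT_TO_LETTER)


def levenshtein(a, b):
    """Edit distance; a small distance between domains signals a near miss."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from):
    """Extract the domain from a From: header value, or None if unparseable."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def _second_level_label(domain):
    # "example-presses.it" -> "example-presses" (crude: ignores multi-part suffixes)
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender(header_from, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain).
    verdict is 'trusted', 'lookalike', 'unknown' or 'unparseable'."""
    domain = sender_domain(header_from)
    if domain is None:
        return ("unparseable", None)
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize_domain(domain)
    for t in sorted(trusted):
        tnorm = normalize_domain(t)
        if (norm == tnorm                                # homoglyph / digit swap
                or levenshtein(norm, tnorm) <= 2         # one or two characters off
                or _second_level_label(tnorm) in norm):  # supplier name embedded
            return ("lookalike", t)
    return ("unknown", None)


def dmarc_policy_strength(record):
    """Rate a DMARC TXT record: 'strong', 'partial', 'monitor-only' or 'invalid'.
    A p=none policy only reports spoofing of the domain; it does not stop it."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "reject" and pct == 100:
        return "strong"
    if policy in ("reject", "quarantine"):
        return "partial"
    if policy == "none":
        return "monitor-only"
    return "invalid"


if __name__ == "__main__":
    for hdr in ("Sales <sales@example-presses.it>",
                "sales@examp1e-presses.it",
                "sales@example-presses.co",
                "info@unrelated.example"):
        print(hdr, "->", classify_sender(hdr))
    print(dmarc_policy_strength("v=DMARC1; p=none; rua=mailto:dmarc@example-presses.it"))
```

A 'lookalike' verdict is a reason to route the message to a human reviewer rather than to block it outright, since legitimate suppliers do occasionally change domains; the point is that a changed or near-miss domain and a changed bank account arriving together should never be accepted on the strength of the email alone.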

The attack reached its culmination when the Pune company had already paid 25% of the machine cost (₹75 lakh) in April and May 2025. 

Before the scheduled payment of the remaining 75%, the fraudsters sent a deceptive email claiming the Italian company’s Milan-based bank account was temporarily non-operational. 

The email directed the victim to transfer funds to an alternative account controlled by the cybercriminals.

The Pune firm, failing to detect the sophisticated deception, secured a loan of ₹2.25 crore and transferred ₹2.35 crore to the fraudulent account in two separate transactions during the first and second weeks of June 2025. 

The fraud was discovered only when the company contacted the genuine Italian firm’s India-based sales executive to confirm the payment receipts.

Organizations are recommended to deploy multi-factor authentication (MFA), implement SSL/TLS encryption for all email communications, and establish DMARC policies to prevent domain spoofing.

The Pune and Pimpri Chinchwad cybercrime police stations have specifically advised companies to conduct regular security audits of their email systems and provide cybersecurity awareness training to accounting staff. 

Critical recommendations include verifying any changes in payment instructions through direct telephonic conversations and implementing a dual-approval process for high-value transactions.
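The verification and dual-approval controls above can be written down as a payment-release check that finance systems apply before any high-value transfer. The following Python is an added example, not code from the article, the police advisories or any firm mentioned. The VendorRecord and PaymentInstruction types, evaluate_payment and the 1 crore dual-approval threshold are this example's own assumptions, and the vendor record and the request (shaped like the one in the article: a changed bank account justified by an 'account non-operational' story) are constructed.

```python
"""Payment-change control for supplier invoices.

Added example; not code from the article, the police advisories or any firm
it mentions. The vendor master record, threshold and instructions below are
constructed for illustration.
"""
from dataclasses import dataclass

# Constructed policy threshold: payments at or above this need two approvers.
DUAL_APPROVAL_THRESHOLD = 10_000_000  # 1 crore, in rupees


@dataclass(frozen=True)
class VendorRecord:
    """What finance established at onboarding, independent of any email."""
    name: str
    bank_account: str     # beneficiary account on file
    callback_phone: str   # verification number on file, never taken from an email
    email_domain: str     # domain the supplier actually sends from


@dataclass(frozen=True)
class PaymentInstruction:
    """A payment request as it arrives, plus the controls applied so far."""
    vendor: str
    amount: int
    bank_account: str
    sender_domain: str
    requested_by: str
    approvers: tuple = ()
    callback_verified: bool = False   # set only after a call to the number on file


def evaluate_payment(instr, vendor):
    """Return ('pay', []) or ('hold', [reasons]) for a payment instruction."""
    holds = []
    if instr.sender_domain.lower() != vendor.email_domain.lower():
        holds.append("instruction came from a domain that does not match the vendor record")
    if instr.bank_account != vendor.bank_account and not instr.callback_verified:
        holds.append("beneficiary account differs from the account on file; "
                     f"confirm by phone on {vendor.callback_phone} before paying")
    if instr.amount >= DUAL_APPROVAL_THRESHOLD:
        others = {a for a in instr.approvers if a != instr.requested_by}
        if len(others) < 2:
            holds.append("amount requires two approvers other than the requester")
    return ("pay", []) if not holds else ("hold", holds)


# Constructed vendor record and a request shaped like the one in the article:
# a new bank account, sent from a look-alike domain, for the remaining balance.
VENDOR = VendorRecord("Example Presses S.r.l.", "IT-ACCT-ON-FILE",
                      "+39-00-0000-0000", "example-presses.it")

SUSPECT_REQUEST = PaymentInstruction(
    vendor=VENDOR.name, amount=23_500_000, bank_account="IT-ACCT-NEW",
    sender_domain="examp1e-presses.it", requested_by="ap-clerk")


if __name__ == "__main__":
    print(evaluate_payment(SUSPECT_REQUEST, VENDOR))
```

The design point is that callback_verified can only be set by a person who dialled the number on the vendor record, and that the second approver must be someone other than the requester; either control alone would have stopped the transfer described above, since the only evidence for the new account was the email that asked for it.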
