Once both sides realised the money was gone, they also noticed something strange going on with the emails between the two parties, as some of the emails were modified and some were not even written by them.
At this point, the CEO of the Israeli start-up engaged the Check Point Incident Response Team (CP IRT) to investigate the fraudulent money transfer.
What started as a normal Business Email Compromise (BEC) quickly turned into something else, Matan Ben David, Incident Response Analyst at Check Point, wrote in a report on Thursday.
The investigation revealed that a few months before the money transaction was made, the attacker noticed an email thread announcing the upcoming multi-million-dollar seeding fund and decided to do something about it.
Instead of just monitoring the emails by creating an auto forwarding rule, as is seen in the usual BEC cases, this attacker decided to register two new lookalike domains.
The first domain was essentially the same as the Israeli start-up domain, but with an additional 's' added to the end of the domain name. The second domain closely resembled that of the Chinese VC company, but once again added an 's' to the end of the domain name.
The attacker then sent two emails with the same headline as the original thread. The first email was sent to the Chinese VC company from the Israeli lookalike domain, spoofing the email address of the Israeli start-up's CEO.
The second email was sent to the Israeli start-up from the lookalike Chinese VC company domain, spoofing the VC account manager that handled this investment.
This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack, the research revealed.
Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.
Throughout the entire course of this attack, the attacker sent 18 emails to the Chinese side and 14 to the Israeli side.
Patience, attention to detail and good reconnaissance on the part of the attacker made this attack a success.
To avoid such an attack, the researchers recommended that when dealing with wire transfers, organisations should always make sure to add a second verification by either calling the person who asked to make the transfer, or calling the receiving party.
Ensure your email infrastructure is able to keep audit and access logs for at least six months, David said.
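
A mail-side check for the lookalike-domain pattern described above, as an added example that is not part of the original report: it flags any sender domain that is one character away from a trusted domain, which covers the appended 's' used in this case and generalises to other single-character edits. The domains and sample headers are constructed placeholders, since the report does not name the real ones.

```python
from email.utils import parseaddr

# Constructed placeholder domains (assumption): stand-ins for the two real parties.
TRUSTED_DOMAINS = {"startup.example", "venture.example"}

# Constructed sample From: header values.
SAMPLE_HEADERS = [
    "CEO <ceo@startup.example>",
    "CEO <ceo@startups.example>",
    "Account Manager <am@ventures.example>",
    "Newsletter <news@unrelated.example>",
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Extract the lower-cased domain from a From: header value."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower().rstrip(".")


def classify(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched trusted domain or None) for one sender."""
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted", domain
    for good in sorted(trusted):
        # An appended 's' is a one-character insertion, so distance 1 catches it.
        if edit_distance(domain, good) == 1:
            return "lookalike", good
    return "unknown", None


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(header, "->", classify(header))
```

The verdict is based on the address inside the angle brackets, not the display name, so a familiar name in front of a near-miss domain is still flagged.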