Security researchers at Check Point have revealed how a sophisticated cybercrime gang, which they dubbed ‘The Florentine Banker,’ got away with over £500,000 following a complex business email compromise (BEC) attack against three UK private equity firms.
Over several months, the Florentine Banker focused on its targets, manipulating email conversations, registering lookalike web domains, and cashing out wire transfers in phases. In total, four separate bank transactions attempted to move £1.1M to unrecognized bank accounts. Emergency intervention by Check Point enabled the recovery of £570,000 of the transferred cash; the remainder was permanently lost (i.e. stolen). Check Point researchers also uncovered a number of purchased domains unrelated to the targets mentioned, indicating that there are potentially more targets in the cybercrime gang's lineup.
The Florentine Banker initiated its attack by setting up a targeted phishing campaign against key people inside the victim companies, typically CEOs and CFOs or those in charge of money transactions. In this case, the first phishing emails targeted only two people, one of whom provided their Office 365 email credentials. The phishing attacks then continued for weeks, alternating methods and occasionally adding new individuals to the list of targets, until the attackers had gained a panoramic view of the company's entire financial picture.
Check Point’s researchers found the attackers followed a five-step process:
1. Observation. Once the attackers gain control over the victim’s Office 365 email account, they start reading their emails. The Florentine Banker can spend days, weeks or even months doing reconnaissance before actively intervening in the communication, patiently mapping the business scheme and procedures.
2. Control and Isolation. The attackers start to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. These rules divert any email whose content or subject matches the attackers' filters into a folder the threat group monitors, so the victim never sees the diverted messages and the attackers sit in a ‘Man in the Middle’ position on the correspondence.
3. Lookalike setup. The attackers register lookalike domains – domains that look visually similar to the legitimate domains of the entities involved in the email correspondence they want to intercept. The attackers then start sending emails from the lookalike domains, either creating a new conversation or continuing an existing one, deceiving the target.
4. Ask for money. The attackers begin injecting fraudulent bank account information through the following two techniques:
a. Intercepting legitimate wire transfers
b. Generating new wire transfer requests
5. Money transfer. The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers will intercept and fix the rejects until the money is in their own hands.
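Steps 2 and 3 above leave artifacts a defender can look for: the diverting mailbox rules, and sender domains that resemble a trusted correspondent's domain. The following is an added example, not code from the Check Point report, showing both checks in one script. The sample rules are constructed and only loosely shaped like a Microsoft Graph messageRule object (an assumption; real rules reference folder IDs rather than names), the trusted domain `acme-capital.example` is a placeholder and not a real victim, and the confusable map is a deliberately small subset of the Unicode confusables table.

```python
import re
import unicodedata

# --- Part 1: inbox rules that isolate the victim (step 2) -------------------
# Constructed sample rules (assumption: loosely Graph messageRule-shaped).
SAMPLE_RULES = [
    {"displayName": "Newsletters",
     "conditions": {"subjectContains": ["newsletter"]},
     "actions": {"moveToFolder": "Junk Email"}},
    {"displayName": ".",  # blank or punctuation-only names are a common tell
     "conditions": {"subjectContains": ["invoice", "wire", "transfer"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"displayName": "fwd",
     "conditions": {"bodyContains": ["bank", "account"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ops@mail-relay.test"}}],
                 "delete": True}},
]

FINANCE_TERMS = {"invoice", "wire", "transfer", "bank", "account", "payment",
                 "iban", "swift", "remittance"}
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def suspicious_rules(rules):
    """Return [(displayName, reasons)] for rules that could hide or siphon mail."""
    findings = []
    for rule in rules:
        name = rule.get("displayName", "")
        conditions = rule.get("conditions", {})
        actions = rule.get("actions", {})
        reasons = []

        keywords = {kw.lower()
                    for key in ("subjectContains", "bodyContains", "bodyOrSubjectContains")
                    for kw in conditions.get(key, [])}
        finance_hits = sorted(keywords & FINANCE_TERMS)

        # Any forward/redirect is reportable on its own: mail leaves the mailbox.
        targets = [r["emailAddress"]["address"]
                   for act in FORWARD_ACTIONS for r in actions.get(act, [])]
        if targets:
            reasons.append("forwards mail to " + ", ".join(targets))
        hides = False
        if "moveToFolder" in actions:
            hides = True
            reasons.append("moves matching mail to %r" % actions["moveToFolder"])
        if actions.get("delete"):
            hides = True
            reasons.append("deletes matching mail")
        if actions.get("markAsRead"):
            reasons.append("marks matching mail as read")
        nondescript = not re.search(r"[A-Za-z0-9]{3,}", name)

        # Hiding mail is only suspicious when paired with finance keywords or a
        # nondescript rule name; a plain "Newsletters -> Junk" rule is not flagged.
        if targets or (hides and (finance_hits or nondescript)):
            if finance_hits:
                reasons.append("matches finance keywords: " + ", ".join(finance_hits))
            if nondescript:
                reasons.append("rule name is blank or non-descriptive")
            findings.append((name, reasons))
    return findings


# --- Part 2: lookalike sender domains (step 3) ------------------------------
# Small confusable map (assumption); production code should use the full
# Unicode confusables data and an IDN-aware normaliser.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize_domain(domain):
    """Lower-case, strip accents and collapse common look-alike sequences."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(c for c in d if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, trusted_domains):
    """Return the trusted domain that sender_domain imitates, or None when the
    sender is that domain itself, one of its subdomains, or unrelated."""
    raw = sender_domain.lower().rstrip(".")
    if any(raw == t.lower() or raw.endswith("." + t.lower()) for t in trusted_domains):
        return None
    s = normalize_domain(sender_domain)
    for original in trusted_domains:
        norm = normalize_domain(original)
        base = norm.split(".")[0]
        if (s == norm                                              # confusables only
                or edit_distance(s, norm) <= 2                     # typo-squat
                or (len(base) >= 6 and base in s.split(".")[0])):  # brand embedded
            return original
    return None


TRUSTED = ["acme-capital.example"]  # constructed placeholder, not a real victim

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print("rule %r: %s" % (name, "; ".join(reasons)))
    for sender in ["acme-capital.example", "mail.acme-capital.example",
                   "acme-capita1.example", "acrne-capital.example",
                   "acme-capital.example.co", "unrelated-ventures.test"]:
        print("%-28s -> %s" % (sender, lookalike_of(sender, TRUSTED)))
```

Both checks are heuristics and will need tuning: the rule check deliberately lets a descriptively named filing rule through, and the domain check flags anything within two edits of a trusted domain, which on short brand names produces false positives that a real deployment should whitelist.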
In the case of the British private equity funds, a total of seven different domains were used by the attackers, either as lookalike domains or as a website to serve the phishing pages. Check Point found 39 additional lookalike domains registered between 2018 and 2020, clearly intended to masquerade as a variety of legitimate businesses that may also have been targeted by the Florentine Banker. To protect the privacy of the potential victims, Check Point will not share the lookalike domains or the targeted brands. Check Point Research is contacting these organizations to prevent the next BEC heist.
Check Point’s Manager of Threat Intelligence, Lotem Finkelsteen said: “These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses. I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker.”
During its investigation, Check Point did not find definitive evidence of the Florentine Banker's origins, but it does have some clues that may point to them:
1. Only conversations or transactions conducted in English were intercepted and modified.
2. During the two months that the Florentine Banker group spent inside the victim’s environment, they operated Monday through Friday.
3. Fraudulent bank accounts were located in Hong Kong and the United Kingdom.
4. Several email threads in Hebrew included valuable leads that were not used by the attacker – which leads us to assume they do not speak Hebrew.
5. A Hong Kong based company name was used for the fraudulent money transfers in which the Florentine Banker group requested a wire transfer directly from the victim’s bank contact. It appears that this company was either fake or previously registered and has since gone out of business.
To protect against business email compromise and phishing attacks, Check Point recommends organizations do the following:
1. Incorporate email security. Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
2. Educate your employees. Provide proper and ongoing education of employees about the evolving threat landscape.
3. Add verification. When dealing with wire transfers, always add a second verification by calling either the person who requested the transfer or the receiving party, using a phone number already on file rather than one supplied in the email that requested the change.
4. Notify business partners. If a similar breach has been detected in your organization, make sure to notify all your business partners as well – any delay in notification only works for the benefit of the attacker.