Technology Industry News

How to Steal Over £500,000 from Three UK Private Equity Funds by Business Email


Check Point reveals scheme of hacker group manipulating emails and lookalike domains to steal cash by wire transfers


"I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker"
Lotem Finkelsteen, Check Point



Security researchers at Check Point have revealed how a sophisticated cybercrime gang, which they dubbed ‘The Florentine Banker,’ got away with over £500,000 following a complex business email compromise (BEC) attack against three UK private equity firms. 

 

Over several months, the Florentine Banker focused on its targets, manipulating email conversations, registering lookalike web domains, and cashing out wire transfers in phases. All in all, four separate bank transactions attempted to transfer £1.1M to unrecognized bank accounts. Emergency intervention by Check Point enabled the recovery of £570,000 of the transferred cash, leaving the rest as permanently lost (i.e. stolen) funds. Check Point researchers also uncovered a number of purchased domains unrelated to the targets mentioned, indicating that there are potentially more targets in the cybercrime gang's lineup.

 

The Florentine Banker initiated its attack by setting up a targeted phishing campaign against key people inside the victim companies, often CEOs and CFOs or those in charge of money transactions. In this case, the first phishing emails targeted only two people, one of whom provided their Office 365 email credentials. The phishing attacks then continued, persisting for weeks with alternating methods and occasionally adding new individuals to the list of targets, until the attackers gained a panoramic view of the entire financial picture of the company.

 

Check Point's researchers found the attackers followed a five-step process:

1. Observation. Once the attackers gain control over the victim’s Office 365 email account, they start reading their emails. The Florentine Banker can spend days, weeks or even months doing reconnaissance before actively intervening in the communication, patiently mapping the business scheme and procedures.

2. Control and Isolation. The attackers start to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. These email rules divert any emails with filtered content or subjects into a folder monitored by the threat group, creating a ‘Man in the Middle’ attack.

3. Lookalike setup. The attackers register lookalike domains - domains that look visually similar to the legitimate domains of the entities involved in the email correspondences they want to intercept. The attacker starts sending emails from the lookalike domains. They either create a new conversation or continue an existing one – deceiving the target.

4. Ask for money. The attackers begin injecting fraudulent bank account information through two techniques: a) intercepting legitimate wire transfers, or b) generating new wire transfer requests.

5. Money transfer. The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers will intercept and fix the rejects until the money is in their own hands.
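The lookalike-domain step above lends itself to a simple mail-flow check on the receiving side. The following is an added example, not Check Point's code: it normalizes common look-alike characters and uses edit distance to flag sender domains that resemble a list of trusted counterparty domains. All domains and addresses below are constructed placeholders, not the ones from the case.

```python
# Added example (not Check Point's code): flag sender domains that resemble
# a trusted counterparty's domain, as used in step 3 of the attack above.
# TRUSTED and SAMPLE_SENDERS are constructed placeholders.

# Visually confusable substitutions commonly seen in lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain: str) -> str:
    """Collapse look-alike characters so 'exarnple' and 'example' compare equal."""
    domain = domain.lower()
    for glyph, canon in HOMOGLYPHS.items():
        domain = domain.replace(glyph, canon)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender: str, trusted: list[str], max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    name = domain.split(".", 1)[0]          # label left of the first dot
    for good in trusted:
        good_name = good.split(".", 1)[0]
        if normalize(domain) == normalize(good):          # homoglyph swap
            return "lookalike"
        if name == good_name:                             # TLD swap (.com vs .co.uk)
            return "lookalike"
        if edit_distance(name, good_name) <= max_distance:  # typo-squat
            return "lookalike"
    return "unknown"


def triage(senders: list[str], trusted: list[str]) -> list[tuple[str, str]]:
    """List every sender that is not on the trusted list, with its verdict."""
    return [(s, v) for s in senders if (v := classify_sender(s, trusted)) != "trusted"]


TRUSTED = ["example-fund.co.uk", "partner-capital.com"]
SAMPLE_SENDERS = ["cfo@example-fund.co.uk", "cfo@exarnple-fund.co.uk",
                  "cfo@example-fund.com", "ops@partner-capita1.com", "news@unrelated.org"]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS, TRUSTED):
        print(f"{verdict:9} {sender}")
```

A "lookalike" verdict is a trigger for the out-of-band verification call recommended later in the article, not proof of fraud on its own.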

 

In the case of the British private equity funds, a total of seven different domains were used by the attackers, either as lookalike domains or as a website to serve the phishing pages. Check Point found 39 additional lookalike domains registered between 2018 and 2020, clearly trying to masquerade as a variety of legitimate businesses that may have been targeted by the Florentine Banker as well. To protect the privacy of the potential victims, Check Point will not share the lookalike domains or the targeted brands. Check Point Research is contacting these organizations to prevent the next BEC heist.

 

Check Point's Manager of Threat Intelligence, Lotem Finkelsteen, said: "These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses. I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker."

 

During its investigation, Check Point did not find definitive evidence of the origins of the Florentine Banker, but it does have some clues that may indicate origin:

1. Only conversations or transactions conducted in English were intercepted and modified.

2. During the two months that the Florentine Banker group spent inside the victim’s environment, they operated Monday through Friday.

3. Fraudulent bank accounts were located in Hong Kong and the United Kingdom.

4. Several email threads in Hebrew included valuable leads that were not used by the attacker - which leads us to assume they do not speak Hebrew.

5. A Hong Kong based company name was used for the fraudulent money transfers in which the Florentine Banker group requested a wire transfer directly from the victim’s bank contact. It appears that this company was either fake or previously registered and has since gone out of business.

 

To protect against business email compromise and phishing attacks, Check Point recommends organizations do the following:

1. Incorporate email security. Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users into exposing their organization credentials or clicking on a malicious link or file are the number one threat in the email space. Organizations must always incorporate an email security solution designed to prevent such attacks automatically, using continuously updated security engines.

2. Educate your employees. Provide proper and ongoing education of employees about the evolving threat landscape.

3. Add verification. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.

4. Notify business partners. If a similar breach has been detected in your organization, make sure to notify all your business partners as well – any delay in notification only works for the benefit of the attacker.
