Across four transactions, cybercriminals attempted to transfer £1.1 million to third-party accounts; only 570 thousand pounds of it were returned, according to the results of a cyber incident investigation by Check Point Software Technologies Ltd. (a cybersecurity solutions provider). The CPIRT team had previously investigated a similar case, in which hackers stole $1 million from the account of a Chinese venture capital firm, money that was intended for an Israeli startup.
In their report, Check Point's experts tell the story of a cybercriminal group they named “Florentine Banker”. The group targeted four large financial-sector companies in the UK and Israel. These companies transfer significant sums every week to new partners and third parties, and all of them use the Office 365 email service.
The attack method was targeted phishing. The emails were addressed to the companies' top managers, the general or financial directors (the CEOs or CFOs) responsible for cash transactions.
In this case the attackers chose two employees as phishing targets, one of whom handed over the data the attackers needed. A single phishing campaign can last weeks or months, until the fraudsters have a complete picture of the companies' financial activities. To succeed, the attackers use a variety of tactics, alternate methods and change recipient lists.
After studying the organization's processes in detail, the fraudsters began isolating the victim from communication with both third parties and colleagues by creating mailbox rules. These rules diverted any email containing data of interest to the attackers into a folder that they monitored, effectively creating a man-in-the-middle position. For example, if an email mentioned words such as “invoice”, “returned” or “refused”, it was moved to a folder the victim did not use.
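Mailbox rules of this kind leave a visible trace in the mailbox configuration, so a defender can audit them. The following Python script is an added example, not part of the Check Point report or this article; it triages a constructed rule export whose fields are modelled on what Exchange Online's Get-InboxRule cmdlet exposes (SubjectContainsWords, BodyContainsWords, MoveToFolder, ForwardTo, MarkAsRead, DeleteMessage). The sample rules, the keyword list and the placeholder internal domain finance-firm.com are all assumptions.

```python
"""Audit Office 365 inbox rules for the mail-hiding pattern described above.

Added example; the sample rules are constructed and modelled on the fields
that Exchange Online's Get-InboxRule cmdlet exposes. The tenant values are
placeholders, not data from the article.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Words the article reports the attackers filtered on, plus common variants.
FINANCE_KEYWORDS = ("invoice", "returned", "refused", "payment", "wire", "bank details", "remittance")
# Folders a user seldom opens; attackers park diverted mail here.
HIDDEN_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items", "archive")
# Domains the organisation owns (placeholder); forwarding anywhere else is external.
INTERNAL_DOMAINS = ("finance-firm.com",)


@dataclass
class InboxRule:
    name: str
    subject_contains: List[str] = field(default_factory=list)
    body_contains: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    forward_to: List[str] = field(default_factory=list)
    mark_as_read: bool = False
    delete_message: bool = False


def rule_findings(rule: InboxRule) -> List[str]:
    """Return human-readable reasons why a rule looks like a mail-diversion rule."""
    findings = []
    phrases = [p.lower() for p in rule.subject_contains + rule.body_contains]
    hits = sorted({kw for kw in FINANCE_KEYWORDS if any(kw in p for p in phrases)})
    if hits:
        findings.append("filters finance keywords: " + ", ".join(hits))
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDDEN_FOLDERS:
        findings.append(f"moves mail to rarely-viewed folder '{rule.move_to_folder}'")
    external = [a for a in rule.forward_to if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if rule.mark_as_read:
        findings.append("marks diverted mail as read")
    if rule.delete_message:
        findings.append("deletes mail")
    if len(rule.name.strip()) <= 1:
        findings.append("near-empty rule name")  # attackers often name rules '.' or ' '
    return findings


def triage(rules: List[InboxRule]) -> Dict[str, Tuple[str, List[str]]]:
    """Map rule name -> (severity, findings) for every rule with something suspicious.

    A finance-keyword filter combined with a hiding action (move, forward,
    mark read, delete) is exactly the article's pattern and is rated HIGH.
    """
    report = {}
    for rule in rules:
        reasons = rule_findings(rule)
        if not reasons:
            continue
        has_keywords = any(r.startswith("filters finance") for r in reasons)
        has_hide = any(r.startswith(("moves mail", "forwards", "marks", "deletes")) for r in reasons)
        severity = "HIGH" if has_keywords and has_hide else "MEDIUM" if has_hide else "LOW"
        report[rule.name] = (severity, reasons)
    return report


# Constructed sample export (not real tenant data).
SAMPLE_RULES = [
    InboxRule("Newsletters", subject_contains=["newsletter"], move_to_folder="Reading"),
    InboxRule(".", subject_contains=["invoice", "returned", "refused"],
              move_to_folder="RSS Feeds", mark_as_read=True),
    InboxRule("Backup", body_contains=["payment"], forward_to=["ops@finance-firms.com"]),
]

if __name__ == "__main__":
    for name, (severity, reasons) in triage(SAMPLE_RULES).items():
        print(f"[{severity}] rule {name!r}: " + "; ".join(reasons))
```

Run against a real export, the same triage would be applied to the rules of every mailbox in the tenant, since the article's attackers planted rules only after they had a foothold in a specific executive's mailbox, and those rules persist until someone looks for them.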
The attackers' next step was to register fake domains that are visually almost identical to the domains of the partners and third parties the victim corresponds with by email. For example, if correspondence takes place between finance-firm.com and banking-service.com, the hackers can use the very similar variations finance-firms.com and banking-services.com. From the fake domains the scammers then emailed the victims, either continuing an existing email thread or starting a new one. In this way they deceived the victim, who assumed he was still communicating with a legitimate representative of the partner company.
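Lookalike domains can be caught at the mail gateway by comparing each sender domain against the organisation's list of trusted partner domains. The Python below is an added example, not Check Point's tooling or anything from the report; the partner list is built from the two domain names the article uses, the sample messages are constructed, and the confusable-character table and the distance threshold of 2 are assumptions a deployment would tune.

```python
"""Flag sender domains that are near-copies of known partner domains.

Added example; KNOWN_DOMAINS and SAMPLE_MESSAGES are constructed from the
domain names used in the article, not from real traffic.
"""
from typing import Dict, List, Optional, Tuple

KNOWN_DOMAINS = {"finance-firm.com", "banking-service.com"}

# Character sequences that look alike on screen; both sides are folded to one
# canonical spelling before comparison (this is a comparison aid, not a rewrite).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def fold_confusables(domain: str) -> str:
    for lookalike, canonical in CONFUSABLES:
        domain = domain.replace(lookalike, canonical)
    return domain


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> Tuple[str, str]:
    """Naive split into (label, tld); e.g. 'finance-firm.com' -> ('finance-firm', 'com')."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_of(sender_domain: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Return (trusted_domain, distance) if sender_domain imitates a trusted domain, else None.

    The exact-match test uses the raw domain so that a confusable-spoofed name
    (e.g. 'firrn' for 'firm') is still reported, with distance 0 after folding.
    """
    raw = sender_domain.lower().rstrip(".")
    if raw in {k.lower() for k in known}:
        return None
    s_label, s_tld = split_domain(fold_confusables(raw))
    best = None
    for trusted in known:
        k_label, k_tld = split_domain(fold_confusables(trusted.lower()))
        # A swapped TLD (.co for .com) counts as one more edit.
        d = levenshtein(s_label, k_label) + (0 if s_tld == k_tld else 1)
        if d <= max_distance and (best is None or d < best[1]):
            best = (trusted, d)
    return best


def screen(messages: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return an alert per message whose sender domain imitates a trusted domain.

    A lookalike sender continuing an existing thread ('Re:') is the article's
    thread-hijacking pattern and is rated HIGH; a fresh thread is MEDIUM.
    """
    alerts = []
    for msg in messages:
        domain = msg["from"].split("@")[-1]
        hit = lookalike_of(domain)
        if hit is None:
            continue
        severity = "HIGH" if msg["subject"].lower().startswith("re:") else "MEDIUM"
        alerts.append({"from": msg["from"], "imitates": hit[0], "distance": str(hit[1]), "severity": severity})
    return alerts


# Constructed sample traffic (not real messages).
SAMPLE_MESSAGES = [
    {"from": "cfo@finance-firm.com", "subject": "Re: Q2 payment"},
    {"from": "cfo@finance-firms.com", "subject": "Re: Q2 payment - updated bank details"},
    {"from": "ops@banking-services.co", "subject": "Invoice 4471"},
    {"from": "news@unrelated-vendor.com", "subject": "Newsletter"},
    {"from": "ap@finance-firrn.com", "subject": "Re: wire confirmation"},
]

if __name__ == "__main__":
    for alert in screen(SAMPLE_MESSAGES):
        print(f"[{alert['severity']}] {alert['from']} imitates {alert['imitates']} (distance {alert['distance']})")
```

The same comparison is worth running in the other direction as well: the article notes that the group keeps operating against a victim's partners after it has been evicted, so the partners' gateways need the victim's domain on their trusted list to catch mail from its lookalike.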
The fraudsters then kept the conversation going until the third party approved the new bank details and confirmed the transaction. If the bank rejected the transfer because of a mismatch in the account currency or the recipient name, or for any other reason, the attackers corrected the discrepancies until the money ended up in their own hands.
That is what happened in this case. The attackers monitored the correspondence with the bank contact, made the necessary corrections and got the parties to complete the transaction into their fraudulent account. During this attack the group intercepted three transfers and irrevocably moved 600 thousand pounds to themselves.
Origin of the “Florentine Banker” Group:
- During the investigation, evidence was found that could help establish where the group operates from.
- All of the emails and transactions the fraudsters intercepted were in English.
- During the two months the hackers spent inside the victim company's environment, they worked from Monday to Friday.
- The fraudsters' bank accounts were in Hong Kong and England.
- Some emails written in Hebrew contained potentially useful information that the cybercriminals did not use, which suggests that they do not speak the language.
- For the bank transfers, the name of a Hong Kong company was used that was either fictitious or previously registered but no longer operating.
The methods used by the Florentine Banker group, especially the “double domain” (lookalike domain) technique, pose a serious threat not only to the compromised company but also to its partners. Even after the hackers are discovered and removed from the victim company's network, they can continue to exploit the victim's partners, clients or banks for their own purposes.