[BreachExchange] Hackers Trick 3 British Private Equity Firms Into Sending Them $1.3 Million

Destry Winant destry at riskbasedsecurity.com
Mon Apr 27 10:05:57 EDT 2020


In a recent highly targeted BEC attack, hackers managed to trick three
British private equity firms into wire-transferring a total of $1.3
million to the bank accounts fraudsters have access to — while the
victimized executives thought they closed an investment deal with some

According to the cybersecurity firm Check Point, who shared its latest
investigation with The Hacker News, nearly $700,000 of the total wire
transferred amount has permanently lost to the attackers, with the
rest of the amount recovered after researchers alerted the targeted
firms in time.

Dubbed 'The Florentine Banker,' the sophisticated cybercrime gang
behind this attack, "seems to have honed their techniques over
multiple attacks, from at least several years of activity and has
proven to be a resourceful adversary, quickly adapting new
situations," the researchers said.

'The techniques they use, especially the lookalike domains technique,
present a severe threat — not only to the originally attacked
organization but also to the third-parties with whom they communicated
using the lookalike domain.'

The security firm said previous spear-phishing campaigns launched by
the same group of hackers mainly targeted the manufacturing,
construction, legal, and finance sectors located in the US, Canada,
Switzerland, Italy, Germany, and India, among others.

How did hackers do it?

The investigation follows Check Point's previous report published last
December, which described a similar BEC (business email compromise)
incident that resulted in the theft of $1 million from a Chinese
venture capital firm.

The amount, which was seed funding intended for an Israeli startup,
was instead routed to a bank account under the attacker's control via
a carefully-planned man-in-the-middle (MITM) attack.

The fraud scheme, which has since caught three UK and Israeli based
finance firms in the net, works by sending phishing emails to high
profile individuals in the target organization to gain control of the
account and carry out extensive reconnaissance to understand the
nature of business and the key roles inside the company.

In the next phase, the attackers tamper with the victim's Outlook
mailbox by creating new rules that would divert relevant email to a
different folder, such as the RSS Feeds folder, that's not commonly
used by the individual in question.

Aside from infiltrating the high-level corporate email account and
monitoring messages, the hackers register separate lookalike domains
that mimic the legitimate domains of the entities involved in the
email correspondences they want to intercept, thus allowing them to
perpetrate a MITM attack by sending emails from the fraudulent domains
on behalf of the two parties.

'For example, if there was a correspondence between 'finance-firm.com'
and 'banking-service.com,' the attackers could register similar
domains like 'finance-firms.com' and 'banking-services.com,' the team

Put differently, the Florentine Banker group sent one mail each from
the spoofed domains to the counterparty, thus inserting itself into
the conversation and deceiving the recipient into thinking that the
source of the email is legitimate.

'Every email sent by each side was in reality sent to the attacker,
who then reviewed the email, decided if any content needed to be
edited, and then forwarded the email from the relevant lookalike
domain to its original destination,' Check Point researchers said in a
separate blog post on BEC scams.

Armed with this set-up, the attackers then begin injecting fraudulent
bank account information (associated with accounts located in Hong
Kong and the UK) in the emails to intercept money transfers and
initiate new wire requests.

FBI Sounds Warning Against BEC Attacks

Business email compromise (BEC) attacks have surged in recent years as
organized cybercrime groups try to profit off email scams directed
against big businesses.

Last month, Palo Alto Networks' Unit 42 threat intelligence team
examined BEC operations working out of Nigeria, uncovering that the
group — dubbed 'SilverTerrier' — carried out an average of 92,739
attacks a month in 2019.

According to the Federal Bureau of Investigation's 2019 Internet Crime
Report, BEC-related scams alone accounted for 23,775 complaints
amounting to losses of over $1.7 billion.

In an advisory published by the FBI early this month, the agency
warned of cybercriminals conducting BEC attacks through cloud-based
email services, adding the scams cost US businesses more than $2.1
billion between 2014 and 2019.

'Cybercriminals analyze the content of compromised email accounts for
evidence of financial transactions,' the FBI warned. 'Often, the
actors configure mailbox rules of a compromised account to delete key
messages. They may also enable automatic forwarding to an outside
email account.'

The bureau also issued a separate warning highlighting how crooks are
updating the profitable scam technique to capitalize on the ongoing
coronavirus pandemic and perform fraudulent wire transfers.

In the face of such ongoing threats, it's recommended that users turn
on two-factor authentication to secure their accounts and ensure fund
transfer and payment requests are verified through phone calls
confirming the transaction.

For more guidance on how to mitigate the risk, head to the FBI's alert here.

More information about the BreachExchange mailing list