The security company Check Point Research has revealed details of a cyber heist from private equity firms that once again relied on a time-worn tactic: simple email phishing. The story started when a cybercrime gang known as the “Florentine Banker” targeted three UK private equity companies for a potential wire transfer heist. The thieves targeted high-ranking officials in those companies, including CEOs and CFOs, via phishing attacks.
Once the thieves gained control over the officials’ emails, they monitored them over weeks and months to figure out how the companies did business and spot opportunities. To make sure no one would notice any suspicious activities, the hackers created mailbox rules that diverted emails relevant to the theft to special inboxes monitored by the gang — creating a “man in the middle” attack.
The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.
Next, the thieves registered lookalike domains visually similar to the domains of the companies involved in the email chains. Since the hackers had diverted legitimate messages, they could create new conversations or continue existing ones, with the target assuming that the email source was genuine.
At that point, the team was ready to demand money for what seemed like real investments. By posing as legitimate email correspondents, they could easily do that by substituting their own banking information for that of a bona fide party. That allowed them to intercept legitimate wire transfers and even create new ones.
“The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction,” according to Check Point. “If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers are there to fix the rejects until the money is in their own hands.”
These types of attacks show how easy it (still) is for malicious players to manipulate emails in a way that’s easily missed by busy or inattentive company officials. Check Point said that, via an “emergency intervention,” it managed to recover about half of the £1.1 million in funds (around $1.3 million), but the rest of the money was lost.
As such, it advised companies to incorporate email security, educate employees and partners immediately, and add second-party verification by direct phone calls. These things all seem obvious, especially for firms dealing in large amounts of money, but we’ve obviously still got a lot to learn.