Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:20 PM
Connect Directly

Cybercrime Group Steals $1.3M from Banks

A look at how the so-called Florentine Banker Group lurked for two months in a sophisticated business email compromise attack on Israeli and UK financial companies.

A cybercriminal group dubbed the Florentine Banker Group launched advanced business email compromise (BEC) attacks on leading Israeli and UK financial firms, stealing $1.3 million dollars in just four separate transactions.

Unlike a basic BEC where an attacker sends one or two emails posing as an executive in the victim organization, the Florentine Banker Group stole email credentials and lurked for two months before diverting important wire transfers worth millions of dollars, a new report by Check Point Research shows.

According to Check Point, only $600,000 was recovered via some emergency intervention immediately after the attack. 

"People need to understand that these attacks happen fast," says Lotem Finkelstein, Check Point's threat intelligence group manager. "In most instances, once the wire transfers are made, they are lost for good; our clients were lucky to even get half of their money back." 

Finkelstein says Check Point had been watching the activities of The Florentine Banker Group for at least six months before his firm started working with the victims last December. The targeted companies are three large UK and Israeli financial sector firms that weekly transfer large sums (in the millions of dollars) to new partners and third-party providers.

The Scam

Here's how the attackers pulled it off: Phishing emails targeting two top officials were sent over several weeks, and they only occasionally added new people to the list of targets until they finally gained access to the victim's email account.

Once the attackers gained control of a victim's email account, they were able to read through their emails to understand the different channels used by the victim to conduct money transfers, the victim's relationships with other third parties such as clients, lawyers, accountants, and banks, and finally, key roles inside the victim company.

Finkelstein says the next step was to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. In this case, emails with pre-defined words such as "invoice," "returned," or "fail," would be moved to another folder not commonly used by the victim, such as the RSS folder.

"The attackers would only move over a couple of emails into the RSS folder, move them in a way that they wouldn't be noticed by the victim," Finkelstein says.

Richard Henderson, head of global threat intelligence at Lastline, says at this point the attackers had total visibility into the victim's email. So they could wait until the email authorizing a wire transfer was sent, interrupt it, and then send the wire transfer instructions to a bank account held by the fraudsters.

In one case, the attackers noticed a planned transaction with a third party in which the firm suggested using a UK bank account speed up the process. However, the company that was to receive the funds transfer said they didn’t have a UK bank account. The attackers then saw an opportunity: they provided an alternative UK bank account via a phony email and intercepted the payment.

"It's very ingenious how these schemes operate," Henderson says. "Most of us have a couple of hundred emails that we get every day so we wouldn't miss one or two emails if they were diverted to a hidden folder. To the victim, everything looks normal, they don't find out about the stolen money until the bank or the business partner calls 30 days later and asks what happened to the payment."

While ransomware gets a lot of the press, BECs are big business for hackers and deserve a lot more attention, says Peter Firstbrook, a research vice president at Gartner.

Firstbrook adds that the FBI recently reported that there was $1.7 billion stolen in BECs in 2019 alone. That's a massive amount of money compared to the $144 million stolen in bitcoin from ransomware attacks over the past six years. In the most prolific cases, a BEC cost Toyota $37 million and Nikkei $29 million. 

So how can organizations protect themselves?

Check Point's Finkelstein says while organizations must always deploy an email security solution, they can't rely on technology alone. They have to consider the human factor. This includes training the staff on how to spot bad links and fraudulent emails, and setting up processes where the people responsible for large wire transfers add a second verification factor by either calling the person who asked to make the transfer, or calling the receiving party. 

Lastline's Henderson adds that companies need to set aside their top people and educate them on the need for multifactor authentication. He says when CEOs or CFOs make their confirmation calls, they have to have the direct office phone or personal cell phone numbers of the receiving parties and be really sure they are speaking to the right people.

"There's more money in cybercrime than most people realize," says Lastline's Henderson. "You're not looking for a needle in a haystack, you're really looking at atoms in a haystack."

Related Content:

A listing of free products and services compiled for Dark Reading by Omdia analysts to help meet the challenges of COVID-19. 

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's featured story: "5 Ways to Prove Security's Worth in the Age of COVID-19"

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...
PUBLISHED: 2020-07-10
A SQL injection vulnerability in the user and admin web interfaces of Sophos XG Firewall v18.0 MR1 and older potentially allows an attacker to run arbitrary code remotely. The fix is built into the re-release of XG Firewall v18 MR-1 (named MR-1-Build396) and the v17.5 MR13 release. All other version...
PUBLISHED: 2020-07-10
Incorrect file permissions in Citrix ADC and Citrix Gateway before versions 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 allows privilege escalation.
PUBLISHED: 2020-07-10
Improper input validation in Citrix ADC and Citrix Gateway versions before 13.0-58.30, 12.1-57.18, 12.0-63.21, 11.1-64.14 and 10.5-70.18 and Citrix SDWAN WAN-OP versions before 11.1.1a, 11.0.3d and 10.2.7 allows reflected Cross Site Scripting (XSS).