A recent business email compromise (BEC) attack spree ended up taking about $700K (£600K) from financial institutions in the UK and Israel, but the total damage would have been over $1.3M (£1.1.M) if financial industry policies had not allowed for the emergency recovery of some of the funds.
The attackers, given the colorful moniker of “The Florentine Banker,” stalked their victims for months with targeted phishing attacks and used advanced lookalike domains to both intercept scheduled wire transfers and make requests for new ones. These attacks provide a good benchmark for how far reasonably capable cyber criminals are willing to go to pull off BEC attacks, and what the higher end of their capabilities look like.
“Low and slow” BEC attacks
The campaign was uncovered and documented by Check Point Research, a cybersecurity firm based in California and Tel Aviv. The BEC attacks began in mid-December of last year, with three large financial services companies being hit by several fraudulent transactions that totaled $1.3 million between them. Only about half of that amount ended up being recovered.
The Florentine BEC attacks unfolded with remarkable patience and precision, taking about two months to come to fruition. The attackers began by choosing targets known to transfer large sums of money to multiple third parties on a weekly basis. They then drilled down to targeted spear phishing directed at no more than several company employees, usually high-ranking executives with the authority to approve large financial transactions.
The attackers appeared to also target staff known to use Office 365, sending phishing emails purporting to be from Microsoft technical support indicating that action was needed on a cache of emails that were not delivered due to an error. The link led to a phishing site with a fake login prompt to harvest credentials.
With this foothold in the network, the next phase of the BEC attacks was to slowly and surreptitiously comb through the victim’s inbox by hand to discern who the company regularly transfers large sums of money to. The attackers took their time studying the parties involved, their relationships and the internal company processes to fabricate very authentic-looking transfer requests.
Once the attackers were ready to act, they would begin isolating the victim’s inbox from the rest of the corporate network by setting up mailbox rules to divert incoming emails of interest (such as those about invoices or purchase orders) to an obscure existing folder that the victim would not normally check. The attackers then registered fake domains with a strong similarity to those of the target parties corresponding with the victim, URLs that one might not notice are different at a casual glance. Fraudulent requests for money transfers would then come in from these domains.
In some cases, the attackers simply forged an entirely new wire transfer request from scratch and sent it to the victim from one of these fake domains. In other cases, they would alter an intercepted request and forward it back to the main inbox of the victim with the bank routing numbers altered.
The security researchers at Check Point did not turn up the identity of the threat group, but their research found that the bank accounts the funds were being diverted to were located in the United Kingdom and Hong Kong. The attackers only communicated in English, and in the case of the compromised Israeli bank appeared to ignore some emails in Hebrew that would have provided them with lucrative exploitation opportunities.
BEC attacks on the rise
BEC attacks like this one thrive in busy environments, particularly in large organizations where an executive probably receives 100 or more emails in a day. A missing invoice most likely won’t be noticed, and the vendor may not follow up about it for a month or more.
BEC is one of the fastest-growing segments of cyber crime, so much so that the FBI issued a warning about it in April. Losses have increased year-over-year since 2013, hitting $1.7 billion in 2019. BEC attacks are popular as they can require no more “hacking” than the successful targeted phishing of the right executive, something that can potentially be done by an amateur with a pre-made phishing kit; once inside the corporate network, it becomes a matter of subterfuge and social engineering. The payoffs are also direct and large, not requiring criminals to take on the added layer of risk of attempting to sell exfiltrated information on the dark web or use it to execute another type of scam.
Preventing phishing is the key to stopping most of the major types of cyber attack; BEC attacks should, at least in theory, be easier to prevent since the potential targets are limited to staff with the ability to approve large money transactions and vendor payments. Check Point’s security recommendations certainly apply across the organization, but particularly to executives who are the critical element in this type of exploit.
Check Point’s advice on phishing prevention is fairly standard industry best practice — regular training of and reminders to employees as the first line of defense, plus an automated email security solution to cut down on attempts and provide remediation measures if an account is compromised. The company adds some advice specific to wire transfers, however, suggesting that a policy of having a secondary verification be in place before funds are released. Lotem Finkelsteen, Check Point’s Manager of Threat Intelligence, also believes similar BEC scams may be seen outside of the financial sector: “These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses. I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker.”