In a recent highly targeted BEC attack, attackers tricked three British private equity firms into wiring a total of $1.3 million to bank accounts under fraudulent control, while the firms believed they had closed an investment deal with a startup.
According to cyber security firm Check Point, which shared its latest investigation with The Hacker News, nearly $700,000 of the total wired amount has been permanently lost to the attackers; the remainder was recovered after the researchers alerted the targeted companies in time.
Dubbed "The Florentine Banker," the sophisticated cybercrime gang behind this attack "seems to have honed its techniques over multiple attacks, from at least several years of activity, and has proved to be a resourceful adversary, quickly adapting to new situations," the researchers said.
"The techniques they use, particularly the lookalike domain technique, present a serious threat, not only to the organization originally attacked, but also to the third parties with whom they communicated using the lookalike domain."
The security firm said that previous spear-phishing operations launched by the same group of hackers primarily targeted the manufacturing, construction, legal and finance sectors in the US, Canada, Switzerland, Italy, Germany and India.
How did hackers do it?
The investigation follows Check Point's previous report published last December, which described a similar BEC (business email compromise) incident that resulted in the theft of $1 million from a Chinese venture capital firm.
The amount, which was seed funding for an Israeli startup, was sent to a bank account under the attacker's control through a carefully planned man-in-the-middle (MITM) attack.
The fraud scheme, which caught three UK- and Israel-based finance firms in its net, works by sending phishing emails to gain control of email accounts inside the organization, then performing comprehensive reconnaissance to understand the nature of the business and the key roles inside the company.
In the next step, the attackers tamper with the victims' Outlook mailbox settings so that the relevant emails are diverted to a separate folder, such as the RSS Feeds folder, which the person does not typically use.
In addition to intruding into high-level corporate email accounts and monitoring messages, the attackers register separate lookalike domains that mimic the legitimate domains of the entities involved in the correspondence. This lets them intercept the conversation and complete the MITM attack by exchanging email with both sides from the fraudulent domains.
"For example, if there is a correspondence between finance-firm.com and banking-service.com, the attackers can register similar domains like finance-firms.com and banking-services.com," the team said.
Put differently, the Florentine Banker group sent mail to each of the counterparties from the spoofed domain, thereby inserting themselves into the conversation and tricking each recipient into believing that the email came from a legitimate source.
Check Point researchers stated, in a separate blog post on the BEC scam, that every email sent by either party actually went to the attacker, who reviewed it, decided whether any content needed to be edited, and then forwarded it from the relevant lookalike domain to its original destination.
Armed with this setup, they then began injecting fraudulent bank account details (linked to accounts located in Hong Kong and the UK) into emails to intercept money transfers and initiate new wire requests.
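The lookalike-domain technique described above is easy to miss by eye, because a single extra letter is all that separates the fraudulent domain from the real one. The following Python script is an added example (not code from the article or from Check Point) showing how a defender can triage inbound mail: it pulls the sender domain from each message header, compares it against a list of known counterparty domains, and flags any domain within a small edit distance of a known one as a lookalike. The counterparty list and the sample headers are constructed for illustration and reuse the domain names quoted by the researchers.

```python
"""Flag lookalike sender domains in email correspondence.

Added example, not from the original article. The counterparty
allowlist and the sample messages below are constructed assumptions.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains this firm legitimately corresponds with.
KNOWN_COUNTERPARTIES = {"finance-firm.com", "banking-service.com"}

# Constructed sample headers: two legitimate senders, two lookalikes.
SAMPLE_MESSAGES = [
    "From: Deal Team <deals@finance-firm.com>\nSubject: Closing docs\n\nbody",
    "From: Treasury <ops@banking-service.com>\nSubject: Wire instructions\n\nbody",
    "From: Deal Team <deals@finance-firms.com>\nSubject: RE: Closing docs\n\nbody",
    "From: Treasury <ops@banking-services.com>\nSubject: RE: Wire instructions\n\nbody",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(raw_message: str) -> str:
    """Extract the lower-cased domain from the From: header."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str, known=KNOWN_COUNTERPARTIES, max_distance: int = 2) -> str:
    """Return 'known', 'lookalike of <domain>', or 'unknown'.

    A domain that is not on the allowlist but sits within max_distance
    edits of an allowlisted one is the pattern the article describes
    (finance-firm.com vs finance-firms.com) and is flagged for review.
    """
    if domain in known:
        return "known"
    for legit in sorted(known):
        if levenshtein(domain, legit) <= max_distance:
            return f"lookalike of {legit}"
    return "unknown"


def triage(messages) -> list:
    """Map each message to (sender domain, classification)."""
    return [(sender_domain(m), classify_domain(sender_domain(m))) for m in messages]


if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_MESSAGES):
        print(f"{domain:24} {verdict}")
```

In practice the allowlist would be populated from the counterparties in an active deal, and a "lookalike" verdict would route the message to a quarantine or a human check rather than the recipient's inbox; the same comparison can be run over the Return-Path and Reply-To headers, since those are the fields a reply actually goes to.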
Source: Tech Rander