No Phishing! Protecting Against Business Email Compromise

By Lotem Finkelsteen, Manager of Threat Intelligence, at Check Point, 

Looks at how business email compromise attacks have stolen millions from private equity firms, and how businesses can best protect themselves.

Fraudulent wire transfers can be tricky for malicious actors to pull off – but the payback for doing so successfully can be substantial. Recently, a sophisticated cybercriminal group dubbed the Florentine Banker managed to trick three private equity firms into transferring £1.1 million to unrecognized bank accounts. Just £570,000 has been recovered, meaning the criminals got away with over half a million pounds.

And if this story sounds familiar, it’s because just last year, Check Point released a report about a similar case investigated by our incident response team – an incident where attackers were able to steal $1M of funds, which were supposed to be transferred from a Chinese venture capital to an Israeli startup company. In other words, private equity firms are being specifically targeted by cybercriminals looking to set up fraudulent wire transfers. But how is it done? And what are the lessons for other businesses in the financial industry?

Understanding the targets

Lotem Finkelsteen

In this particular instance, the targeted organizations were three large UK and Israeli-based finance sector firms – often handling and transferring large sums of money to new partners and third-party providers on a weekly basis. They all used Office 365 as their main email provider.

Having selected a target, the group launched a targeted phishing campaign against key individuals within the company – generally senior figures who would be in charge of executing money transactions. Typically, the phishing emails were designed to look like they came from Office 365, claiming that the system had prevented the delivery of new messages and inviting the recipient to ‘review’ them by clicking on a malicious link.

The goal was to gain control of the victim’s email account, and from there five sophisticated attack stages took place:

Step 1: Observation

This stage focused on reading the target’s emails on order to understand the different channels used to conduct money transfers, the target’s relationships with third parties and other key roles within the company. Careful reconnaissance, often over a period of several months, is the foundation of myriad successful cyberattacks.

Step 2: take control &isolate the targets

After carefully studying the victim’s organization, the attackers began to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. These email rules would divert any emails with interesting content or subjects into a folder monitored by the threat group, essentially creating a type of “Man in the Middle” attack.

For example, any email containing pre-defined words such as “invoice”, “returned” or “fail” would be moved to another folder not commonly used by the victim, such as the “RSS Feeds” folder.

Step 3: Lookalike domains

From there, the attackers registered lookalike domains which looked similar to the legitimate domains of the entities involved in the email correspondences they wanted to intercept. This enabled them to create new conversations – or continue existing ones – without the targets noticing the slight change to the domain name sending the email.

Step 4: show me the money

Then the attackers began injecting fraudulent bank account information, either by intercepting legitimate wire transfers with “new” bank account details, or by generating all new wire transfer requests.

Step 5: money transfer

Assuming success via the above stages, the criminals were then able to manipulate the conversation until the third party approved the new banking details and confirmed the transaction. If the bank rejected the transaction due to a mismatch in the account currency, beneficiary name or for any other reason, the attackers were still there to fix the rejects until the money was in their own hands.

A growing risk

Private equity and venture capital firms have become lucrative target for business email compromise (BEC) operations like these. The fact that VC’s are often involved in transfers of large amounts of money, often to new partners and recipients, makes them the perfect target to introduce new and fraudulent transactions.

The Florentine Banker group seems to have honed their techniques over multiple attacks, from at least several years of activity and has proven to be a resourceful adversary, quickly adapting new situations.

The techniques they use, especially the lookalike domains technique, present a severe threat – not only to the originally attacked organization, but also to the third-parties with whom they communicated using the lookalike domains. The attackers can continue and try initiate fraudulent activity with the third-parties with whom trust has been established, long after the main target has detected and removed the intruder from their network.

So how should private equity firms protect themselves against these stealthy, sophisticated BEC attacks?  We recommend four key steps:

1. Email is by far the number one vector for attackers to infiltrate business networks. Phishing emails baiting users to expose their organization credentials or to click on a malicious link/file are the number one threat in the email space. Organizations must always incorporate an email security solution, designed to prevent such attacks automatically utilizing continuously updated security engines.
2. Educate your employees – proper and ongoing education of employees to the evolving threat landscape. This does not just mean asking them to read a quick guide on joining the company – it means an ongoing, evolving program of awareness and education, in line with the evolving threat landscape. Crucially, it must go all the way up to the most senior members of the organization, who are most likely to be the targets of this kind of attack.
3. When dealing with wire transfers, always make sure to add a second verification by either calling the person who asked to make the transfer or calling the receiving party.
4. If a similar breach has been detected in your organization, make sure to notify all your business partners as well – any delay in notification only works for the benefit of the attacker.

Intelligence-based security engines incorporating advanced anti-phishing are now available, which use behavioral analysis to prevent phishing attacks like this from ever taking root in an organization. With potentially millions at risk, they should be a critical part of any private equity firm’s arsenal.