According to the cybersecurity firm Check Point, who shared its latest investigation with The Hacker News, nearly $700,000 of the total wire transferred amount has permanently lost to the attackers, with the rest of the amount recovered after researchers alerted the targeted firms in time.
Dubbed 'The Florentine Banker,' the sophisticated cybercrime gang behind this attack, "seems to have honed their techniques over multiple attacks, from at least several years of activity and has proven to be a resourceful adversary, quickly adapting new situations," the researchers said.
'The techniques they use, especially the lookalike domains technique, present a severe threat — not only to the originally attacked organization but also to the third-parties with whom they communicated using the lookalike domain.'
The security firm said previous spear-phishing campaigns launched by the same group of hackers mainly targeted the manufacturing, construction, legal, and finance sectors located in the US, Canada, Switzerland, Italy, Germany, and India, among others.
How did hackers do it?
The investigation follows Check Point's previous report published last December, which described a similar BEC (business email compromise) incident that resulted in the theft of $1 million from a Chinese venture capital firm.
The amount, which was seed funding intended for an Israeli startup, was instead routed to a bank account under the attacker's control via a carefully-planned man-in-the-middle (MITM) attack.
The fraud scheme, which has since caught three UK and Israeli based finance firms in the net, works by sending phishing emails to high profile individuals in the target organization to gain control of the account and carry out extensive reconnaissance to understand the nature of business and the key roles inside the company.
In the next phase, the attackers tamper with the victim's Outlook mailbox by creating new rules that would divert relevant email to a different folder, such as the RSS Feeds folder, that's not commonly used by the individual in question.
Aside from infiltrating the high-level corporate email account and monitoring messages, the hackers register separate lookalike domains that mimic the legitimate domains of the entities involved in the email correspondences they want to intercept, thus allowing them to perpetrate a MITM attack by sending emails from the fraudulent domains on behalf of the two parties.
'For example, if there was a correspondence between 'finance-firm.com' and 'banking-service.com,' the attackers could register similar domains like 'finance-firms.com' and 'banking-services.com,' the team said.
Put differently, the Florentine Banker group sent one mail each from the spoofed domains to the counterparty, thus inserting itself into the conversation and deceiving the recipient into thinking that the source of the email is legitimate.
'Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination,' Check Point researchers said in a separate blog post on BEC scams.
Armed with this set-up, the attackers then begin injecting fraudulent bank account information (associated with accounts located in Hong Kong and the UK) in the emails to intercept money transfers and initiate new wire requests.
FBI Sounds Warning Against BEC Attacks
Business email compromise (BEC) attacks have surged in recent years as organized cybercrime groups try to profit off email scams directed against big businesses.
Last month, Palo Alto Networks' Unit 42 threat intelligence team examined BEC operations working out of Nigeria, uncovering that the group — dubbed 'SilverTerrier' — carried out an average of 92,739 attacks a month in 2019.
According to the Federal Bureau of Investigation's 2019 Internet Crime Report, BEC-related scams alone accounted for 23,775 complaints amounting to losses of over $1.7 billion.
In an advisory published by the FBI early this month, the agency warned of cybercriminals conducting BEC attacks through cloud-based email services, adding the scams cost US businesses more than $2.1 billion between 2014 and 2019.
'Cybercriminals analyze the content of compromised email accounts for evidence of financial transactions,' the FBI warned. 'Often, the actors configure mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.'
The bureau also issued a separate warning highlighting how crooks are updating the profitable scam technique to capitalize on the ongoing coronavirus pandemic and perform fraudulent wire transfers.
In the face of such ongoing threats, it's recommended that users turn on two-factor authentication to secure their accounts and ensure fund transfer and payment requests are verified through phone calls confirming the transaction.
For more guidance on how to mitigate the risk, head to the FBI's alert here.