
How a cyber-gang with a posh name stole millions from private equity firms

A cybercrime gang with a moniker reminiscent of a Bond villain has pulled off a sophisticated cyber heist, taking NZ$2.7 million from three different British private equity firms, according to new data from Check Point Research.

The gang, dubbed ‘The Florentine Banker’ by researchers, succeeded in its campaign by manipulating email correspondences, registering lookalike domains, and cashing out in phases. 

Four separate bank transactions attempted to transfer $2.3 million to unrecognised bank accounts.

Emergency intervention by Check Point enabled the recovery of only $1.2 million, leaving the rest as permanently lost funds. 

Researchers concluded that there are potentially more targets in the Florentine Banker’s sights, after recovering several domains purchased by the group that are unrelated to the three known victims.

The Florentine Banker’s strategy

After selecting a target, the Florentine Banker initiates its attack by setting up a targeted phishing campaign against key people inside the victim’s company, such as CFOs or other executives who oversee funds.

The first phishing emails targeted only two personnel, one of whom provided their credentials.

The phishing attacks then continue, persisting for weeks in alternating methods, occasionally adding new individuals to the list of targets until the attackers gain a panoramic view of the entire financial picture of the company.

After gleaning high-level credentials from the victims, the Banker’s operation then proceeds in five distinct stages:

Once the attackers gain control over the victim’s email account, they start reading their emails. 

The Florentine Banker can spend days, weeks or even months doing reconnaissance before actively intervening in the communication, patiently mapping the business scheme and procedures.

Control and isolation 

The attackers start to isolate the victim from third parties and internal colleagues by creating malicious mailbox rules. 

These email rules divert any emails with filtered content or subjects into a folder monitored by the threat group, essentially creating a ‘man-in-the-middle’ attack.

Lookalike setup

The attackers register lookalike domains - domains that look visually similar to the legitimate domains of the entities involved in the email correspondences they want to intercept. 

The attacker then sends emails from the lookalike domains. They either create a new conversation or continue an existing one - thus deceiving the target into presuming the source of the email is legitimate.
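As an added illustration of how a defender can screen inbound mail for the lookalike-domain pattern described above (example code, not from the Check Point report or this article), the Python below normalises the sender domain, compares it against an assumed list of trusted partner domains, and flags near-misses, including replies that continue an existing thread. The trusted domains, confusable-character list and sample message are all constructed.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed list of domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"acme-capital.co.uk", "example-partners.com"}

# Substitutions commonly seen in lookalike domains (assumed list, not from the report).
CONFUSABLES = (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Fold accented/Unicode characters to ASCII and undo common confusable swaps."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats and added or dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str) -> str:
    """'trusted' = exact match, 'lookalike' = near-miss of a trusted domain, else 'unknown'."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    n = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if n == normalize(trusted) or levenshtein(n, normalize(trusted)) <= 2:
            return "lookalike"
    return "unknown"


def check_message(raw: str) -> dict:
    """Classify the From: domain; a lookalike that continues a thread matches the pattern above."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    return {"domain": domain, "verdict": classify_sender(domain),
            "continues_thread": msg.get("In-Reply-To") is not None}


# Constructed sample: a reply in an existing thread sent from a lookalike of a trusted partner.
SAMPLE = ("From: Jane Doe <jane@acme-capita1.co.uk>\nTo: cfo@victim.example\n"
          "In-Reply-To: <thread-1@victim.example>\nSubject: Re: wire details\n\nPlease use the new account.\n")
```

Running `check_message(SAMPLE)` returns a `lookalike` verdict with `continues_thread` set, the combination worth routing to a human before any banking details are acted on.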

Intercept funds

The attackers begin injecting fraudulent bank account information by both intercepting legitimate wire transfers and generating new wire transfer requests.

Money transfer

The Florentine Banker manipulates the conversation until the third party approves the new banking details and confirms the transaction. If the bank rejects the transaction due to a mismatch in the account currency, beneficiary name or any other reason, the attackers step in to resolve the rejections until the money is in their own hands.

“These are times in which wire transfers are very common – from day-to-day actions to government stimulus packages for both citizens and businesses,” says Check Point manager of threat intelligence Lotem Finkelsteen.

“I urge everyone to pay extra attention to what goes in and out of their inboxes, for you may be corresponding with the Florentine Banker.”
