The “Florentine Banker” Cybercrime Gang Trick C Level Executives From 3 British Firms To Send Them £1.5 M

A cybercrime gang is known as ‘Florentine Banker,’ steal more than 1.1M GBP by tricking the top-level executives of the 3 British firms following a complicated Business Email Compromise (BEC) attack. 

Though, the attack retort that the team grasped the indications and identified that there must be some conflicts, that occurred to inform the banks regarding the four unusual transaction attempts, and permitted them to resume nearly £570,000.


Well, the outstanding £530,000 were recorded as “lost funds,” indeed, it was not stuck anywhere in the banking system, because the amount has been taken away by the hackers.

However, this was also revealed that they used a domain technique that indicates a severe attack. And it also seems that the hackers are experienced with several techniques of hacking.

First Interact

Initially, the group conducts a highly targeted phishing campaign upon individuals, especially those who are operating for the target company.

However, the individuals include CEO, CFO, or we can say, other high standard employees. Well, the main motive of the attackers is to phish individuals who generally holds the authorization to make money transaction.

According to the report, the hacking group targeted two individuals and continued the process for weeks, until they got a comprehensive glimpse of the financial viewpoint of the targeted business.

After getting full control over their email credentials of any one of the targets, they can quickly get access to the essential representative’s interactions with lawyers, accountants, banks, and different fundamental employees in the firm.

How Did Hackers Do It?

Now people might think that how did they do it? The attackers simply intrude with the target’s Outlook mailbox by formulating new commands that will easily redirect important email to a separate folder, just like the RSS Feeds folder, as it’s not used by the individual generally.

Email flow example: before and after the setup

Not only this, but the hackers also register separate similar domains that mimic the legitimate domains of the entities involved in the email correspondences that they want to intercept, which allow them to perpetrate a MITM attack by sending emails from the fraud domains on behalf of both the parties. 

Additional Targets

During the investigation of this above operation, which is conducted by the Florentine Banker group, the security company, Check Point’s Incident Response Team (CPIRT) have collected forensics data and observed the use of different domains that were carried in this operation.

In the investigation, the security researchers found that seven different domains were utilized by the attackers, which are similar lookalike domains, or a website to serve the Phishing pages.

They stated that they managed to collect all the information from several WHOIS portals. They got unique knowledge with the help of WHOIS portals, as the information they found on several WHOIS portals simply influenced them to find extra 39 similar domains that are registered throughout 2018-2020. 

Well, now it might be clear for you that the main motive of finding this information is to reveal all the illegitimate data that has been carried out till now also by the same hacker group, yes, the Florentine Banker group.

Florentine Banker Origins

Throughout the whole investigation, the actual evidence of the Florentine Banker hacker group did not get revealed, but, still, the security researchers did witness plenty of clues that simply indicated their origin that we have mentioned below:-

  • Only the conversations and transactions that are administered in English were prevented and transformed.
  • Throughout the two months, the Florentine Banker group simply spent inside the victim’s environment, and not only that, even they only operated through Monday to Friday.
  • Fake bank accounts were also settled in Hong Kong and the United Kingdom.
  • Various email strings in Hebrew combined relevant leads that were not utilized by the attacker, and this simply leads the security researchers to understand that they do not talk in Hebrew.
  • A Hong Kong-based company’s name was utilized for the fake money transfers, and the Florentine Banker group demanded a wire transfer straight from the victim’s bank contact. This simply cleared that this company was either fake or previously registered.

For these types of hacks and scams, security researchers always recommend every netizens and company to stay alert about the security threats, as with time hackers and their techniques are also evolving. That’s why to protect against this sort of attack, we also strongly recommended you to consolidate your email security. 

Notably, every employee of financial organizations must get the proper training and guidance regarding phishing and many other threats. Well, the methods that they have utilized are similar to the domain that indicates severe warnings.

Also Read:

Gmail Blocks 18 Million COVID-19 Themed Phishing and Malware Campaign in A Week

Hackers Steal 25,000 Email Addresses and Passwords From NIH, WHO, Gates Foundation And Others Are Dumped Online

Researchers Discovered a New Method that Let Hackers to Run Malicious Code Via RDP

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.