Agari Turns the Table on ‘London Blue’ Hacking Campaign

A hacker group known as “London Blue” has compiled a list of 35,000 chief financial officers, including some at the world’s biggest banks and mortgage companies, with the intent to target them with bogus requests to transfer money.

CFO-Targeting Phishing Campaign

The “London Blue” hackers are the latest group to specialize in “business email compromise” (BEC) campaigns, according to the cyber threat detection company Agari, which found a list of 50,000 targets, mostly accounting department employees.

This past July the FBI warned that this type of scam, where a chief financial officer is rushed into transferring money to an unknown account, is on the rise and had cost companies more than $12 billion since 2013, with the total number of victims reaching over 78,000.

The Discovery

Agari discovered the group when it tried to trick the cybersecurity company’s own chief financial officer with a spoof email that purported to be from the chief executive — a practice known as “whaling” because a hacker disguises themselves as one of the biggest fish at the company.

Agari engaged with the attackers to find out more about which bank accounts they were using to make transactions. The company says the London Blue group is based in Nigeria but has extended its operations with 17 potential collaborators in western Europe and the US.

Agari Takes Action

Agari has handed its evidence to US and UK law enforcement agencies. If members of the hacking group are found to be based in the UK and US, it could be easier to prosecute them than if they are located in other jurisdictions.

Crane Hassold, senior director of threat research at Agari, said it had seen evidence that the hackers had been successful in some cases, including a “money mule” persuading a bank’s loss prevention unit that a transaction for more than $20,000 was valid.

“It is pure social engineering,” Mr. Hassold said, as the attack depends on playing with people’s minds rather than sophisticated technology. “The reason it is on the rise is because it has been proven to work.”

London Blue

The group acts like a “modern corporation”, with units carrying out lead generation, financial operations and human resources functions, Agari said. The hackers are using contact lists acquired from two data brokers, usually used by marketers and sales teams, to select their targets.

“London Blue’s effectiveness depends on working with commercial data brokers to assemble lists of target victims around the world. Doing so gives it the attack volume of a mass spam campaign, but with the target-specific customization of spear-phishing attacks,” the researchers said in a report.

The list of potential victims showed more than half were in the US, with others in the UK, Spain, Finland, the Netherlands and Mexico.

Financial services was the number one industry targeted, followed by construction, real estate and healthcare.

Key Takeaway

Employee Training! Employee training is an effective way to defend yourself against BEC scams and all forms of phishing. Train your employees to recognize scam emails and to verify the sender’s identity before proceeding with any requests in the email.

