UK-Nigerian ‘London Blue’ hacking gang target CFOs in phishing campaign

Nigerian cyber criminals have extended their reach into the UK as part of a wider campaign to target chief financial officers (CFOs) from businesses of all sizes and sectors.

The 'London Blue' hacking gang managed to generate a list of more than 50,000 high profile targets from a broad range of companies during a five-month period this year for future business email compromise (BEC) phishing campaigns.

Executives and financial leaders from several of the world's biggest banks are listed, according to researchers from cyber security firm Agari, while London Blue is predominately targeting mortgage companies. Such scams will focus on stealing real estate purchases or lease payments.

Moreover, the BEC attack emails London Blue launches typically contain no malware; the group instead sends fraudulent payment requests to finance teams. As a result, the emails are difficult to detect by the range of counter-measures firms typically employ to block harmful material.

"In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing - using specific knowledge about a target's relationships to send a fraudulent email - and turned it into massive BEC campaigns," the report said.

"Each attack email requesting a money transfer is customised to appear to be an order from a senior executive of the company.

It added: "Conventional spear-phishing requires time-consuming research to gather the info needed for the attack to be successful - identifying individuals with access to move funds, learning how to contact them, and learning their organisational hierarchies. However, commercial lead-generation services have allowed London Blue to shortcut gathering the necessary data for thousands of target victims at a time."

Of the 'London Blue' hit list, 71% of targets held the title CFO, while the remainder were senior members of finance teams including finance directors, controllers and members of accounting. The majority of targets are based in the US, with remaining targets based in a host of nations including Spain, the UK, Finland, and Egypt.

The group itself also operates through an organisational structure resembling that of a generic corporation, with members carrying out specialised functions. These include business intelligence, financial operations, human resources, sales management, email marketing and sales.

Firstly, London Blue members would generate leads for potential targets before engaging in open source reconnaissance to gather any missing information such as their email addresses or names.

Test emails will be sent to other London Blue members to make sure attack emails are sent before the BEC attack emails are sent, and mule accounts that are set up to receive funds share the spoils to the key players in the group.

According to Agari researchers, lead generation is also dependent on business with commercial data providers, with attackers most recently relying on one San Francisco-based firm to collect names, company, titles, work email and personal email addresses.

"This report demonstrates that cybercriminal groups continue to evolve and are using formal business strategies and structure to more effectively carry out their scams," the report continued.

"London Blue's use of legitimate commercial sales prospecting tools shows the out-of-box thinking these groups employ to identify new targets. The pure scale of the group's target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location."

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.