UK-Nigerian 'London Blue' hacking gang targets CFOs in phishing campaign

Hit list of 50,000 financial leaders primed for wave of business email compromise (BEC) attacks

Nigerian cyber criminals have extended their reach into the UK as part of a wider campaign to target chief financial officers (CFOs) from businesses of all sizes and sectors.

The 'London Blue' hacking gang managed to generate a list of more than 50,000 high profile targets from a broad range of companies during a five-month period this year for future business email compromise (BEC) phishing campaigns.

Executives and financial leaders from several of the world's biggest banks are listed, according to researchers from cyber security firm Agari, while London Blue is predominantly targeting mortgage companies. Such scams aim to divert real estate purchase or lease payments.

Moreover, the BEC attack emails London Blue launches typically contain no malware; the group instead sends fraudulent payment requests to finance teams. As a result, the emails are difficult to detect by the range of counter-measures firms typically employ to block harmful material.

"In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing - using specific knowledge about a target's relationships to send a fraudulent email - and turned it into massive BEC campaigns," the report said.

"Each attack email requesting a money transfer is customised to appear to be an order from a senior executive of the company."

It added: "Conventional spear-phishing requires time-consuming research to gather the info needed for the attack to be successful - identifying individuals with access to move funds, learning how to contact them, and learning their organisational hierarchies. However, commercial lead-generation services have allowed London Blue to shortcut gathering the necessary data for thousands of target victims at a time."
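Because these emails carry no malware, a mail gateway has to score the message itself. The following is an added defender-side example, not code from Agari or the article: it checks a message for the indicators the report describes (an executive's display name on an address that is not the one on record, an external sender domain, a Reply-To that diverts replies, and payment-transfer language). The company domain, the executive directory and the sample email are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed organisation data (constructed for this example).
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> address on record

# Phrases typical of malware-free BEC payment requests; tune per organisation.
PAYMENT_TERMS = re.compile(r"\b(wire|transfer|payment|invoice|urgent|confidential)\b", re.I)


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = []
    name = from_name.strip().lower()
    exec_addr = EXECUTIVES.get(name)
    # Display name of a known executive, but not the address on record.
    if exec_addr and from_addr.lower() != exec_addr:
        hits.append("exec_display_name_spoof")
    # Claims an internal identity while sending from an outside domain.
    if name in EXECUTIVES and not from_addr.lower().endswith("@" + COMPANY_DOMAIN):
        hits.append("external_sender_domain")
    # Reply-To steers the finance team's answer away from the visible sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        hits.append("reply_to_mismatch")
    # Two or more distinct payment/urgency terms in the body.
    if len({m.lower() for m in PAYMENT_TERMS.findall(body)}) >= 2:
        hits.append("payment_request_language")
    return hits


# Constructed sample of a malware-free BEC email: no attachment, no link.
SAMPLE = """From: Jane Doe <j.doe@webmail.example>
Reply-To: jdoe-ceo@webmail.example
To: finance@example.com
Subject: Urgent wire transfer

Can you process an urgent wire transfer today for a confidential acquisition?
I will send the invoice shortly. Keep this between us.
"""

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

Any message that trips two or more indicators is a candidate for holding and out-of-band confirmation with the named executive rather than delivery to the finance queue.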

Of the 'London Blue' hit list, 71% of targets held the title CFO, while the remainder were senior members of finance teams including finance directors, controllers and members of accounting. The majority of targets are based in the US, with remaining targets based in a host of nations including Spain, the UK, Finland, and Egypt.

The group itself also operates through an organisational structure resembling that of a generic corporation, with members carrying out specialised functions. These include business intelligence, financial operations, human resources, sales management, email marketing and sales.

First, London Blue members generate leads for potential targets, then carry out open source reconnaissance to fill in any missing information such as email addresses or names.

Test emails are sent to other London Blue members to confirm that the attack emails are delivered before the BEC emails go out to targets, and the mule accounts set up to receive funds share the spoils among the key players in the group.

According to Agari researchers, lead generation also relies on purchases from commercial data providers, with the attackers most recently using one San Francisco-based firm to collect names, companies, titles, and work and personal email addresses.

"This report demonstrates that cybercriminal groups continue to evolve and are using formal business strategies and structure to more effectively carry out their scams," the report continued.

"London Blue's use of legitimate commercial sales prospecting tools shows the out-of-box thinking these groups employ to identify new targets. The pure scale of the group's target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location."
