A hacker group known as “London Blue” has compiled a roster of around 35,000 chief financial officers, some of whom work for the world’s largest financial services companies, as part of an aggressive series of “Business Email Compromise” (BEC) attack campaigns.
The scam, which involves tricking a chief financial officer into making a large transfer to an unknown account, has cost more than 78,000 businesses more than $12 billion (£9 billion) over the past three years, the FBI said in July.
According to security firm Agari, the “London Blue” group, based in Nigeria and the UK with supporters in other countries, is one of the largest and best organized known to date.
Agari noted that the group had compiled a list totaling 50,000 targets, of which 71 percent were chief financial officers and the rest were senior members of finance teams, including finance directors, controllers and members of the accounting department.
Focus on financial services
Most of the attack targets are in the USA, with others in countries including Great Britain, Spain, Finland and Egypt.
The group primarily targets mortgage lenders to steal property purchase monies or rent payments, but the target list also includes executives from the world’s largest banks.
The attacks use social engineering techniques and therefore tend to slip past technical countermeasures, Agari said.
The group has taken the basic techniques of targeted scams known as spear phishing attacks, which rely on detailed knowledge of a target’s relationships to send a fraudulent email, and “turned them into massive BEC campaigns,” Agari said in a report.
The study was launched to coincide with Black Hat Europe, which is taking place in London this week.
“Each attack email requesting a money transfer is customized to look like an order from a company executive,” the report said.
It turns out that London Blue has significantly reduced the amount of time-consuming research typically required for a targeted scam by using commercial lead generation services and collecting the necessary data for thousands of targets at once.
Such commercial services provide data such as names, company, title, business email addresses and personal email addresses.
The group is well organized in other respects as well, operating like a modern company with specialized staff in business intelligence, financial operations, human resources, sales management, email marketing and sales.
Members first generate leads for potential targets before carrying out further research to gather additional information such as email addresses or names.
Agari first encountered London Blue when the group targeted Agari’s chief financial officer with a fraudulent email purporting to come from the company’s chief executive.
The group has 17 potential collaborators in western Europe and the US, Agari found.
Its techniques give it “the attack volume of a bulk spam campaign, but with the targeting of spear phishing attacks.”
After financial services, the group targeted the construction, real estate and healthcare sectors.