Nigeria has been a hub for scammers since long before the Internet came into wide use, and it remains one of the world’s primary centers for active gangs, including many that are focused on BEC. But with London Blue, a Nigerian gang has extended its base of operation into Western Europe, specifically into the United Kingdom, where at least two of the primary London Blue members operate.

Using responsible active defense techniques, the Agari Cyber Intelligence Division (ACID) discovered the London Blue organization and uncovered how it operates. Through extensive research, ACID now understands:

  • How London Blue operates like a modern corporation.
  • How attackers deliver semi-customized attacks on companies of all sizes.
  • Why financial executives are especially susceptible to attacks in their name.

Download your copy of the London Blue Report to learn the tactics behind business email compromise.

Background

BEC Overview

Business email compromise is an advanced email attack that leverages the most common form of identity deception—display name deception—most frequently targeting finance teams to make fraudulent payment requests.

Operational intelligence about BEC targets may be gathered from a variety of open sources such as LinkedIn; however, this report demonstrates that these criminals are also leveraging proprietary marketing services to obtain lists of legitimate business email addresses.

According to the FBI Internet Crime Complaint Center (IC3), BEC is a $12 billion scam. Previous Agari research has demonstrated that BEC is the most popular and most effective email scam—producing 3.97 victims for every 100 initial email responses. With an average payment request of $35,000, BEC is big business for these criminal organizations—and as we will explore in this report, they operate like one too.

BEC attack emails typically contain no malware, thus rendering them invisible to many of the most common email security measures.

Uncovering London Blue

In a move that could be described as felony stupid, London Blue targeted Agari with one of its typical attacks.

Agari CFO Raymond Lim was on a list of 306 target victims London Blue obtained in November 2017. The list, which was generated by a commercial data provider, consisted almost entirely of CFOs, plus other people who had CFO in their title, such as “CEO and CFO” or “Executive Assistant to CFO.”

Initial Discovery of London Blue

In addition to Agari, the list targeted California-based CFO victims at one of the world’s top private universities, a major enterprise data storage company, a famed guitar maker, casinos and hotels, a retirement home, and small and medium-sized businesses of all types.

On August 7, 2018, London Blue sent an attack email to Lim, appearing to come from Agari CEO Ravi Khatod. While the actual sending email account is on the daum.net domain, the display name on the email is Ravi Khatod.
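The lure described above is a textbook case of the display name deception defined in the BEC overview: the display name carries a trusted executive's name while the underlying address sits on an unrelated domain. The following added example (not Agari's code, and not part of the report) shows one way a mail gateway or SIEM rule can flag that mismatch. The executive roster, the corporate domain `example.com` and the sample From headers are all constructed for illustration; the only detail drawn from the report is the CEO's name paired with a daum.net sending account.

```python
"""Flag display-name deception in email From headers.

Added illustration, not Agari's code. The roster, the corporate domain and
the sample headers are constructed for the example; the one detail taken
from the report is an executive's name as display name while the sending
account sits on daum.net.
"""
from email.utils import parseaddr
import unicodedata

# Constructed: executives whose names a BEC lure would borrow, and the
# domain their genuine mail comes from (placeholder, not the real domain).
EXECUTIVE_ROSTER = {"ravi khatod", "raymond lim"}
CORPORATE_DOMAIN = "example.com"


def normalize_name(name: str) -> str:
    """Fold case, strip accents and punctuation so 'Ravi  KHATOD' and
    'Ravi Khatod' compare equal."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in folded)
    return " ".join(cleaned.split()).lower()


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of an addr-spec, or '' if malformed."""
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def is_display_name_deception(from_header: str) -> bool:
    """True when the display name contains a roster executive's name but
    the real sending address is not on the corporate domain.

    parseaddr() returns the angle-bracketed addr-spec, so a display name
    that itself embeds a fake corporate address still yields the external
    sender as the address being checked.
    """
    display, addr = parseaddr(from_header)
    domain = sender_domain(addr)
    if not domain:
        return False
    if domain == CORPORATE_DOMAIN or domain.endswith("." + CORPORATE_DOMAIN):
        return False  # genuine internal mail carries the executive's name legitimately
    padded = f" {normalize_name(display)} "
    return any(f" {name} " in padded for name in EXECUTIVE_ROSTER)


# Constructed sample headers (local parts are invented placeholders).
SAMPLE_FROM_HEADERS = [
    "Ravi Khatod <account123@daum.net>",                        # lure as in the report
    '"Ravi Khatod <ravi@example.com>" <account456@daum.net>',   # name plus fake address in quotes
    "Ravi Khatod <ravi@example.com>",                           # genuine, on corporate domain
    "Accounts Payable <ap@supplier.test>",                      # unrelated external mail
]


def scan(headers):
    """Return the headers that should be held or alerted on."""
    return [h for h in headers if is_display_name_deception(h)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_FROM_HEADERS):
        print("display-name deception:", hit)
```

A roster-based check like this is deliberately narrow: it only fires on names the organization has chosen to protect, which keeps false positives low, and it is typically paired with a first-contact or external-sender banner so that finance staff see the real sending domain rather than just the display name.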

Agari then engaged actively with the attacker, giving us an initial glimpse of the gang that we would widen into a penetrating X-ray.

Agari continued engaging with London Blue to gain more insight into the group and to identify additional mule accounts. By gathering information on mule accounts, Agari is able to advise financial institutions of fraudulent or malicious accounts and help shut them down.

Who is London Blue?

Nigeria has been a hub for scammers since long before the Internet came into wide use. The origin of the “Nigerian Prince” advance fee scam dates back to a similar Spanish prisoner scam in the mid-16th century. Today, Nigeria remains one of the world’s primary centers for active gangs, including many who are focused on BEC. In fact, previous Agari research indicates that 90% of BEC groups operate out of Nigeria.

Based on our research, while the primary members of this group likely originated in Nigeria, at least two of them have extended the group’s base of operations into Western Europe—specifically into the United Kingdom, hence the first part of the group’s name. In addition to these two primary threat actors located in the U.K., we have identified 17 other potential collaborators located in the United States and Western Europe who are primarily involved in moving stolen funds.

In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing—using specific knowledge about a target’s relationships to send a fraudulent email—and turned it into massive BEC campaigns.

Each attack email requesting a money transfer is customized to appear to be an order from a senior executive of the company. Conventional spear-phishing requires time-consuming research to gather the information needed for the attack to succeed—identifying individuals with access to move funds, learning how to contact them, and learning their organizational hierarchies. However, commercial lead-generation services have allowed London Blue to shortcut gathering the necessary data for thousands of target victims at a time.

By combining commercially available tools with criminal tactics, attackers based anywhere in the world are able to deliver semi-customized attacks on companies of all sizes located in countries around the world.
