Operational intelligence about BEC targets may be gathered from a variety of open sources such as LinkedIn; however, this report demonstrates that these criminals are also leveraging proprietary marketing services to obtain lists of legitimate business email addresses.
According to the FBI Internet Crime Complaint Center (IC3), BEC is a $12 billion scam. Previous Agari research has demonstrated that BEC is the most popular and most effective email scam—producing 3.97 victims for every 100 initial email responses. With an average payment request of $35,000, BEC is big business for these criminal organizations—and as we will explore in this report, they operate like one too.
BEC attack emails typically contain no malware, thus rendering them invisible to many of the most common email security measures.
Agari CFO Raymond Lim was on a list of 306 target victims London Blue obtained in November 2017. The list, which was generated by a commercial data provider, consisted almost entirely of CFOs, plus other people who had CFO in their title, such as “CEO and CFO” or “Executive Assistant to CFO.”
In addition to Agari, the list targeted California-based CFO victims at one of the world’s top private universities, a major enterprise data storage company, a famed guitar maker, casinos and hotels, a retirement home, and small and medium-sized businesses of all types.
On August 7, 2018, London Blue sent an attack email to Lim, appearing to come from Agari CEO Ravi Khatod. While the actual sending email account is on the daum.net domain, the display name on the email is Ravi Khatod.
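The message described above is a display-name impersonation: the visible name is the CEO's, but the actual sending account lives on an unrelated domain (daum.net). Because such an email carries no malware, a mail gateway looking only for malicious attachments or links will pass it; a useful control is a header check that compares the From display name against a list of the organization's executives and flags a match whose address is not on the organization's own domain. The following is an added example written for this page, not Agari's code or tooling. It assumes the protected organization's domain is example.com, uses a constructed local part for the daum.net sending account (the report does not give the real one), and embeds two constructed messages, one impersonation and one legitimate, to exercise the check.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed: the organization's own sending domain(s).
PROTECTED_DOMAINS = {"example.com"}

# Assumed: executives most likely to be impersonated, keyed by normalized name.
# Only the CEO named in the report is listed here; a real deployment would load
# this from a directory.
EXECUTIVES = {"Ravi Khatod": "CEO"}


def normalize_name(name):
    """Lower-case, strip commas, and sort tokens so 'Khatod, Ravi' == 'Ravi Khatod'."""
    return " ".join(sorted(name.lower().replace(",", " ").split()))


EXECUTIVE_KEYS = {normalize_name(n): title for n, title in EXECUTIVES.items()}


def domain_of(address):
    """Return the lower-cased domain part of an email address ('' if none)."""
    return address.rpartition("@")[2].lower()


def check_sender(raw_message):
    """Flag display-name impersonation of an executive from an off-domain address.

    Returns a dict with the parsed sender details and a list of reasons; the
    message is 'suspicious' when at least one reason was recorded.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"] or ""))
    sender_domain = domain_of(address)
    reasons = []

    title = EXECUTIVE_KEYS.get(normalize_name(display_name))
    if title and sender_domain not in PROTECTED_DOMAINS:
        reasons.append(
            f"display name '{display_name}' matches the {title} but the "
            f"sending domain is '{sender_domain}', not an organization domain"
        )

    # A Reply-To pointing somewhere other than the sending domain is a second,
    # independent signal that replies are being diverted.
    reply_to = parseaddr(str(msg["Reply-To"] or ""))[1]
    if reply_to and domain_of(reply_to) != sender_domain:
        reasons.append(f"Reply-To '{reply_to}' does not match sending domain")

    return {
        "display_name": display_name,
        "sender_address": address,
        "sender_domain": sender_domain,
        "reasons": reasons,
        "suspicious": bool(reasons),
    }


# Constructed sample of the attack pattern described in the report: CEO display
# name, sending account on daum.net (local part is made up for this example).
SAMPLE_BEC_MESSAGE = """\
From: Ravi Khatod <ceo.office.request@daum.net>
To: cfo@example.com
Subject: Quick request
Date: Tue, 07 Aug 2018 09:14:00 +0000

Are you at your desk? I need a wire processed today, will send details.
"""

# Constructed legitimate message: same display name, organization domain.
SAMPLE_LEGIT_MESSAGE = """\
From: Ravi Khatod <ravi.khatod@example.com>
To: cfo@example.com
Subject: Board deck
Date: Tue, 07 Aug 2018 09:20:00 +0000

Draft attached in the shared folder, comments by Friday please.
"""


if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC_MESSAGE), ("legit", SAMPLE_LEGIT_MESSAGE)):
        result = check_sender(sample)
        print(label, "suspicious" if result["suspicious"] else "clean", result["reasons"])
```

The check deliberately keys on the display name rather than the address, because in this campaign the address is the only part that reveals the fraud and the display name is what a recipient reading on a phone actually sees. Pairing it with enforced DMARC on the organization's own domain closes the other common variant, where the attacker forges the organization's domain outright.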
Agari then engaged actively with the attacker, giving us an initial glimpse of the gang that we would widen into a penetrating X-ray.
Agari continued engaging with London Blue to gain more insight into the group and identify additional mule accounts. By gathering information on mule accounts, Agari is able to advise financial services of fraudulent or malicious accounts to help shut them down.
Nigeria has been a hub for scammers since long before the Internet came into wide use. The origin of the “Nigerian Prince” advance fee scam dates back to a similar Spanish prisoner scam in the mid-16th century. Today, Nigeria remains one of the world’s primary centers for active gangs, including many who are focused on BEC. In fact, previous Agari research indicates that 90% of BEC groups operate out of Nigeria.
Based on our research, while the primary members of this group likely originated in Nigeria, at least two of them have extended the group’s base operations into Western Europe—specifically into the United Kingdom, hence the first part of the group’s name. In addition to these two primary threat actors located in the U.K., we have identified 17 other potential collaborators located in the United States and Western Europe who are primarily involved in moving stolen funds.
In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing—using specific knowledge about a target’s relationships to send a fraudulent email—and turned it into massive BEC campaigns.
Each attack email requesting a money transfer is customized to appear to be an order from a senior executive of the company. Conventional spear-phishing requires time-consuming research to gather the information needed for the attack to be successful—identifying individuals with access to move funds, learning how to contact them, and learning their organizational hierarchies. However, commercial lead-generation services have allowed London Blue to shortcut gathering the necessary data for thousands of target victims at a time.
By combining commercially available tools with criminal tactics, attackers based anywhere in the world are able to deliver semi-customized attacks on companies of all sizes located in countries around the world.