Beginning around 2011, the group was heavily involved in Craigslist scams. These scams involved contacting sellers in the United States inquiring about whether an item for sale was still available. Here’s how these scams usually worked:
London Blue then transitioned to credential phishing attacks, primarily impersonating login pages that enterprise users see every day, such as Adobe ID, Dropbox, and Microsoft Office 365. This transition occurred around 2015, when the global surge of BEC attacks was just beginning. Given that timing, it is likely that the purpose of London Blue's credential phishing campaigns was to compromise business email accounts and then use them to send BEC emails to other employees.
Example of a London Blue credential phishing email lure.
Example of a London Blue Adobe credential phishing page.
Once a scammer gets hold of an employee's email credentials, they can surreptitiously take over the email account and use it for a wide variety of malicious purposes. As an example, the real estate industry has been a prime target of these attacks. A scammer gets into the mailbox of a real estate or title agent and monitors pending sales or lease signings. As the closing date approaches and payment is about to be made, the scammer emails the buyer or lessee with account details for a fraudulent wire transfer. The email appears entirely legitimate, and passes any sender-authentication checks, because it is sent from the agent's genuine account rather than a spoofed one. Once the transfer is made, the money is gone. We call this scam the homeless homebuyer.
Any company that sends invoices is exposed to the same attack. From the compromised mailbox, invoices can be sent to real customers for goods they actually purchased, on invoice forms identical to the legitimate ones, with instructions to remit payment to a scammer-controlled account. For companies that routinely send or pay invoices worth tens of thousands of dollars, it can be many weeks or even months before they realize they have been duped.
Obtaining login credentials to a corporate network makes all kinds of attacks easier: early access to earnings reports of public companies, W-2 scams enabled by access to employee salary data, and ransomware.
In early 2016, London Blue evolved their tactics and began sending BEC emails to employees using display name deception. With this tactic, the group registers free webmail accounts and sets the display name (the apparent name of the sender) to match the person being impersonated, typically an executive, while the actual sending address remains an unrelated webmail account. This has remained the group's preferred modus operandi to the present day.
Example of a London Blue BEC phishing email.
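The display name deception described above is cheap to spot at the mail gateway when you know whose names are worth protecting. The following is an added example, not code from the original report or from any vendor product: it parses the From header of inbound messages, normalizes the display name (handling "Last, First" ordering and a fake address smuggled into the display field), looks it up in a constructed executive roster, and flags the message when the name matches but the sending address is not on a company-controlled domain. The domains, roster and sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed assumptions for the example: the organisation's own sending
# domains and the executives whose names a BEC message would borrow.
COMPANY_DOMAINS = {"example.com", "mail.example.com"}
PROTECTED_NAMES = {"jane doe": "CEO", "john roe": "CFO"}
# Free webmail providers of the kind the text says the group registers.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def normalize_name(display: str) -> str:
    """Reduce a display name to lower-case letters so roster lookups survive
    punctuation, 'Last, First' ordering and a fake address smuggled into the
    display field, e.g. '"Jane Doe <jane@example.com>" <x@gmail.com>'."""
    display = re.sub(r"<[^>]*>|\S+@\S+", " ", display)
    if "," in display:
        last, first = display.split(",", 1)
        display = f"{first} {last}"
    letters = re.sub(r"[^a-z ]+", " ", display.lower())
    return " ".join(letters.split())


def classify_from(header: str) -> dict:
    """Verdict for one From header: flagged only when the display name is a
    protected executive AND the address is not on a company domain."""
    display, address = parseaddr(header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    role = PROTECTED_NAMES.get(normalize_name(display))
    verdict = {"display": display, "address": address, "role": role, "flag": None}
    if role is None or domain in COMPANY_DOMAINS:
        # Unknown name, or a genuine internal sender. Trusting the company
        # domain here assumes SPF/DKIM/DMARC enforcement keeps it unspoofable.
        return verdict
    if domain in FREE_WEBMAIL:
        verdict["flag"] = "display-name deception (free webmail)"
    else:
        verdict["flag"] = "display-name deception (external domain)"
    return verdict


def scan(raw_messages):
    """Run classify_from over raw RFC 5322 messages and return the verdicts."""
    results = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        verdict = classify_from(msg.get("From", ""))
        verdict["subject"] = msg.get("Subject", "")
        results.append(verdict)
    return results


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Board deck\n\nAttached.\n",
    "From: Jane Doe <jane.doe.ceo2016@gmail.com>\nSubject: Are you at your desk?\n\n"
    "Need a quick favour, reply ASAP.\n",
    'From: "John Roe <john.roe@example.com>" <accounts.payable.jr@outlook.com>\n'
    "Subject: Wire today\n\nPlease process the attached invoice.\n",
    "From: Vendor Support <support@vendor-example.net>\nSubject: Ticket update\n\nResolved.\n",
]

if __name__ == "__main__":
    for v in scan(SAMPLE_MESSAGES):
        status = v["flag"] or "ok"
        print(f"{status:45} {v['display']!r} <{v['address']}>  {v['subject']}")
```

The check deliberately does nothing when the address is on a company domain, which is only safe if those domains are locked down with DMARC enforcement; otherwise a spoofed envelope would sail through. The third sample shows why the display name has to be scrubbed before comparison: the attacker embeds a plausible internal address inside the display field so that clients which render only the name show a convincing sender.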