Nigeria has been a hub for scammers since long before the Internet came into wide use, and it remains one of the world’s primary centers for active gangs, including many that are focused on BEC. But with London Blue, a Nigerian gang has extended its base of operation into Western Europe, specifically into the United Kingdom, where at least two of the primary London Blue members operate.

Using responsible active defense techniques, the Agari Cyber Intelligence Division (ACID) discovered the London Blue organization and uncovered how it operates. Through extensive research, ACID now understands:

  • How London Blue operates like a modern corporation.
  • How attackers deliver semi-customized attacks on companies of all sizes.
  • Why financial executives are especially susceptible to attacks in their name.

Download your copy of the London Blue Report to learn the tactics behind business email compromise.

Evolution of London Blue’s Attack Methodology

Based on our historical visibility into London Blue, we have been able to observe an evolution in the group’s scamming methodology over time.

2011: Craigslist Scams

Beginning around 2011, the group was heavily involved in Craigslist scams. These scams involved contacting sellers in the United States inquiring about whether an item for sale was still available. Here’s how these scams usually worked:

  • If a seller responds, the London Blue actor tells them that they can pay for the item with a certified check, but they won’t be able to pick the item up and will need to use a local “mover.”
  • To pay for the mover, the threat actor writes the check for well over the price of the item and asks the seller to send the difference to the “mover” via Western Union.
  • A US-based accomplice sends a check to the seller through FedEx or UPS.
  • These certified checks are high-quality counterfeits; however, they’re generally not caught by the seller’s bank immediately, so the victim sends the money to the “mover.”

2015: Credential Phishing

London Blue then transitioned to credential phishing attacks, primarily focused on impersonating web pages used by enterprise users, such as Adobe ID, Dropbox, and Microsoft Office 365. This transition occurred around 2015, when the global surge of BEC attacks was just beginning. Based on the temporal context, it is likely that the purpose of London Blue’s credential phishing campaigns was to compromise business email accounts in order to send BEC emails to other employees.

Example of a London Blue credential phishing email lure.

Example of a London Blue Adobe credential phishing page.

Once a scammer gets hold of an employee’s email credentials, he can surreptitiously take over the email account and use it for a wide variety of malicious purposes. As an example, the real estate industry has been a prime target of these attacks. A scammer gets into the email of real estate or title agents, and monitors pending real estate sales or lease signings. As the closing date approaches and the payment is about to be made, the scammer sends an email to the buyer or lessor providing an account number for a fraudulent wire transfer. The email appears totally legitimate since it is sent from the actual email account of the real estate or title agent. Once the transfer is made, the money is gone—we call this scam the homeless homebuyer.

Any company that sends invoices is vulnerable to these attacks. Invoices can be sent to actual customers for goods they purchased, using invoice forms identical to the real ones, with instructions to transfer payment to a scammer-controlled account. For companies routinely sending or paying invoices for tens of thousands of dollars, it can be many weeks or even months before they realize they’ve been duped.

Obtaining log-in credentials to a corporate network makes all kinds of attacks easier: early access to earnings reports for public companies, W-2 scams enabled by access to employee salary data, and ransomware.

2016: Business Email Compromise

In early 2016, London Blue evolved its tactics and began sending BEC emails to employees using display name deception. With this tactic, the group registers free webmail accounts and sets the display name (the apparent name of the sender) to match the person being impersonated. This has remained the group’s preferred modus operandi through to the present day.

Example of a London Blue BEC phishing email.
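The display name deception described above is detectable at the mail gateway, because the deceptive part (the display name) and the honest part (the actual sender address) sit side by side in the same From header. The following script is an added illustration, not Agari's code or anything from the report: it parses the From header of each message, checks whether the display name matches a protected identity (an executive likely to be impersonated), and flags the message when the sending domain is a free webmail provider or otherwise external. The protected names, internal domains, webmail list, and sample messages are all constructed for the example, and it assumes that mail claiming an internal domain has already passed the organization's own sender authentication.

```python
"""Flag display-name deception: a trusted person's name on a From header
whose address does not belong to the organization."""
import re
from email import message_from_string
from email.utils import parseaddr

# People whose identity is worth protecting from impersonation (constructed list).
PROTECTED_NAMES = {"jane doe", "john smith"}

# The organization's own sending domains (constructed; assumed already authenticated
# upstream by SPF/DKIM/DMARC checks, so a match here is treated as genuine).
INTERNAL_DOMAINS = {"example.com"}

# Free webmail providers commonly used for throwaway accounts (constructed list).
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}


def name_tokens(display_name):
    """Lowercase word tokens of a display name, so 'Doe, Jane' and 'Jane Doe' compare equal."""
    return set(re.findall(r"[a-z]+", display_name.lower()))


def classify_from_header(raw_message):
    """Return a verdict dict for one raw RFC 5322 message string."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    tokens = name_tokens(display_name)

    # Does the display name contain all the words of a protected person's name?
    impersonated = next((n for n in PROTECTED_NAMES if set(n.split()) <= tokens), None)
    if impersonated is None:
        return {"verdict": "clean", "reason": "display name matches no protected identity"}

    if domain in INTERNAL_DOMAINS:
        return {"verdict": "clean", "reason": "protected name sent from an internal domain"}

    reason = "free webmail domain" if domain in FREE_WEBMAIL else "external domain"
    return {
        "verdict": "suspect",
        "impersonated": impersonated,
        "display_name": display_name,
        "address": address,
        "reason": reason,
    }


def scan_messages(messages):
    """Return only the suspect verdicts for a batch of raw messages."""
    return [v for v in (classify_from_header(m) for m in messages) if v["verdict"] == "suspect"]


# Constructed sample messages: one genuine internal mail, two display-name deceptions
# from free webmail accounts, and one unrelated external sender.
SAMPLE_MESSAGES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Jane Doe <jane.doe.ceo2018@gmail.com>\nSubject: Urgent wire\n\nAre you at your desk?\n",
    'From: "Doe, Jane" <janedoe.office@yahoo.com>\nSubject: Quick request\n\nNeed this done today.\n',
    "From: Vendor Billing <billing@vendor-example.net>\nSubject: Invoice 1042\n\nAttached.\n",
]

if __name__ == "__main__":
    for verdict in scan_messages(SAMPLE_MESSAGES):
        print(f"SUSPECT: '{verdict['display_name']}' <{verdict['address']}> "
              f"impersonates {verdict['impersonated']} ({verdict['reason']})")
```

Matching on the set of name words rather than the exact string is deliberate: the deceptive display name is often reordered ("Doe, Jane"), padded with a title, or otherwise varied, while the protected name's words are still all present. A real deployment would feed the verdict into a warning banner or a quarantine rule rather than a print statement, and would keep the protected list in sync with the directory.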

 
