London Blue operates like a modern corporation. Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving, and extracting the funds), and human resources (recruiting and managing money mules).
During our research, we identified a file containing a list of more than 50,000 finance executives that was generated over a five month period in early 2018. This list was likely used by London Blue as a massive targeting repository for their BEC attacks. Among them, 71 percent held a CFO title, 12 percent were finance directors or managers, nine percent were controllers, six percent held accounting roles, and two percent had executive assistant titles.
Criminal Targeting Database – 50,000 Finance Executives
Criminal Targeting Database – Countries Targeted
Well over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the United States. Other countries commonly targeted by London Blue were Spain, the United Kingdom, Finland, the Netherlands, and Mexico. In total, potential targets in 82 different countries were identified in London Blue’s target repository.
Like a business, London Blue uses commercial data providers to identify potential targets of their BEC campaigns. Most recently, the group has relied on a San Francisco-based company to generate “leads.” Using this service, London Blue is able to collect comprehensive information about targets, including name, company, title, work email address, and personal email address. All of the potential targets London Blue collects information on have financial roles in their respective companies.
These leads are collated and shared among various members of the group. Notably, much like a sales department targets prospects in specific regions, London Blue focuses on specific states or countries during each of their lead generation runs. Out of the more than 60 distinct lead lists we have identified, more than half of them are finely crafted to collect data on financial targets in nine different U.S. states and seven countries.
Essentially, this data gives the group the initial information needed to start preparing for their phishing campaigns. After collecting this information, the group then likely conducts further open source research to identify the names of CEOs affiliated with the companies they will be impersonating for their BEC attacks.
London Blue sends attack emails in multiple languages, usually variants on the same message: a fraudulent email from the CEO or CFO asking a lower-level staff member to make an urgent transfer.
This is an attempted scam of a Belgian property development company. The email, purporting to be from the company’s managing director, is sent to a finance staff member. It says, “We have to make a transfer today. Let me know if you can process now and I will send info.”
This is an attempted scam of a large property management company based in Stockholm. The email, purporting to be from the company’s CEO, is sent to a finance team member, and says, “We need to send a payment of € 23 650 to England today. Let me know if you can process now and I will send info.”
This attack makes the use of display name deception since email platforms and software allow senders to use anything they want as a display name. Email readers or services often show only the display name but not the underlying email address.
Over the course of our research, we identified 17 individuals being used by London Blue as money mules located in the United States and Western Europe. These money mules are used by the group to receive and move illicit funds gained during their scams.
Notably, at least three of the 17 money mules have criminal records. Two have prior felony convictions for sex-related crimes. The increased difficulty that convicted felons face in finding legitimate jobs—and convicted sex offenders likely face an even greater challenge—may be correlated with the willingness of these individuals to participate in these scams.
One of the transactions we observed involved a money mule in a Western state who received a cashier’s check of more than $20,000 from one of the largest U.S. banks. The transaction had originally been flagged by a local branch of the bank as being potentially fraudulent. But the money mule, a registered sex offender with a lengthy criminal record and experience in the mortgage industry, was able to convince the bank’s loss prevention unit that the transaction was legitimate. The check was then cashed and deposited into another account, presumably to be accessed by the primary London Blue actors.