Prolific business email compromise group London Blue has been spotted in a recent campaign that demonstrates the group’s evolved tactics and improved targeting via an updated database.
London Blue has been around since 2011 – but researchers spotted the business email compromise (BEC) group again in January in a fresh campaign, now using new tactics, including trickier, less traditional scams in their emails and spoofing target domains; as well as focusing on new targets in Asia.
“London Blue’s use of legitimate commercial sales prospecting tools shows the out-of-box thinking these groups employ to identify new targets,” researchers with Agari said in a Thursday report. “The pure scale of the group’s target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location.”
London Blue, a Nigerian group with collaborators in the U.S., the U.K. and elsewhere, has been active since at least 2011, researchers said.
In tracking the group since 2011, researchers saw that it rapidly evolved its tactics from the start, “moving from Craigslist scams to enterprise credential phishing to BEC as they matured into a criminal enterprise that is structured and operates much like a modern corporation.”
“With London Blue, a Nigerian gang has extended its base of operation into Western Europe, specifically into the United Kingdom, where at least two of the primary London Blue members operate,” Researchers said. “We have also identified 17 additional collaborators located in the United States and Western Europe who are primarily involved in moving stolen funds.”
The group also touts a master targeting database containing the contact information of more than 50,000 financial executives, collected over a five-month span in early 2018. Researchers predict that previous scams have caused damage worth hundreds of thousands of dollars.
The BEC group specifically targeted Agari CFO Raymond Lim in August 2018 with a scam email. Then, in January 2019, the group targeted Agari’s CFO again. In this most recent email, researchers noted striking differences that indicate that the group has continued evolving its techniques.
London Blue is using new tactics and techniques, starting with the emails themselves it sends to victims.
In its previous August 2018 BEC targeting of Agari, London Blue used a more common BEC ruse, claiming a payment is due to a vendor and a wire transfer needs to be processed as soon as possible, researchers said. In the January campaign, however, the group switched tactics and used a mergers and acquisitions theme.
“After a generic initial email meant to elicit a response, the London Blue attacker stated that an international vendor accepted an offer for acquisition and, based on the terms of the agreement, 30 percent of the purchase price needs to be paid in advance via wire transfer to a Mexican bank,” researchers said. “Of course, until the ‘acquisition’ has been announced publicly, details about the news were not to be shared with anyone else.”
In another switch, London Blue also began spoofing target domains. Domain spoofing attacks capitalize on impersonating the URL of well-known brands or people – in London Blue’s case, executives in target companies.
The group had consistently used a tactic since 2016 that entailed using a free and temporary email account with an imposter display name to send their BEC emails. However in 2019, researchers discovered the group had started spoofing the email address of the target company’s CEO as a way to add a bit more authenticity to their malicious attacks – adding an air of authenticity to the attacks.
Since November 2018, the group has amassed a new targeting database of nearly 8,500 financial executives from almost 7,800 different companies around the world. Similar to their previous targeting dataset amassed earlier in 2018, many of the group’s targets are located in the United States.
However, over the past five months the BEC group has now seemed to shift its targeting to Asia, an area researcher said they have not seen the group target previously.
“In February, London Blue collected contact information for and launched BEC campaigns against targets in Hong Kong and Singapore,” researchers said. “In March, the group targeted employees located in Malaysia with BEC attacks.”
Business email compromise campaigns are nothing new – the scams are popular because they involve little to no technical knowledge, malware, or special tools for cyber criminals. Despite that, BEC scams are becoming costlier to impacted victims – a recent report predicts that BEC attacks will result in over $9 billion in losses in 2018, up from $5.3 billion at the end of 2016.
BEC groups like London Blue, Scarlet Widow are more are continuing to hone their techniques and targets to tap into this lucrative profit, researchers said.
“This report demonstrates that cybercriminal groups continue to evolve and are using formal business strategies and structure to more effectively carry out their scams,” they said.