In December, we published a report on a business email compromise (BEC) group of cybercriminals we call London Blue. In that report, we documented how this group, which has roots in the United Kingdom, evolved its tactics over time, from Craigslist scams to enterprise credential phishing to BEC, as it matured into a criminal enterprise that is structured and operates much like a modern corporation. We also discussed how the group uses legitimate commercial services to mass-harvest target data for its phishing campaigns, including a master targeting database containing the contact information of more than 50,000 financial executives. That list was collected over a five-month span in early 2018.
Since the release of our previous report, we have continued to track London Blue’s activities in real time. This report provides an update on how the group has continued to evolve over the last few months, including how they have started targeting new parts of the world and how they are now using new tactics in their BEC campaigns.
In our last report, we mentioned that we started investigating London Blue after they targeted Agari CFO Raymond Lim in August 2018. In January, the group made the decision to try their hand at targeting our CFO… again. This time, though, we knew the malicious email was coming. Because of our visibility into London Blue’s operations, we were able to observe the entire lifecycle of the group’s attack chain, from preparation to execution.
Here’s what the lifecycle of London Blue’s BEC attempt against Raymond looked like:
In the August 2018 BEC attempt, London Blue used one of the more common BEC ruses, claiming a payment is due to a vendor and a wire transfer needs to be processed ASAP. In the January campaign, however, the group switched tactics and used a mergers and acquisitions theme.
After a generic initial email meant to elicit a response, the London Blue attacker stated that an international vendor had accepted an offer for acquisition and that, under the terms of the agreement, 30 percent of the purchase price needed to be paid in advance via wire transfer to a Mexican bank. Of course, until the “acquisition” was announced publicly, details about the news were not to be shared with anyone else.
Our initial engagement with London Blue during this latest campaign is shown below: