The Agari Cyber Intelligence Division first uncovered UK-based cybercriminal gang London Blue in December 2018. Since that time, the group has targeted 8,500 additional finance executives with new techniques.

Download the April 2019 update to the original report to learn:

  • How London Blue targeted Agari again
  • Which regions the group is focusing on, and
  • How these cybercriminals have made their attacks more sophisticated in recent months

In December, we published a report on a business email compromise (BEC) group of cybercriminals we call London Blue. In this report, we documented how this group, which has roots in the United Kingdom, evolved its tactics over time, from Craigslist scams to enterprise credential phishing to BEC as they matured into a criminal enterprise that is structured and operates much like a modern corporation. We also discussed how the group uses legitimate commercial services to mass harvest target data for their phishing campaigns, which included a master targeting database containing the contact information of more than 50,000 financial executives. That list was collected over a five-month span in early 2018.

Since the release of our previous report, we have continued to track London Blue’s activities in real time. This report provides an update on how the group has continued to evolve over the last few months, including how they have started targeting new parts of the world and how they are now using new tactics in their BEC campaigns.

How Not to Stay Under the Radar

In our last report, we mentioned that we started investigating London Blue after they targeted Agari CFO Raymond Lim in August 2018. In January, the group made the decision to try their hand at targeting our CFO… again. This time, though, we knew the malicious email was coming. Because of our visibility into London Blue’s operations, we were able to observe the entire lifecycle of the group’s attack chain, from preparation to execution.

Targeting a Cybersecurity Company

Here’s what the lifecycle of London Blue’s BEC attempt against Raymond looked like:

  • January 11, 2019: Raymond’s contact information, in addition to information for more than 500 other financial executives, was collected by one of the primary London Blue actors using a commercial US-based lead service in the initial preparation stage for BEC campaigns targeting California-based companies.
  • January 13, 2019: A CSV file containing the raw leads for these identified targets was sent to another London Blue associate for processing. Processing involves organizing and validating the targeting data and supplementing it with open source intelligence to identify a company’s CEO, who is then impersonated during the attack.
  • January 22, 2019: The associate sent a batch of processed leads back to the primary actor, which contained Raymond’s validated email address and the name of Agari’s CEO at the time. This was the second of two batches of processed leads. The first was returned to the primary actor on January 16, 2019.
  • January 28, 2019: In preparation for a round of BEC attacks, a test email was sent from an attack email account to one of the group’s central operational email addresses. This test email is likely used to verify that a BEC email will successfully be delivered to a target without being blocked. All BEC groups we have tracked have used similar testing methods prior to launching their campaigns.
  • January 28, 2019: Three and a half hours after the initial test email, London Blue’s attack email was sent to Raymond, but was blocked by Agari Advanced Threat Protection before it reached the inbox.

In the August 2018 BEC attempt, London Blue used one of the more common BEC ruses, claiming a payment is due to a vendor and a wire transfer needs to be processed ASAP. In the January campaign, however, the group switched tactics and used a mergers and acquisitions theme.

After a generic initial email meant to elicit a response, the London Blue attacker stated that an international vendor accepted an offer for acquisition and, based on the terms of the agreement, 30 percent of the purchase price needs to be paid in advance via wire transfer to a Mexican bank. Of course, until the “acquisition” has been announced publicly, details about the news were not to be shared with anyone else.

Our initial engagement with London Blue during this latest campaign is shown below:
