Nigeria has been a hub for scammers since long before the Internet came into wide use, and it remains one of the world’s primary centers for active gangs, including many that are focused on BEC. But with London Blue, a Nigerian gang has extended its base of operation into Western Europe, specifically into the United Kingdom, where at least two of the primary London Blue members operate.

Using responsible active defense techniques, the Agari Cyber Intelligence Division (ACID) discovered the London Blue organization and uncovered how it operates. Through extensive research, ACID now understands:

  • How London Blue operates like a modern corporation.
  • How attackers deliver semi-customized attacks on companies of all sizes.
  • Why financial executives are especially susceptible to attacks in their name.

Download your copy of the London Blue Report to learn the tactics behind business email compromise.

Executive Summary

Agari has uncovered the working methods of a U.K./Nigerian gang with U.S.-based co-conspirators conducting Business Email Compromise (BEC) attacks against companies around the world.


With London Blue, however, a Nigerian gang has extended its base of operation into Western Europe, specifically into the United Kingdom, where at least two of the primary London Blue members operate. We have also identified 17 additional collaborators located in the United States and Western Europe who are primarily involved in moving stolen funds.

London Blue operates like a modern corporation. Its members carry out specialized functions including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules).

London Blue’s effectiveness depends on working with commercial data brokers to assemble lists of target victims around the world. Doing so gives it the attack volume of a mass spam campaign combined with the target-specific customization of spear-phishing attacks. By combining commercially available tools with criminal tactics, the attackers are able to deliver semi-customized attacks on companies of all sizes in countries around the world.

During our research into London Blue, we identified a list of more than 50,000 corporate officials generated during a five-month period in early 2018 and used to prepare for future BEC phishing campaigns. Among them, 71 percent were CFOs, 2 percent were executive assistants, and the remainder were other finance leaders.

Targets included companies in a very broad range of sectors, from small businesses to the largest multinational corporations. Several of the world’s biggest banks each had dozens of executives listed. The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments. The attack emails typically contain no malware, thus rendering them invisible to many of the most common email security measures.

Well over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the United States. Other countries commonly targeted included Spain, the United Kingdom, Finland, the Netherlands, and Mexico. In total, potential targets in 82 different countries were identified in London Blue’s target repository.

Like other BEC gangs, London Blue moved into BEC attacks after previously focusing on other fraud, such as credential phishing and Craigslist scams.
