‘London Blue’ Fraud Group Targets Financial Services Industry

Matthew Broersma,
london finance stock exchange gherkin © QQ7 Shutterstock city

The group is carrying out targeted financial scams on a large scale, with a hit list of 35,000 chief financial officers in the UK, the US and elsewhere

A hacking group called “London Blue” has gathered a list of some 35,000 chief financial officers,  some of whom work for the world’s largest financial services firms, as part of an aggressive string of “business email compromise” (BEC) attack campaigns.

The scam, which involves rushing a chief financial officer into making a large transfer to an unknown account, has cost more than 78,000 companies more than $12 billion (£9bn) over the past three years, the FBI said in July.

The “London Blue” group, based in Nigeria and the UK, with supporters in other countries, is one of the largest best-organised known to date, according to security firm Agari.

Agari determined that the group had compiled a list of a total of 50,000 targets, with 71 percent being chief financial officers and the rest senior members of finance teams, including finance directors, controllers and members of accounting.

london stock exchange shares finance money © Bikeworldtravel ShutterstockFinancial services targeted

Most targets are in the US, with the UK, Spain, Finland and Egypt amongst the other countries targeted.

The group is mainly targeting mortgage companies in order to steal real estate purchase funds or lease payments, but the target list also includes executives at the world’s largest banks.

The attacks involved use social engineering techniques and as such tend to slip past technical countermeasures, Agari said.

The group has taken the basic techniques of targeted scams, known as spear phishing attacks, relying on detailed knowledge about a target’s relationships to send a fraudulent email, and “turned it into massive BEC campaigns”, Agari said in a report.

The study was launched to coincide with Black Hat Europe, taking place in London this week.

“Each attack email requesting a money transfer is customised to appear to be an order from a senior executive of the company,” the report said.

It found that London Blue has greatly reduced the amount of time-consuming research that normally goes into a targeted scam by using commercial lead-generation services and gather the necessary data for thousands of targets at a time.

Corporate structure

Such commercial firms supply data such as names, company, titles, work email and personal email addresses.

The group is well-organised in other ways as well, operating like a modern corporation, with specialised staff for business intelligence, financial operations, human resources, sales management, email marketing and sales.

Members first generate leads for potential targets before carrying out reconnaissance to gather additional information such as email addresses or names.

Agari first encountered London Blue when the group targeted Agari’s own chief financial officer, in a scam email supposedly sent by the company’s chief executive.

The group has 17 possible collaborators in Western Europe and the US, Agari found.

Its techniques give it “the attack volume of a mass spam campaign, but with the target-specific customisation of spear-phishing attacks”.

After financial services, the group targeted the construction, real estate and healthcare industries.