A UK/Nigerian cybergang with US-based co-conspirators has obtained a list of more than 50,000 corporate officials to be targeted in future Business Email Compromise (BEC) phishing campaigns.
The list was generated during a five-month period in early 2018 and of the list, 71 percent were CFOs, two percent were executive assistants and the remainder were other finance leaders from small businesses to the largest multinational corporations, according to Agari’s London Blue report.
Researchers noted that in many cases the threat group had amassed the information of dozens of executives from some of the world’s largest banks and had singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments.
"Well over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the United States," the report said. "Other countries commonly targeted included Spain, the United Kingdom, Finland, the Netherlands and Mexico."
Targets from 82 countries, in total were listed in the cybergang’s directory with more than half in the US, with others in the UK, Spain, Finland, the Netherlands and Mexico.
Researchers learned of the groups malicious dealings when the cyber-criminals foolishly targeted the cyber-security firm in one of its attacks.
"On 7 August, 2018, London Blue sent an attack email to Lim, appearing to come from Agari CEO Ravi Khatod," researchers said in the report. "While the actual sending email account is on the daum.net domain, the display name on the email is Ravi Khatod. Agari then engaged actively with the attacker."
Researchers requested wire transfer numbers and were able to fish out mule accounts and advise the financial institutions of fraudulent and malicious accounts to help shut them down.
The threat groups works with commercial data brokers to assemble lists of target victims around the world which enable them to carry out massive spam campaigns while also allowing them to carry out targeted customisation of spear-phishing attacks.
In 2011 the group was heavily involved in Craigslist scams that involved sending high-quality counterfeit checks, by 2015 the gang had upgraded to credential phishing attacks, and by 2016 the gang was carrying out the BEC attacks.
Although the group is based in Nigeria, researchers noted it has operations within 17 potential collaborators in Western Europe and the US.
Corin Imai, senior security adviser at DomainTools, said the revelation of the group’s actions should be a serious concern to businesses.
"BEC fraud can have devastating consequences for the organisation targeted; the amounts of money involved more than often outweigh those associated with the more general phishing scams, which cast a wide net in the hopes of securing multiple payments," Imai said. "These scams prey on the high-pressure environments of large corporations, hoping that those responsible for transferring funds will be more concerned with completing the task quickly than by making sure it is an authentic request."
Imai went on to say CFOs should make efforts to verify any requests that they find unusual and that taking slightly longer to make a transfer is significantly better than unwittingly helping to facilitate a fraudulent transaction.
Javvad Malik, security advocate at AlienVault added these attacks shouldn’t be a surprise to the c-suite and other executives.
"Therefore, educating and making execs aware of these scams is the first step in nipping the problem in the bud," Malik said. "Additional measures can be taken whereby double authorisation is needed to setup a new recipient or to send large payments."
Experts agree, Tim Sadler, co-founder and CEO at Tessian said the attacks highlight that high profile and C-level employees of financial institutions are becoming increasingly popular targets of BEC scams because they have access to lucrative data and have the power to authorise high-value money transfers.
"It is clear that no employee, regardless of seniority, is safe from the threat of spear-phishing," Sadler said. "As long as a willing attacker can gain access to the requisite information, and email networks remain open and unprotected, they can effectively masquerade as an employee in order to exploit those that have the power to manage and release company funds."
Sadler added that with access to global contact lists and a deftness for strong-form impersonation methods, London Blue has the resources and know-how to extract money at a great scale.
This article was originally published on SC Media US.