A group of London-based Nigerian cyber-criminals known as London Blue that has been targeting thousands of CFOs at firms based in the US, the UK, Spain, the Netherlands, Finland and Mexico with spear-phishing attacks has started spoofing e-mail addresses of CEOs of target companies to make its BEC emails appear more legitimate and persuasive.
In December last year, security firm Agari detailed the arrival of a hacker group called London Blue that used various phishing tactics to target more than 50,000 corporate officials, more than half of whom were located in the United States, with the others located in the United Kingdom, Finland, Spain, the Netherlands, and Mexico.
London Blue's operations involved a well-planned approach to con finance executives and CFOs into transferring money to their accounts or to share sensitive company information. The group's members carried out specialised functions such as generating leads, assigning leads to members, composing and sending customised BEC attack emails, receiving, moving and extracting funds, and recruiting and managing money mules.
"During our research into London Blue, we identified a list of more than 50,000 corporate officials generated during a five-month period in early 2018 and used to prepare for future BEC phishing campaigns. Among them, 71 percent were CFOs, two percent were executive assistants, and the remainder were other finance leaders," Agari said.
London Blue also targeted organisations of various sizes and across sectors to maximise its reach and profitability. Its targets included executives at the world's biggest banks and the world's largest multinational corporations as well as small businesses.
Recently, the security firm observed that in addition to targeting well over 50,000 finance executives across organisations in various countries, London Blue has created a fresh database of nearly 8,500 financial executives from almost 7,800 different companies around the world whom the group intends to target with BEC attacks in the coming days.
While the group selectively targeted organisations located in the United States or in Western Europe in the past, the group has now started targeting a large number of organisations in Asia, particularly in financial centres such as Hong Kong, Singapore, and Malaysia. Notably, most of the organisations that are now being targeted have their headquarters in the United States, Western Europe, and Australia.
Agari also observed that in order to make their phishing emails appear more genuine and legitimate, London Blue hackers are now spoofing the email addresses of CEOs of targeted companies instead of using free and temporary email accounts with imposter display names. However, spoofing CEOs' email addresses is not a new tactic: it has been used frequently in the past by fraudsters to pressure employees into wiring money or revealing company secrets.
A major reason why hackers belonging to the cyber-crime group are resorting to impersonation scams is that most of the companies the group targets with spoofing techniques do not have a DMARC record established. Even among the few that do have DMARC records set up, a majority have set their policy to p=none, which only requests reports and does nothing to prevent a spoofed email from reaching its intended target.
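The p=none gap described above is easy to check on your own domains. The following is an added example (not from the article or from Agari) that parses a domain's DMARC TXT record and classifies whether a spoofed exact-domain From: address would actually be quarantined or rejected by a DMARC-aware receiver; the records below are constructed samples for made-up domains, standing in for the result of a `_dmarc.<domain>` TXT lookup.

```python
# Constructed sample DMARC TXT records for made-up domains (not real lookups).
SAMPLE_RECORDS = {
    "example-none.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-none.test",
    "example-quarantine.test": "v=DMARC1; p=quarantine; pct=50; rua=mailto:dmarc@example-quarantine.test",
    "example-reject.test": "v=DMARC1; p=reject; sp=none; aspf=s; adkim=s",
    "example-missing.test": None,        # no _dmarc TXT record published at all
    "example-invalid.test": "p=reject",  # no v=DMARC1 tag, so receivers ignore it
}

def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if it is not a usable DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 first and a p= tag; without them the record is ignored.
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    return tags

def assess_dmarc(domain, record):
    """Return (level, explanation) describing how well exact-domain spoofing is blocked."""
    tags = parse_dmarc(record)
    if tags is None:
        return ("missing", f"{domain}: no valid DMARC record, spoofed mail is not checked")
    policy = tags["p"].lower()
    if policy == "none":
        return ("monitor-only", f"{domain}: p=none only requests reports, spoofed mail is still delivered")
    if policy not in ("quarantine", "reject"):
        return ("missing", f"{domain}: unknown policy {policy!r}, receivers treat the record as invalid")
    gaps = []
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 100
    if pct < 100:
        gaps.append(f"pct={pct} applies the policy to only {pct}% of failing mail")
    if tags.get("sp", policy).lower() == "none":  # sp defaults to p when absent
        gaps.append("sp=none leaves subdomains unprotected")
    if "rua" not in tags:
        gaps.append("no rua address, so spoofing attempts are never reported back")
    if gaps:
        return ("partial", f"{domain}: p={policy} but " + "; ".join(gaps))
    return ("enforced", f"{domain}: p={policy} blocks exact-domain spoofing at DMARC-aware receivers")

if __name__ == "__main__":
    for name, txt in SAMPLE_RECORDS.items():
        print(*assess_dmarc(name, txt))
```

Note that even an "enforced" result only covers exact-domain spoofing of your own domain; lookalike domains and display-name tricks, which Tessian's comment below addresses, are outside DMARC's scope.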
"DMARC only helps senders prove who they are - that they really do own the domain that they are sending the email from. This helps protect senders from being directly impersonated by malicious actors but does little to protect the recipients of emails against a wide variety of email impersonation attacks," said Tim Sadler, CEO at Tessian to SC Magazine UK.
"Global adoption rates for DMARC remain low and executive branches should be aware that the majority of emails employees receive are still not DMARC authenticated. This means that whilst their own domain may be protected from direct impersonation, their employees remain vulnerable to direct impersonation of their external contacts.
"To protect themselves from the impersonation of external contacts, many enterprises rely on inspection of attachments, URLs or other payloads that can be sent in a spear-phishing email. A better approach would be to identify the actual impersonation behind the attack.
"This will not only reduce their vulnerability to attacks whereby hackers exploit business-critical applications but also protect them from zero-payload attacks such as BEC or its next iteration. Machine learning can prove invaluable here, in understanding the human layer to automatically mitigate the threat and prevent a data breach happening in the first place," he added.
Commenting on the evolved tactics of London Blue hackers to maximise their earnings, Corin Imai, senior security advisor at DomainTools, said that this revelation should be a serious concern to businesses as BEC fraud can have devastating consequences for the organisation targeted; the amounts of money involved often substantially outweigh those associated with the more general phishing scams, which cast a wide net in the hopes of securing multiple payments.
"These scams prey on the high-pressure environments of large corporations, hoping that those responsible for transferring funds will be more concerned with completing the task quickly than by making sure it is an authentic request.
"CFOs and other potential BEC targets should make efforts to verify any requests that they find unusual – taking slightly longer to make a transfer is significantly better than unwittingly helping to facilitate a fraudulent transaction," he added.
Earlier this week SC Media UK editor in chief Tony Morbin interviewed Crane Hassold, senior director of Threat Research at Agari and a former US FBI analyst who provided strategic and tactical analytical support on cyber, financial crime and violent crime cases, for a video about email security. During the video he explained how groups such as London Blue developed from 'Nigerian Prince' type scammers into more sophisticated BEC players. Video to be uploaded.