Cyber threat detection company Agari has warned of a criminal organisation in possession of a list containing the contact details of 50,000 top business professionals, which is being used to trick large businesses into handing over money willingly.

The scam is known as a ‘business email compromise’ (BEC) campaign, a largely unsophisticated attempt to steal funds from businesses by sending out fraudulent emails to employees in financial roles.

While little technical skill is involved, BEC scams use social engineering techniques to persuade these employees to hand over large sums of money. These emails usually appear to come from somebody higher up in the organisation and typically ask for a set amount of money to be transferred to an account as soon as possible. Keen to follow the orders of their superiors, many often complete these transactions without questioning the source of the email.

These scams, often carried out by criminal gangs in Nigeria, are nothing new. According to the FBI Internet Crime Complaint Center, some 78,600 businesses have fallen victim to BEC campaigns since 2013, resulting in losses of more than $12bn.

The London Blue scam

Agari was first alerted to the London Blue scam in August, when the company’s Chief Financial Officer Raymond Lim received an email that appeared to have been sent by Agari CEO Ravi Khatod.

The email read:

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData
Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“Ray, we need to make a transfer today. Let me know if you can process now and I will send info.

Ravi Khatod”

Noticing that the email address used didn’t match the name, Lim continued to back and forth with the scammer to get an idea of how they operate.

It is easy to see how many of those targeted might be fooled. The emails, which can be viewed in Agari’s full report, stress urgency and put pressure on the target to make the payment as soon as possible, with phrases such as “please advise” and “can you process now” littered throughout.

Once the target agreed to help, the scammer sends over details of the recipient account, bank address and the total transfer amount.

The email asks for acknowledgement of its delivery and for the employee to provide updates on the transfer, again pressing the target to complete the request with urgency. Should they not acknowledge the email quickly enough, follow-up emails are sent.

As these emails don’t tend to include attached malware or suspicious links, they are rarely picked up by security systems.

Where did the London Blue target list come from?

The list thought to be used by London Blue was generated over a five-month period earlier this year.

According to Agari, the 50,000 strong target list is made up of two contact lists put together by two separate data brokers. Most recently, they have released on a company based in San Francisco who supplied detailed information on potential targets, including their name, company, title, work email address and personal email address.

This sort of data is more commonly sold to marketing and sales teams looking to target executives high up in a company. However, it is likely available to whoever wants to get a hold of it for the right price.

“London Blue’s effectiveness depends on working with commercial data brokers to assemble lists of target victims around the world,” the report states. “Doing so gives it the attack volume of a mass spam campaign, but with the target-specific customization of spear-phishing attacks.”

Who is being targeted?

According to Agari’s research, the vast majority of professionals being targeted by London Blue are Chief Financial Officers. Some 35,000, or 71%, of names on the list held the CFO role, with a further 12% holding a financial director or manager role. The remaining 17% was made up of finance controllers, employees in accounting positions, or those working as assistants to executives.

The vast majority of targets are located in the United States. However, the list also included details of a high number of professionals located in Spain, the United Kingdom Finland, the Netherlands, Mexico, Egypt, France, Canada and Malta.

In total, individuals in 82 different countries were targeted by London Blue, with customised emails sent in the target’s native language each time.

What should CFOs look out for?

Employees in control of financial transactions should always check the address of the sender before finalising a payment. While there are ways for scammers to spoof addresses (making emails appear to come from another address), London Blue doesn’t appear to be using this tactic.

During its research, Agari uncovered a number of email addresses connected to the group. These are:

Who is behind London Blue?

Due to how common these operations are in the region, Agari suspects that London Blue likely operates out of Nigeria. The country is a hotbed for this sort of activity, with those infamous Nigerian prince emails dating back to the early days of the internet.

According to Agari, London Blue is operated in a similar fashion to the businesses that it is targeting. Those involved likely have specific roles in the operation, such as intelligence gatherers, researchers, copywriters, financial operators among other roles.

The process carried out starts with lead generation, where group members compile large data sets such as the one obtained for this scam. The next step involves researching any missing information such as names and email addresses. Test emails are then produced and sent around the organisation to make sure that they are delivered successfully. If there are no issues, the email is then sent out to the targets. If successfully, financial operators collect the transferred amounts and pass it on to the group.

Aside from London Blue’s main Nigeria-based operators, the group also has a number of collaborators in the United States and Europe, who act as mules to receive the transferred funds and deposit the money into the scammers’ bank accounts. Asking for money to be transferred to bank accounts in Europe and North America is likely an attempt to add some credibility to the request.

Unsurprisingly, unmasking the individuals behind the operation is an almost impossible task. However, Agari did identity 17 individuals that had been used as ‘money mules’, who would receive and move the funds taken through the scam. The group had seemingly targeted individuals with lengthy criminal histories that may otherwise find it difficult to secure work and earn money.

A history of London Blue

2011 to 2015
Craigslist scam

2015 to present
Credential phishing

2016 to present
BEC campaign

Agari managed to track the group back to 2011, revealing how it has evolved over the years.

London Blue’s criminal activity can be tracked back to a Craigslist scam that was in operation between 2011 and 2015.

The scammers would ask a seller whether they could send some money to a third-party, who would collect the item on their behalf, for which the seller would be reimbursed. The scammers would then use a US-based accomplice to send a fake cheque for the full amount to the seller. The seller would deposit the cheque and send the money to the third party’s account, which would be withdrawn before the bank processed the cheque and spotted it as a fake.

The organisation then moved on to credential phishing in 2015, using spoof web pages to trick users into entering their login information. Users would receive emails suggesting that their account for a particular service was about to be closed, prompting the user to cancel the shutdown request. Clicking the link would take the user to a fake webpage and ask for the user’s login details.

Services targeted included Adobe, Dropbox and Microsoft Office, suggesting that London Blue were attempting to collect the login information on enterprise users, which could indicate that this was actually the early stages of the BEC campaign that started the following year.