

From the Nigerian prince to London Blue – the growing threat of organised email fraudsters

Nigeria has unfortunately long been synonymous with email scammers. The “Nigerian Prince” advance fee scam is perhaps one of the best-known email frauds, with the majority of internet users likely encountering it in some form since it first appeared in the early 1990s.

However, email fraudsters have come a long way since the earlier far-fetched and often poorly constructed scams most people are familiar with. While there are still plenty of low-level opportunists around, an increasing number of the fraudulent emails we encounter originate from sophisticated and well-organised operations that mimic the structure of a legitimate corporation.

Agari recently conducted a deep research campaign into a particularly prolific Nigerian gang we have dubbed London Blue. The group had grown into a global undertaking that included operatives in the UK and elsewhere in Western Europe, as well as the United States.

Members of the gang each have specific tasks that directly mirror normal job roles, including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customised attack emails), sales (the con itself), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules).

In addition to its well-defined structure, London Blue also works with commercial data brokers to assemble lists of target victims around the world. This means it is able to combine the immense volume of a mass spam campaign with the high level of customisation seen in individually targeted spear-phishing attacks. Merging commercially available tools with criminal tactics has enabled London Blue to deliver highly effective, semi-customised attacks on companies of all sizes on a global scale.

Unearthing the operation

A typical example of the targeted lists used by the gang includes one that listed more than 300 California-based individuals with CFO in their title. The list included one of the world’s top private universities, a major enterprise data storage company, a famed guitar maker, casinos and hotels and a retirement home, in addition to a wide assortment of other businesses of all sizes.

Unfortunately for the gang, one of their potential marks was Agari CFO Raymond Lim. As many other scammers have learnt to their detriment, it’s generally a bad idea to send a fraudulent message to a company specialising in identifying deceptive emails. After identifying the initial attack email from the gang, we began actively engaging with them to collect in-depth intelligence on their tactics and organisational structure.

London Blue first contacted our CFO in August 2018, opting to take on the guise of Agari’s CEO in order to request an urgent wire transfer. Although the email displayed our CEO’s name in the “from” section, we identified that the email had been sent from a temporary email account with the provider daum.net rather than from our own domain.

We proceeded to string the fraudster along, concocting various errors and problems that necessitated the use of more bank accounts for the transfer. Gathering information on multiple mule accounts enables us to inflict greater damage on criminal organisations, as financial services and law enforcement can shut down more of their operations.

As we continued to analyse the group, we found that this fraud attempt was typical of their methods. By itself, the email is a fairly simple Business Email Compromise (BEC) campaign attempting to use the identity of a senior executive to trick an employee into authorising a payment. Many businesses will be targeted by some variety of this scam on a daily basis.

What sets London Blue apart, however, is their ability to launch targeted spear-phishing emails on a huge scale. Normally, a well-crafted spear-phishing attack will require a fairly large amount of research from the scammer. They will need to identify individuals with the ability to authorise transfers and learn enough about the organisation’s hierarchies to impersonate a senior figure such as the CEO. Some may take additional steps to create a more convincing social engineering attack, generally using personal details from the victim’s social media.

How London Blue is upping the stakes

Because London Blue has purchased subscriptions to the same commercial lead-generation services used by most legitimate businesses, they can take a huge shortcut and gather the necessary data for thousands of victims at a time. Emails on this scale have previously been limited to very broad phishing campaigns that are far less convincing.

Using these tactics, London Blue has been able to set its sights on hundreds of thousands of targets around the world. During the course of our investigation, Agari identified a list of more than 50,000 corporate financial officials that was generated during a five-month period in early 2018. The list was largely made up of CFOs, but included a mix of executive assistants and other financial leaders as well.

The companies involved spanned small businesses to huge multinationals, including dozens of executives at the world’s top banks. Most targets were located in the United States, but the lists also included companies in 82 different countries, with leading targets including Spain, the United Kingdom, Finland, the Netherlands and Mexico.

How can companies defend against organised fraudsters?

London Blue presents a major threat to businesses because of its focus on using highly effective BEC emails. Our previous research indicates that BEC emails produce an average of 3.97 victims per 100 initial responses. With average payment requests coming in at around $35,000, this makes them an extremely effective moneymaking tool – particularly when combined with the scale and organisation displayed by London Blue.

One of the reasons BEC emails are so effective is that they do not contain malware or any other keywords that would cause them to be flagged by the traditional email security systems used by most organisations. This means there is a relatively high chance of the email reaching its intended target, and stopping the fraud is then down to the individual victim’s perception and caution, as well as the strength of the company’s financial processes. Spotting a fraud is no easy task, as well-crafted fakes can look identical to the real thing. BEC campaigns also use the authority of senior figures like the CEO to pressure their target into complying, often concocting a scenario that requires the payment to be made urgently and to circumvent the normal processes.

The highly organised and targeted nature of these attacks means that organisations cannot continue to rely on traditional email security measures and employee vigilance. The increasing volume of BEC attacks means that even well-trained workers are likely to be deceived eventually. Organisations need to have measures in place to spot the subtle signs of an imposter such as mismatched sender IDs and other signs of spoofing.
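The mismatch described above, a CEO's name in the "from" field on an address outside the company's own domain, can be checked mechanically at the mail gateway. The sketch below is an added example, not Agari's tooling; the domain, executive names and sample messages are constructed assumptions, and the Reply-To check goes slightly beyond the case in the article.

```python
from email import message_from_string, policy

# Assumptions for this example: the organisation's domains and the
# executive names worth protecting. Neither comes from the article.
ORG_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe"}

# Constructed sample messages (not real traffic).
SPOOFED = ("From: =?utf-8?q?Jane_Doe?= <ceo.office@freemail.example>\n"
           "To: cfo@example.com\nSubject: Urgent wire transfer\n\nAre you free?\n")
INTERNAL = ("From: Jane  DOE <jane.doe@example.com>\n"
            "To: cfo@example.com\nSubject: Board pack\n\nAttached.\n")
REDIRECT = ("From: Accounts <accounts@example.com>\n"
            "Reply-To: accounts@freemail.example\n"
            "To: cfo@example.com\nSubject: Invoice\n\nSee below.\n")


def first_address(msg, header):
    """Return (display name, lower-cased domain) of the first address."""
    value = msg[header]
    if value is None or not value.addresses:
        return "", ""
    addr = value.addresses[0]
    return addr.display_name or "", addr.domain.lower()


def normalise(name):
    """Lower-case and collapse whitespace so 'Jane  DOE' matches 'jane doe'."""
    return " ".join(name.lower().split())


def check_message(raw):
    """Return a list of findings for one RFC 5322 message."""
    # policy.default decodes RFC 2047 encoded display names before comparison.
    msg = message_from_string(raw, policy=policy.default)
    display, domain = first_address(msg, "From")
    findings = []
    # Executive name shown to the reader, but the address is external.
    if normalise(display) in EXECUTIVES and domain not in ORG_DOMAINS:
        findings.append("exec-display-name-external-domain")
    # Replies would go to a different domain than the visible sender.
    _, reply_domain = first_address(msg, "Reply-To")
    if reply_domain and reply_domain != domain:
        findings.append("reply-to-domain-mismatch")
    return findings
```

A check like this only covers display-name deception; messages that forge the organisation's own domain in the From header are the job of SPF, DKIM and DMARC enforcement.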

Despite its impressive scale and organisation, London Blue is just one example of increasingly organised gangs in Nigeria and around the world. For those companies that fail to keep pace with the fast-developing fraudsters, it’s only a matter of time before they join the growing list of victims.

Crane Hassold, Senior Director of Threat Research, Agari

Image Credit: Gustavo Frazao / Shutterstock
