35,000 CFOs targeted: this is how London Blue works
by Bija Knowles
A group of cyber criminals called London Blue is in possession of a list of about 35,000 chief financial officers (CFOs), which it uses to target financial professionals with business email compromise, or BEC, scams. The list was uncovered by cybersecurity firm Agari and contained the data of 50,000 financial professionals, including CFOs and accountants working at some of the world's largest companies, particularly banks and mortgage firms.
London Blue's modus operandi
Agari's report on London Blue, which was published yesterday, uses the chilling tagline “UK-Based Multinational Gang Runs BEC Scams like a Modern Corporation”. It looks at the working methods of a Nigerian criminal cyber gang, with operatives in the UK and US, conducting BEC scams against companies around the world. Some of the characteristics of the group's modus operandi include:
- The criminal group is highly structured and includes members dedicated to typical business functions found in large organisations, including: business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customized BEC attack emails), sales (the con itself, conducted with individual attention to the victim), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules).
- It uses commercial data brokers to assemble lists of target victims around the world, enabling it to conduct an email spam campaign “but with the target-specific customization of spear-phishing attacks”.
- The hackers get personal, professional and contact data from a variety of open sources such as LinkedIn but they also use proprietary marketing services to obtain lists of legitimate business email addresses.
- Companies targeted range from small businesses to the largest multinationals, including banks and mortgage companies.
- They often target recipients able to authorise high-value money transfers and engineer the compromised email so that it appears to be from one of the company's primary bosses, such as the CEO or chairman.
- The attack emails typically contain no malware, making them invisible to many of the most common email security measures.
- Of the 50,000 corporate executives on the list, 71 per cent were CFOs, 2 per cent were executive assistants, and the remainder were other finance leaders.
- Targets from 82 different countries were listed, but more than half were based in the US. The other most commonly targeted countries were the UK, Spain, Finland, the Netherlands and Mexico.
Agari's report also notes that, according to the FBI Internet Crime Complaint Center (IC3), BEC is a $12 billion business. It is also the most popular and most effective email scam, producing four victims for every 100 initial email responses, with an average payment request of $35,000.
'Pure social engineering'
Agari's senior director of threat research, Crane Hassold, told the Financial Times that these BEC scams are based on “pure social engineering” and do not require sophisticated technology. However, the number of attacks reported is rising because they have been proven to work. The report outlines how Agari's own CFO has also been targeted by London Blue, enabling the firm to engage with the cyber group and gather intelligence about its methods and bank accounts.
CFO of multinational falls for BEC scam
Tim Sadler, co-founder and CEO at Tessian, an email security firm, highlights a recent case in which the CFO of Pathé was duped by a BEC attack and €19 million was stolen. Sadler commented: “As Agari’s research highlights, high-profile and C-level employees of financial institutions are becoming increasingly popular targets of BEC scams because they have access to lucrative data and have the power to authorise high-value money transfers. The Pathé incident from a few weeks ago, in which 19 million euros was stolen after the company’s CFO was duped by a BEC email scam, also emphasises how effective, and costly, these attacks can be.”
And Corin Imai, senior security advisor at security risk intelligence firm DomainTools, commented: “These scams prey on the high-pressure environments of large corporations, hoping that those responsible for transferring funds will be more concerned with completing the task quickly than by making sure it is an authentic request. CFOs should make efforts to verify any requests that they find unusual. Taking slightly longer to make a transfer is significantly better than unwittingly helping to facilitate a fraudulent transaction.”