This prolific phishing gang is back with new tactics to target executives

A prolific cyber-criminal phishing operation which built a list of 50,000 executives, CFOs and other top financial personnel has expanded its operations with a new database of additional targets.

Initially uncovered by researchers at cybersecurity company Agari, the Business Email Compromise (BEC) group dubbed London Blue distributes phishing emails in an effort to trick organisations into transferring large sums of money into their accounts, often while posing as executives and other senior staff.

The group, which works between Nigeria, the UK and several other countries, remains active and has tweaked their tactics in an effort to remain effective.

Previously, the attackers used temporary accounts from free email service providers which used a name known to the intended victim to conduct their attacks. Now they've stepped up their game, sending BEC emails which don't only contain a convincing name, but also use a spoofed address which mimics that of the company in order to add more authenticity to attacks.

It's a common tactic used in phishing attacks, but suggests that London Blue might be having to put in a bit more work to be successful – or just that they want to ensure they have the best chance of tricking a victim into wiring a financial transfer.

Lures during the previously reported campaign tended to be based around phoney vendor payments – after some initial back and forth to secure trust of the intended victim - now there's been a shift here too, with scammers attempting to use mergers and acquisitions deals to extract payment.

Agari's own CFO was targeted by this new scheme – after previously being targeted with the original campaign.

"What they did with our CFO is they're using a mergers and acquisition theme. They're saying we've just agreed with a vendor for an acquisition but as part of the agreement terms, 30 percent of the price needs to be paid up front," Crane Hassold, senior director of threat research at Agari told ZDNet.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)   

The scammers asked for a 30 percent payment upfront, equating to $80,000. However, given the attackers were targeting a cybersecurity company – again – it wasn't successful, especially as Agari researchers knew the attempted attack was coming before it even arrived.

"Because we now track them so closely and we've got really good visibility into their operations, we knew it was coming, we knew they were going to target our CFO and other financial executives in California," Hassold explained.

"So we were able to watch and track the entire lifecycle of their attack from preparation to execution. Then we saw them testing the email they were going to send to executives in California and two and a half hours after they first tested it, we saw it coming to our CFO's inbox," he added.

The first round of London Blue attacks mostly targeted the US and Western Europe, but now the attackers have added South East Asia and Australia to their radar, having not targeted them previously.

However, while the employees targeted in these attacks are based in Asia, the companies they work for were nearly all based in Western Europe, the US and Australia – with all of the phishing emails written in English.

London Blue has been identified as a Nigerian operation, but researchers have identified one member who is based in the UK. There are also several members of the group who work in other countries, including Turkey, Egypt and Canada – with each of them originally from Nigeria.

For the scammers, said Crane, the whole operation is just viewed as a job and a means of making money – even coming with the prospect of promotions.

"It's very much an occupation for some of these guys and you look at the differentiation on how they split duties, a lot of these scammers get into it very young and go through apprenticeships," he explained.

"They start with low-level tasks, before doing it themselves then overseeing things – the structure behind it is fascinating."

It's believed that London Blue remains active and organizations are urged to be on the look out for their campaigns. In order to help, Agari has provided a full list of email addresses associated with London Blue's BEC campaigns.

READ MORE ON CYBER SECURITY

• Phishing attacks: Half of organisations have fallen victim in last two years
• How to spot a phishing email CNET
• Phishing attacks: Why is email still such an easy target for hackers?  
  
• The challenges with preventing phishing attacks: An insider's perspective TechRepublic
• Filled with malware, phishing and scams, does the web need a safety manual?