April 08, 2019 – London Blue, one of the most notorious business email compromise hacking groups, has expanded both its database of more than 50,000 leading executives and its attack techniques, according to a recent report from security firm Agari.
The hackers were able to generate their list of 50,000 executives during a five-month period in 2018, which they in turn used to prepare for future phishing campaigns, the researchers explained. About 71 percent of the database were chief financial officers, while the rest were made up of executive assistants and other finance leaders.
According to the report, the group targets a broad range of sectors and businesses, from small firms to large corporations. What’s worse is that these campaigns typically carry no malware or malicious links, so attachment scanning and signature-based email filters have nothing to match on and routinely let the messages through.
First discovered by Agari in December, the hacking group leverages targeted phishing campaigns to dupe executives into transferring funds into the hackers’ accounts. Operating much like a modern corporation, the group poses as senior staff members and other executives to trick its victims.
For example, according to the report, group members each have designated functions: business intelligence (lead generation), sales management (assigning leads to operators), email marketing (crafting the customized business email compromise emails), and human resources (recruiting and managing the “money mules” who receive the stolen funds).
“London Blue’s effectiveness depends on working with commercial data brokers to assemble lists of target victims around the world,” the report authors wrote. “Doing so gives it the attack volume of a mass spam campaign, but with the target-specific customization of spear-phishing attacks.”
“By combining commercially available tools with criminal tactics, the attackers are able to deliver semi-customized attacks on companies of all sizes in countries located around the world,” they added.
Since the group’s initial discovery, London Blue has modified its attack methods to improve the success rate. In the past, the hackers sent from free, temporary webmail accounts, relying on a display name the intended victim would recognize rather than on the sending address itself.
The researchers explained that the attackers have since added spoofed sender addresses that mimic the victim’s company domain, so the messages look more authentic. The pretext has shifted as well: where the group previously requested fake vendor payments, it now sends emails about mergers and acquisitions to prompt a payment from the victim.
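The two sender tricks described above translate directly into a triage check. The following is an added example, not code from the Agari report or from this article: it parses a message’s From and Reply-To headers and flags an executive’s display name on a free webmail account (the group’s earlier style), a sender domain that typo-squats or reuses the company’s domain (the later style), and, going one step beyond the article, a Reply-To that points to a different domain, a common BEC tell. The company domain `example.com`, the executive names, the webmail list and the three sample messages are all constructed for illustration.

```python
"""Added example, not code from the Agari report or this article: header
triage for the sender tricks the report describes. Domain, names and
messages are constructed; the Reply-To check is a general BEC heuristic
the article itself does not mention."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumed: the company's real domain
EXECUTIVES = {"Jane Doe", "John Roe"}              # assumed: names a target would recognise
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "mail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typo-squatted domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def norm_name(name: str) -> str:
    return " ".join(name.lower().split())


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_company_domain(domain: str) -> bool:
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def is_lookalike(domain: str) -> bool:
    """Within two edits of the real domain, or reusing its label (example-payments.com)."""
    if is_company_domain(domain):
        return False
    label = COMPANY_DOMAIN.split(".")[0]
    return edit_distance(domain, COMPANY_DOMAIN) <= 2 or label in domain.split(".")[0]


def triage(raw_message: str) -> list:
    """Return the findings for one RFC 5322 message; an empty list means nothing to flag."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = domain_of(addr)
    findings = []
    if is_company_domain(domain):
        # Real domain: exact-domain spoofing is SPF/DKIM/DMARC's job, not this heuristic's.
        return findings
    if norm_name(display) in {norm_name(n) for n in EXECUTIVES} and domain in FREE_WEBMAIL:
        findings.append("exec-name-on-webmail")
    if is_lookalike(domain):
        findings.append("lookalike-domain")
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != domain:
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages: the group's earlier and later sender styles, plus a genuine one.
SAMPLES = {
    "early": 'From: "Jane Doe" <jane.doe.ceo@gmail.com>\nTo: cfo@example.com\n'
             'Subject: Quick favour\n\nAre you at your desk? I need a transfer done today.\n',
    "later": 'From: "Jane Doe" <jane.doe@examp1e.com>\nReply-To: jdoe.deals@mail.com\n'
             'To: cfo@example.com\nSubject: Acquisition deposit\n\nWire details below.\n',
    "legit": 'From: "Jane Doe" <jane.doe@example.com>\nTo: cfo@example.com\n'
             'Subject: Board pack\n\nSee you at 3.\n',
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:6} -> {triage(raw) or 'clean'}")
```

The check deliberately returns nothing for mail that really comes from the company domain: whether such mail is spoofed is a question for SPF, DKIM and DMARC alignment, not for string heuristics. The edit-distance threshold of two is an assumption; tune it against your own domain, since short domain names produce more near neighbours.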
In fact, Agari’s own CFO Raymond Lim was on a list of the hacking group’s target victims. The researchers then engaged with the hackers to gain insight into the attack method.
“In our analysis of London Blue, we identified the working methods of a group that has taken the basic technique of spear-phishing—using specific knowledge about a target’s relationships to send a fraudulent email—and turned it into massive BEC campaigns,” the researchers wrote.
“Each attack email requesting a money transfer is customized to appear to be an order from a senior executive of the company,” they continued. “Conventional spear-phishing requires time-consuming research to gather the info needed for the attack to be successful—identifying individuals with access to move funds, learning how to contact them, and learning their organizational hierarchies.”
The researchers explained that by using commercial lead-generation services, the hackers have found a shortcut that lets them target thousands of victims at a time. To help organizations detect these attacks, Agari compiled the list of targeted executive email addresses in its report.
Business email compromise attacks have increased rapidly in recent years and are among the most effective email scams. Agari researchers found that the campaigns produce 3.97 victims for every 100 email responses.
Several recent reports echoed Agari’s findings. Beazley Breach Response Services found business email compromise made up half of the hacking and malware cyberattacks in 2018, while Barracuda found the cyberattacks have caused more than $12.5 billion in losses since 2013.
The researchers behind these reports noted that AI-based security tools, which model an organization’s normal communication patterns and flag anomalies, may help, since traditional tools built around malware signatures are often ineffective against these highly targeted campaigns.
Other effective controls include DMARC authentication and reporting, account-takeover prevention, proactive investigations, and multi-factor authentication.
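DMARC is the one control on that list that is a configuration rather than a product, and a record that merely exists is not the same as one that enforces. The following is an added example, not from the article or any of the cited reports: a small checker for the DNS TXT record published at `_dmarc.<domain>`, shown against a weak record and a hardened one. Tag semantics follow RFC 7489; the domain and report address are constructed.

```python
"""Added example, not from the article or the cited reports: assess the
DMARC TXT record a domain publishes. Tag meanings per RFC 7489; the
sample records and the report mailbox are constructed."""


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return the weaknesses found; an empty list means the record enforces rejection."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC1 record"]
    problems = []
    policy = tags.get("p")
    if policy is None:
        problems.append("p= tag missing: receivers treat the record as invalid")
    elif policy == "none":
        problems.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        problems.append("p=quarantine: spoofed mail lands in junk instead of being rejected")
    try:
        pct = int(tags.get("pct", "100"))       # RFC 7489 default is 100
    except ValueError:
        problems.append("pct= is not a number")
        pct = 100
    if pct < 100:
        problems.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if tags.get("sp") == "none":
        problems.append("sp=none: subdomains are left unprotected")
    if "rua" not in tags:
        problems.append("no rua=: aggregate reports are not collected, so spoofing goes unseen")
    return problems


# Constructed records: the weak setting beside the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@example.com")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{label}: {rec}")
        for problem in assess_dmarc(rec) or ["ok"]:
            print(f"  - {problem}")
```

The caveat a practitioner will want: DMARC only protects the domain that publishes the record. A message sent from a free webmail account or from a lookalike domain such as `examp1e.com` can pass SPF, DKIM and DMARC perfectly, because those checks are evaluated against the attacker’s domain, not yours. That is why DMARC enforcement needs to sit alongside display-name and lookalike-domain detection and the account-takeover and multi-factor controls listed above.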