[BreachExchange] London Blue Cybergang Lists 50,000 Execs for Phishing Attacks

Destry Winant destry at riskbasedsecurity.com
Thu Dec 6 00:12:43 EST 2018


https://hackercombat.com/london-blue-cybergang-list-50000-execs-for-phishing-attacks/

As reported by SC Magazine, a U.K./Nigerian cybergang has accumulated
a list of more than 50,000 corporate executives to be targeted in
future phishing campaigns.

According to Agari’s London Blue report, the list was generated in
early 2018. Of the names on it, 71 percent were CFOs, 2 percent were
executive assistants, and the remainder were other finance leaders, from
small businesses to the largest multinational corporations.

Researchers noted that in many cases the threat group had amassed the
information of dozens of executives from some of the world’s largest
banks and had singled out mortgage companies for special attention,
which would enable scams that steal real estate purchases or lease
payments.

The report said “Well over half of the 50,000 potential victim
profiles that London Blue compiled in their targeting database were
located in the United States. Other countries commonly targeted
included Spain, the United Kingdom, Finland, the Netherlands and
Mexico.”

In total, targets from 82 countries were listed in the cybergang’s
directory, with more than half in the US and others in the U.K.,
Spain, Finland, the Netherlands and Mexico.

Researchers learned of the group’s malicious dealings when the
cybercriminals foolishly targeted the cybersecurity firm in one of its
attacks.

“On August 7, 2018, London Blue sent an attack email to Lim, appearing
to come from Agari CEO Ravi Khatod,” researchers said in the report.
“While the actual sending email account is on the daum.net domain, the
display name on the email is Ravi Khatod. Agari then engaged actively
with the attacker.”

Researchers requested wire transfer numbers and were able to fish out
mule accounts and advise the financial institutions of fraudulent and
malicious accounts to help shut them down.
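The attack on Agari described above relied on a display name that matched a real executive while the actual sending account sat on an unrelated domain. The following check is an added example (not code from the article, Agari, or the London Blue report) of how a mail gateway or SIEM rule can flag that pattern: it parses the From header, matches the display name against an executive directory, and raises a flag when the sending domain is not the organization's own or the Reply-To points elsewhere. The executive names, domains and sample headers are all constructed for illustration.

```python
"""Flag display-name impersonation of known executives in inbound mail.

Added example; every name, domain and header below is constructed.
"""
from email.utils import parseaddr
import re
import unicodedata

# Assumed corporate domain(s) for the protected organization (constructed).
CORPORATE_DOMAINS = {"example.com"}

# Constructed executive directory: display name -> the mailbox that name
# is allowed to send from.
EXECUTIVES = {
    "Jane Doe": "jane.doe@example.com",
    "Alex Chen": "alex.chen@example.com",
}


def normalize_name(name):
    """Normalize a display name for matching.

    Strips accents and punctuation, lowercases, and sorts the tokens so that
    "Jane Doe", "DOE, Jane" and "jane  doe" all compare equal.
    """
    name = unicodedata.normalize("NFKD", name)
    name = "".join(c for c in name if not unicodedata.combining(c))
    name = re.sub(r"[^a-z0-9 ]", " ", name.lower())
    return " ".join(sorted(name.split()))


# Pre-normalized index so each message costs one dictionary lookup.
EXEC_INDEX = {normalize_name(n): addr.lower() for n, addr in EXECUTIVES.items()}


def check_from_header(from_header, reply_to=None):
    """Inspect one message's From (and optional Reply-To) header.

    Returns a dict with the parsed display name, address and a list of flags.
    An empty flag list means nothing suspicious was found by this rule.
    """
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    verdict = {"display": display, "address": addr, "flags": []}

    key = normalize_name(display)
    if key in EXEC_INDEX:
        # The display name belongs to a known executive; the address must
        # come from our own domain and, within it, from the expected mailbox.
        if domain not in CORPORATE_DOMAINS:
            verdict["flags"].append("exec-display-name-external-domain")
        elif addr != EXEC_INDEX[key]:
            verdict["flags"].append("exec-display-name-wrong-mailbox")

    if reply_to:
        # A Reply-To on a different domain redirects the conversation away
        # from the apparent sender, a common follow-on to display-name spoofing.
        _, rt_addr = parseaddr(reply_to)
        rt_domain = rt_addr.lower().rpartition("@")[2]
        if rt_domain and rt_domain != domain:
            verdict["flags"].append("reply-to-domain-mismatch")

    return verdict


def triage(messages):
    """Run the check over a batch of header dicts; return only flagged verdicts."""
    verdicts = (check_from_header(m["From"], m.get("Reply-To")) for m in messages)
    return [v for v in verdicts if v["flags"]]


# Constructed sample headers covering the legitimate case, the pattern in the
# report (executive name on a free-mail account), a punctuation variant of it,
# a right-domain/wrong-mailbox case, a Reply-To redirect, and an unknown sender.
SAMPLE_HEADERS = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <jd.ceo.office@freemail.example>"},
    {"From": '"DOE, Jane" <ap.urgent@webmail.example>'},
    {"From": "Jane Doe <finance@example.com>"},
    {"From": "Jane Doe <jane.doe@example.com>", "Reply-To": "jane.doe@freemail.example"},
    {"From": "Vendor Billing <billing@vendor.example>"},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_HEADERS):
        print(f"{v['display']!r} <{v['address']}>: {', '.join(v['flags'])}")
```

The rule is deliberately narrow: it only fires when a display name collides with the executive directory, so ordinary external mail produces no noise, and the three distinct flags let a responder tell a free-mail impersonation apart from an internal account sending under the wrong name. It complements, rather than replaces, SPF/DKIM/DMARC enforcement and the out-of-band verification the experts quoted below recommend.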

The threat group carries out massive spam campaigns while working
closely with commercial data brokers, who collect the lists of target
victims around the world; these lists enable the group to customize
its spear-phishing attacks for each target.

In 2011 the group was heavily involved in sending high-quality
counterfeit checks; by 2015 it had upgraded to credential phishing
attacks, and by 2016 it was carrying out BEC attacks.

Although the group is based in Nigeria, researchers noted that it has
operations involving 17 potential collaborators in Western Europe and
the US.

Corin Imai, senior security adviser at DomainTools, said the
revelation of the group’s actions should be a serious concern to
businesses.

“BEC fraud can have devastating consequences for the organisation
targeted; the amounts of money involved more than often outweigh those
associated with the more general phishing scams, which cast a wide net
in the hopes of securing multiple payments,” Imai said. “These scams
prey on the high-pressure environments of large corporations, hoping
that those responsible for transferring funds will be more
concerned with completing the task quickly than by making sure it is
an authentic request.”

Imai went on to say CFOs should make efforts to verify any requests
that they find unusual and that taking slightly longer to make a
transfer is significantly better than unwittingly helping to
facilitate a fraudulent transaction.

Javvad Malik, security advocate at AlienVault, added that these attacks
shouldn’t be a surprise to the C-suite and other executives.

“Therefore, educating and making execs aware of these scams is the
first step in nipping the problem in the bud,” Malik said. “Additional
measures can be taken whereby double authorization is needed to setup
a new recipient or to send large payments.”

Experts agree. Tim Sadler, co-founder and CEO at Tessian, said the
attacks highlight that high-profile and C-level employees of financial
institutions are becoming increasingly popular targets of BEC scams
because they have access to lucrative data and have the power to
authorize high-value money transfers.

“It is clear that no employee, regardless of seniority, is safe from
the threat of spear-phishing,” Sadler said. “As long as a willing
attacker can gain access to the requisite information, and email
networks remain open and unprotected, they can effectively masquerade
as an employee in order to exploit those that have the power to manage
and release company funds.”

Sadler added that with access to global contact lists and a deftness
for strong-form impersonation methods, London Blue has the resources
and know-how to extract money at a great scale.
