CFOs at risk from business email hacking campaign
Chief financial officers (CFOs) around the world, including in the UK, are being targeted by an online criminal gang using sophisticated email hacking attacks to persuade individuals to make money transfers, according to a cyber security report which identifies a hit list of more than 50,000 senior finance executives.
4 Dec 2018
Agari, a cyber security specialist, says it has uncovered a Nigeria-based group with UK connections it has dubbed ‘London Blue’ which is targeting finance teams to make fraudulent payment requests.
London Blue generated a list of more than 50,000 corporate officials during a five-month period in early 2018. Among them, 71% were CFOs, 2% were executive assistants, and the remainder were other finance leaders.
The names are sourced from legitimate lead generation and marketing lists and are then used by the hackers to create so-called business email compromise (BEC) campaigns using display name deception.
Each attack email requesting a money transfer is customised to appear to be an order from a senior executive of the company. Agari was first alerted to the issue when its CFO Raymond Lim was sent an email which appeared to come from the company’s CEO Ravi Khatod.
While the actual sending email account is on the daum.net domain, the display name on the email is Ravi Khatod, and the message carries the correct name of the CFO or other finance executive.
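The mismatch described above, an executive's display name on an address outside the company's own domain, can be checked from the From header alone. The following is an added example, not code from Agari or this article; the corporate domain `example.com`, the sample addresses and the function names are assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Assumptions for this sketch: in practice the organisation's mail domains and
# the protected executive names would come from a directory service.
CORPORATE_DOMAINS = {"example.com"}   # placeholder domain
PROTECTED_NAMES = {"Ravi Khatod"}     # executive name taken from the article


def normalise(name: str) -> str:
    """Fold case, accents and spacing so trivial variations still match."""
    folded = unicodedata.normalize("NFKD", name)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return " ".join(folded.casefold().split())


PROTECTED = {normalise(n) for n in PROTECTED_NAMES}


def classify_from_header(from_header: str) -> str:
    """Return 'internal', 'display-name-deception' or 'external'."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in CORPORATE_DOMAINS:
        return "internal"
    # Executive name on an address outside the corporate domains.
    if normalise(display) in PROTECTED:
        return "display-name-deception"
    return "external"


# Constructed sample headers (the mailbox names are invented for illustration).
SAMPLES = [
    '"Ravi Khatod" <ceo.office1@daum.net>',
    "Ravi Khatod <ravi.khatod@example.com>",
    '"RAVI  KHATOD" <someone@daum.net>',
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify_from_header(header):24} {header}")
```

The "internal" result only means the From domain matches; it is trustworthy only when the message has also passed sender authentication (SPF, DKIM, DMARC) for that domain.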
Agari says its subsequent research shows London Blue’s targets included companies in a broad range of sectors, from small businesses to the largest multinational corporations. Several of the world’s biggest banks each had dozens of executives listed. The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments.
The attack emails typically contain no malware, thus rendering them invisible to many of the most common email security measures. While over half of the 50,000 potential victim profiles that London Blue compiled in their targeting database were located in the US, other countries commonly targeted included Spain, the UK, Finland, the Netherlands and Mexico, and in total, potential targets in 82 different countries were identified.
Agari warns that conventional phishing hacks require time-consuming research to gather the information needed for the attack to be successful: identifying individuals with access to move funds, learning how to contact them, and learning their organisational hierarchies. In contrast, using commercial lead-generation services allows hackers to shortcut this work, gathering the necessary data for thousands of target victims at a time.
Recent data from the FBI puts total identified global exposed losses from BEC at over $12.5bn (£9.7bn) (up from $5.3bn in December 2016), while the bureau says more than 30,000 victim complaints were submitted between June 2016 and May 2018.
Agari report on London Blue is here
Report by Pat Sweet