‘London Blue’ hacker group planned attack on 35,000 CFOs

Cybersecurity research and development firm Agari has obtained an extensive list of targets created by Nigeria-based hacker group ‘London Blue’

Nigeria-based hacker group 'London Blue' compiled a list of 50,000 targets for a business email compromise attack. Since 2013, this kind of attack has claimed 78,617 victims

A hacker group known as ‘London Blue’ has compiled a list of more than 35,000 CFOs, many of whom worked at the world’s largest lenders, to target them with money transfer requests.

The list was discovered by cybersecurity firm Agari. In a report on the scam, the company enumerated an additional 15,000 workers in various accountancy departments across the globe, compiled over a period of just five months.

According to Agari, the list details possible targets for business email compromise (BEC) attacks, which have become more popular with hackers in recent years.

In these types of attacks, hackers send an urgent request for funds to a CFO, using a display name the CFO is likely to recognise and therefore not flag as suspicious. They will request around $35,000 on average to be transferred into a fraudulent account.

According to the FBI, this method has cost companies over $12bn since 2013, with the number of victims identified reaching 78,617.

Agari has handed its evidence to the relevant UK and US law enforcement agencies.

London Blue is a Nigeria-based hacker gang with a network of at least 19 operators. Well over half of the 50,000 victims listed were located in the US, with the remainder spread over 82 countries including the UK, Finland, the Netherlands and Mexico.

Agari’s report stated: “Nigeria has been a hub for scammers since long before the internet came into wide use, and it remains one of the world’s primary centres for active gangs, including many that are focused on BEC.”

London Blue “operates like a modern corporation”, the report found, with members carrying out a range of specialised roles including business intelligence, sales, email marketing and HR, all of which are linked to the central hacking operation.

The group works with commercial data brokers across the globe to compile its mass list of targets. Its attack emails do not typically contain any malware, meaning they will not be flagged as dangerous by the majority of email security filters.

Crane Hassold, Agari’s senior director of threat research, said in a statement that he had seen evidence that the scammers had been successful in some cases.

He described the scheme as “pure social engineering” because it is not based on sophisticated technology, but on human carelessness in not verifying email addresses. “The reason it is on the rise is because it has been proven to work,” he added.
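Because these emails carry no malware and rely on a recognisable display name, a header check is one of the few automated controls that applies to them. The following is an added example, not taken from Agari's report: it flags a message whose display name matches a known executive while the address does not, and a Reply-To that points at a different domain. The directory, names and addresses are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr
import unicodedata

# Constructed directory (assumption): executive display names -> their real addresses.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

def _name_key(name):
    # Fold case and Unicode compatibility forms, drop commas, and ignore word
    # order so that "DOE, Jane" and "jane  doe" both match "Jane Doe".
    name = unicodedata.normalize("NFKC", name).casefold().replace(",", " ")
    return frozenset(name.split())

def check_message(raw):
    """Return a list of findings for one RFC 5322 message (empty = nothing flagged)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    # A familiar name on an unfamiliar address is the core BEC signal.
    for exec_name, exec_addr in EXECUTIVES.items():
        if _name_key(display) == _name_key(exec_name) and addr != exec_addr:
            findings.append("display-name-impersonation")
    # Replies silently routed to another domain are a second, independent signal.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower().rpartition("@")[2] != addr.rpartition("@")[2]:
        findings.append("reply-to-domain-mismatch")
    return findings

# Constructed sample messages (not real traffic).
SPOOFED = "\n".join([
    "From: Jane Doe <jdoe.office@example.net>",
    "Reply-To: payments@example.org",
    "To: cfo@example.com",
    "Subject: Urgent transfer needed today",
    "", "Please process the attached wire request before noon."])
REORDERED = "\n".join([
    'From: "DOE, Jane" <ceo-desk@example.net>',
    "To: cfo@example.com", "Subject: Quick favour", "", "Are you at your desk?"])
LEGIT = "\n".join([
    "From: Jane Doe <jane.doe@example.com>",
    "To: cfo@example.com", "Subject: Q3 forecast", "", "Draft attached."])

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("reordered", REORDERED), ("legit", LEGIT)):
        print(label, check_message(raw))
```
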