Phishing, Content

Spear Phishing Hackers Target CFOs in Fake Email Scheme

A notorious hacking group working out of the U.K. and Nigeria, whose calling card is business email compromise (BEC) scams, has been smoked out by a London-based email security firm.

In a new report released to coincide with the Black Hat Europe conference, Agari said it became aware of the group after the hackers tried to trick the security firm’s CFO into sending a chunk of change to an unknown account. Agari dubbed the cyber gangsters London Blue. Unbeknownst to the hackers, it was they who ended up getting scammed.

Here’s how it went down:

Posing as Agari chief executive Ravi Kahtod, London Blue emailed company CFO Raymond Lim requesting an urgent money transfer. But Agari researchers were ready for the hackers. "Our email filter caught ," Crane Hassold, Agari’s newly installed head of the its cyber intelligence division, and an 11-year veteran of the FBI, told DarkReading.

Posing as Lim’s assistant, Agari’s cyber pros were able to keep the email exchange going long enough to finger the gang’s two bosses, both of whom apparently live in and operate out of London. That wasn’t all they learned: London Blue, which is among the world’s largest BEC hucksters, used two lead generation services to compile a hit list of 35,000 CFOs in the U.S. and U.K. Worldwide, the hackers have another 15,000 targets in more than 80 countries, most of whom are in the U.S., with others in Egypt, Finland, Spain and other locales. More than 70 percent of the potential victims are CFOs. The remainder are top execs on finance teams, according to Agari’s legwork. In addition to financial services, construction, real estate and healthcare industries are among the crew’s favorite scores.

It’s on one of the lead generation lists that Lim’s name appeared, Agari said. Here’s how the email exchange between London Blue, posing as Kahtod and Agari researchers, posing as Lim’s assistant Alicia, began: (via DarkReading)

London Blue:
Ray, we need to make a transfer today. Let me know if you can process now and I will send info. Thanks Ravi Khatod.

Agari researchers:
Ravi, Raymond is out this week and I will help you with the transfer. Would you please provide me with the transfer details? Also just a reminder, as you may know, all payments go out on Wednesday, which is tomorrow. So if you need to make another transfer or payment, please inform me so that I could take care of them together before tomorrow's cut-off passes. Best Regards, Alicia

According to Hassold, London Blue’s crew includes roughly 25 people and a number of money mules in the U.S. and Western Europe with a few members in Nigeria. The FBI estimates that BEC con artists have have swindled 78,000 companies out of some $12 million.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.