New Year's resolution: start blogging a bit more. I'm usually too busy working to think about writing blog posts, so let's see how long this resolution lasts!
I was lucky enough to be able to attend Black Hat Europe 2018 in December. While there I saw a talk by Crane Hassold detailing his attempts to track the activities of the "London Blue" organised crime group.
What struck me most is that "London Blue" don't use any advanced exploits, malware or even sophisticated social engineering techniques. They rely on sending a semi-customised email to the right person and, more importantly, sending that email seemingly from the right person, normally the CFO (Chief Financial Officer). London Blue use a very simple technique, "display name deception", in the hope of tricking the recipient into believing it is a genuine email from the CEO or CFO.
First, a bit more background.
London Blue's name is derived from the fact that Agari, the investigating company, detected that at least two members of the organisation were London based. The "Blue" comes from a residential housing development in Lagos, Nigeria.
As mentioned above, London Blue do not rely on advanced malware to complete their attacks; their success is largely due to their prior research and internal group organisation. They are structured like a business, with each "department" performing certain tasks, and they use legitimate business resources to discover the relevant contacts within a company. Then, using free disposable email accounts with the display name changed, they send the email. That's it. If questions are asked, they have more front than Brighton to give plausible answers and continue the charade. If successful, money is transferred from the victim company to London Blue's money mule accounts and then on through a network of bank accounts belonging to knowing or unknowing accomplices.
Now you may be thinking, who on earth is going to fall for that? The answer is not that many, but enough fall for it to make it extremely profitable. Agari, the report's authors, claim that London Blue succeed 3.97% of the time, which may not sound like much, but when each victim is "taken" for an average of $35,000 it suddenly becomes a good return for a little bit of low-risk criminal work. You can see their economic motivation.
Agari, through unknown methods, were able to get a copy of London Blue's potential victim list, which contained contact details for 50,000 CFOs and CEOs. Do you think your company could be on that list? It's certainly not beyond the realms of possibility.
Really, the only defence for companies is healthy scepticism and confirming through a secondary communication medium that a money transfer request is legitimate. The defence vector is as simple as the attack vector.
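A simple mail-side check for the display name deception described above, as an added example that is not from the post or from Agari: it flags a message whose From display name matches a known executive while the sender address sits outside the company's own domains. The executive names, domains and sample messages are constructed for the example.

```python
import email
import email.utils
from email.header import decode_header, make_header
from typing import List, Optional, Tuple

# Constructed, hypothetical data: executive names worth impersonating and
# the company's own mail domains. Replace with your directory and domains.
EXECUTIVES = {"jane doe": "CFO", "john smith": "CEO"}
INTERNAL_DOMAINS = {"example.com"}


def _clean_name(display: str) -> str:
    # Decode RFC 2047 encoded words, drop punctuation, collapse whitespace.
    text = str(make_header(decode_header(display)))
    text = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in text)
    return " ".join(text.lower().split())


def check_from(from_header: str) -> Optional[str]:
    """Return a finding if the From header looks like display name deception, else None."""
    display, addr = email.utils.parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    name = _clean_name(display)
    for exec_name, role in EXECUTIVES.items():
        surname = exec_name.split()[-1]
        # Match the full name, or a bare surname used as the display name.
        if (exec_name in name or name == surname) and domain not in INTERNAL_DOMAINS:
            return f"display name '{display}' matches {role} but sender is external ({addr})"
    return None


def scan_messages(raw_messages: List[str]) -> List[Tuple[str, str]]:
    """Run the check over raw RFC 822 messages; return (subject, finding) per hit."""
    hits = []
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        finding = check_from(msg.get("From", ""))
        if finding:
            hits.append((msg.get("Subject", ""), finding))
    return hits


# Constructed samples: one genuine internal mail, one lure from a free webmail
# account with the CFO's name as display name, one unrelated external mail.
SAMPLES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q1 figures\n\nAttached.\n",
    "From: \"Jane Doe\" <jane.doe.cfo@freemail.invalid>\nSubject: Urgent wire today\n\n"
    "Can you process a transfer before 5pm? I'm in meetings all day.\n",
    "From: Accounts <ap@supplier.invalid>\nSubject: Invoice 1234\n\nInvoice attached.\n",
]

if __name__ == "__main__":
    for subject, finding in scan_messages(SAMPLES):
        print(f"[possible BEC] {subject}: {finding}")
```

A hit is a prompt for the out-of-band confirmation the post recommends, not proof of fraud: an executive genuinely mailing from a personal account will trip the same rule.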
The Agari report is available here, but it will cost you your contact details to access it. Whether that is worthwhile is up to you, but having read this post you already have the gist of it.
OIC Solutions can educate your staff against these and other types of social engineering attacks. You can contact us here.