London Blue Group Using Evolving BEC Techniques in Attacks

Business email compromise (BEC) has proven to be a growing threat to organizations, with the FBI issuing a statement that losses in 2018 have exceeded US$12 billion. Although the number of BEC attempts are not as high compared to spam campaigns, the increased likelihood that a successful attack would involve monetary transfer often results in high financial losses for victim organizations. Given this form of fraud’s large earning potential, it should come as no surprise that cybercriminals have been continuously refining their techniques to find the most effective way to scam companies. The evolution in attack methods was seen in recent campaigns by London Blue, a BEC scam group based in Nigeria with collaborators in the U.S. and Western Europe that has been active since 2011.

According to cybersecurity firm Agari, the group had been using a fairly basic BEC setup since 2016 involving free and temporary email accounts while impersonating certain individuals within the target organization. However, in 2019, London Blue shifted to using emails that spoofed the company’s CEO to make the attacks more convincing.

London Blue previously used a popular BEC technique: sending messages alerting the company of a pending payment to a vendor along with a request for a wire transfer to fulfill the said receivables at the soonest possible date. In January 2019, the group started shifting towards email messages notifying the organization that an international vendor has accepted acquisition terms but 30% of the purchase price will need to be wired. To help ensure that the scam is not discovered, the email also mentions that the receiver refrain from mentioning the deal until it has been finalized.

Since November 2018, the group had apparently collected a large database of potential targets — approximately 8,500 financial executives from nearly 7,800 different companies globally in addition to a master database of 50,000 executives. Although CFOs comprised the majority of targets, the group was not above targeting people lower down the organizational chart as finance managers and controllers, accountants, and even executive assistants were also listed. This move by London Blue supports our prediction for 2019 that BEC schemes will target employees two levels down from the C-levels.

Furthermore, the group was seen starting to focus on Asia — a region they were not active in previously — specifically in Hong Kong, Singapore, and Malaysia. These developments show that London Blue is not only refining its techniques but also expanding its scope for both targets and regions.

Defending Against BEC Attacks

BEC attacks are highly effective despite not requiring complicated tools or highly technical knowledge. In fact, many of the techniques used by London Blue seem very simple. However, many people still fall for these kinds of scams.

Fortunately, there are ways to protect organizations from BEC attacks, often beginning and ending with end users. These include:

• Employee awareness and education are extremely important. An organization should provide the basics of spotting BEC and phishing scams to its employees.

• Email is often the main vehicle for BEC. End users should know what to look out for when it comes to email-based attacks — even well-crafted BEC attempts usually have signs that they are malicious.

• All employees, but especially those who are involved with the financial or accounting departments of a company, should first verify the legitimacy of fund transfer requests, especially those that involve large amounts.

• Building a culture of security can ensure that cybersecurity within a company is tightened from top to bottom.

Organizations should also consider using multilayered security technology that makes use of artificial intelligence (AI) and machine learning, such as Trend Micro™ email security products which provide defenses against BEC, email account compromise (EAC), phishing, and other more advanced threats. Trend Micro’s anti-BEC technology combines the knowledge of a security expert with a self-learning mathematical model to identify fake emails by examining behavioral factors and the intention behind an email.

In addition, Writing Style DNA, a technology used by Trend Micro™ Cloud App Security™ and ScanMail™ Suite for Microsoft® Exchange™ solutions, can detect email impersonation via AI to help recognize a user’s writing style based on past written emails while comparing it to suspected forgeries. This feature is ideal for protecting against BEC scams like London Blue’s. When an email is suspected of spoofing a user, the writing style of that message is cross-checked against a trained AI model while a warning is sent to the supposed sender, the target recipient, as well as the IT department of the organization.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.