Skip to main content

From the Nigerian prince to London Blue – the growing threat of organised email fraudsters

(Image credit: Image Credit: Gustavo Frazao / Shutterstock)

Nigeria has unfortunately long been synonymous with email scammers. The “Nigerian Prince” advance fee scam is perhaps one of the best-known email frauds, with the majority of internet users likely encountering it in some form since it first appeared in the early 1990s.

However, email fraudsters have come a long way since the earlier far-fetched and often poorly constructed scams most people are familiar with. While there are still plenty of low-level opportunists around, an increasing amount of the fraudulent emails we encounter originates from sophisticated and well-organised operations that mimic the structure of a legitimate corporation.

Agari recently conducted a deep research campaign into a particularly prolific Nigerian gang we have dubbed London Blue (opens in new tab). The group had grown into a global undertaking that included operatives in the UK and elsewhere in Western Europe, as well as the United States.

Members of the gang each have specific tasks that directly mirror normal job roles, including business intelligence (lead generation), sales management (assignment of leads), email marketing (semi-customised attack emails), sales (the con itself), financial operations (receiving, moving and extracting the funds), and human resources (recruiting and managing money mules).

In addition to its well-defined structure, London Blue also works with commercial data brokers to assemble lists of target victims around the world. This means it is able to combine the immense volume of a mass spam campaign with the high level of customisation seen in individually targeted spear-phishing attacks. Merging commercially available tools with criminal tactics has enabled London Blue to deliver highly effective, semi-customised attacks on companies of all sizes on a global scale.

Unearthing the operation

A typical example of the targeted lists used by the gang includes one that listed more than 300 California-based individuals with CFO in their title. The list included one of the world’s top private universities, a major enterprise data storage company, a famed guitar maker, casinos and hotels and a retirement home, in addition to a wide assortment of other businesses of all sizes.

Unfortunately for the gang, one of their potential marks was Agari CFO Raymond Lim. As many other scammers have learnt to their detriment, it’s generally a bad idea to send a fraudulent message to a company specialising in identifying deceptive emails. After identifying the initial attack email from the gang, we began actively engaging with them to collect in-depth intelligence on their tactics and organisational structure.

London Blue first contacted our CFO in August 2018, opting to take on the guise of Agari’s CEO in order to request an urgent wire transfer. Although the email displayed our CEO’s name in the “from” section, we identified that email had been sent from a temporary email account from provider rather than our own domain.

We proceeded to string the fraudster along, concocting various errors and problems that necessitated the use of more bank accounts for the transfer. Gathering information on multiple mule accounts enables us to inflict greater damage on criminal organisations, as financial services and law enforcement can shut down more of their operations.

As we continued to analyse the group, we found that this fraud attempt was typical of their methods. By itself, the email is a fairly simple Business Email Compromise (BEC) campaign attempting to use the identify of a senior executive to trick an employee into authorising a payment. Many businesses will be targeted by some variety of this scam on a daily basis.

What sets London Blue apart however is their ability to launch targeted spear-phishing emails on a huge scale. Normally, a well-crafted spear-phishing attack will require a fairly large amount of research from the scammer. They will need to identify individuals with the ability to authorise transfers and learn enough about the organisation’s hierarchies to impersonate a senior figure such as the CEO. Some may take additional steps to create a more convincing social engineering attack, generally using personal details from the victim’s social media.

How London Blue is upping the stakes

Because London Blue has purchased subscriptions to the same commercial lead-generation services used by most legitimate businesses, they can take a huge shortcut and gather the necessary data for thousands of victims at a time. Emails on this scale have previously been limited to very broad phishing campaigns that are far less convincing.

Using these tactics, London Blue has been able to set its sights on hundreds of thousands of targets around the world. During the course of our investigation, Agari identified a list of more than 50,000 corporate financial officials that was generated during a five-month period in early 2018. The list was largely made up of CFOs, but included a mix of executive assistants and other financial leaders as well.

The companies involved spanned small businesses to huge multinationals, including dozens of executives at the world’s top banks. Most targets were located in the United States, but the lists also included companies in 82 different countries, with leading targets including Spain, the United Kingdom, Finland, the Netherlands and Mexico.

How can companies defend against organised fraudsters?

London Blue presents a major threat to businesses because of its focus on using highly effective BEC emails. Our previous research (opens in new tab) indicates that BEC emails produce an average of 3.97 victims per 100 initial responses. With average payment requests coming in at around $35,000, this makes them an extremely effective moneymaking tool – particularly when combined with the scale and organisation displayed by London Blue.

One of the reasons BEC emails are so effective is that they do not contain malware or any other keywords that would cause them to be flagged by the traditional email security systems used by most organisations. This means there is a relatively high chance of the email reaching its intended target, and stopping the fraud is then down to the individual victim’s perception and caution, as well as the strength of the company’s financial processes. Spotting a fraud is no easy task, as well-crafted fakes can look identical to the real thing. BEC campaigns also use the authority of senior figures like the CEO to pressure their target into complying, often concocting a scenario that requires the payment to be made urgently and circumvent the normal processes. 

The highly organised and targeted nature of these attacks means that organisations cannot continue to rely on traditional email security measures and employee vigilance. The increasing volume of BEC attacks means that even well-trained workers are likely to be deceived eventually. Organisations need to have measures in place to spot the subtle signs of an imposter such as mismatched sender IDs and other signs of spoofing.

Despite its impressive scale and organisation, London Blue is just one example of increasingly organised gangs in Nigeria and around the world. For those companies that fail to keep pace with the fast-developing fraudsters, it’s only a matter of time before they join the growing list of victims.

Crane Hassold, Senior Director of Threat Research, Agari (opens in new tab)
Image Credit: Gustavo Frazao / Shutterstock

Crane Hassold is Senior Director of Threat Research at Agari and heads up the Agari Cyber Intelligence Division (ACID), a position which he took on at the end of 2018.