Chief financial officers at some of the world’s biggest banks and mortgage companies are in the crosshairs of a hacker group that compiled a list of 35,000 CFOs that they can target with requests to transfer money.
The Financial Times, citing cyber threat detection company Agari, reported that the group, which goes by the name London Blue, is focusing on the business email compromise (BEC) scam. Agari found the list, which has 50,000 targets. Apart from the 35,000 CFOs, the list included people largely working in accounting departments at banks and mortgage firms around the world. The Financial Times noted that in July the FBI warned that hackers were targeting CFOs and getting them to transfer money to unknown accounts. According to the report, Agari turned over the evidence to law enforcement agencies in both the U.S. and the U.K. The report noted that if members of the hacking group are living in the U.K. or the U.S., it will be easier to prosecute them than if they were living in other locations.
“It is pure social engineering,” Crane Hassold, senior director of threat research at Agari, told the Financial Times. He said he has seen evidence that the hackers have been successful in some instances, with a so-called money mule able to convince a bank’s loss-prevention unit that a transaction for more than $20,000 was legitimate. Hassold said the attack requires playing with people’s minds rather than cutting-edge technology. “The reason it is on the rise is because it has been proven to work,” he said.
The cybersecurity firm said it first discovered the group when the group tried to trick the company’s CFO with a spoofed email that pretended to be from the CEO. Agari engaged with the hacker group to find out more information about which bank account they were using. Agari told the FT that London Blue is based in Nigeria and has 17 potential collaborators residing in Western Europe and the U.S. The hackers are using contact lists acquired from two data brokers, noted the Financial Times. More than half of the targets were in the U.S., with the other CFOs and accounting workers located in the U.K., Spain, Finland, the Netherlands, and Mexico.
“London Blue’s effectiveness depends on working with commercial data brokers to assemble lists of target victims around the world. Doing so gives it the attack volume of a mass spam campaign, but with the target-specific customisation of spear-phishing attacks,” the researchers said in a report.