Business Email Compromise Gang Targeted 50,000 Company Executives

A Nigerian gang with members based in the U.K. is perpetrating a business email compromise operation aimed squarely at executives at companies with locations worldwide.

The gang has compiled a target list of 50,000 email addresses belonging to company executives, the majority of them chief financial officers.

Researchers from email security firm Agari investigated the group, which they’ve dubbed London Blue, after the gang unsuccessfully targeted Agari’s own CFO, Raymond Lim, back in August. The attackers sent an email impersonating Agari’s CEO, Ravi Khatod, and asked Lim to process a money transfer.

The email was flagged and sent to the research team, which continued communicating with the attackers to discover their processes and mule accounts.

“Based on our research, while the primary members of this group likely originated in Nigeria, at least two of them have extended the group’s base operations into Western Europe—specifically into the United Kingdom, hence the first part of the group’s name,” the Agari researchers said in a report. “In addition to these two primary threat actors located in the U.K., we have identified 17 other potential collaborators located in the United States and Western Europe who are primarily involved in moving stolen funds.”

The group is not new to the scam business. Agari managed to trace back its activities as far back as 2011, when it was heavily involved in Craiglist scams. In 2015 the gang transitioned to credential phishing then in 2016 switched to business email compromise (BEC).

BEC is a type of scam that involves sending spear-phishing emails from spoofed or hacked email addresses with the goal of tricking company employees, usually staff from the accounting department, to transfer money into attackers’ accounts. The emails impersonate a high-level executive from the same company, typically the CEO, making the request for a payment or existing business partners sending in bills.

The FBI’s Internet Complaint Center estimated that BEC is one of the most effective type of email scams with around four victims for every 100 responses. These attacks have caused loses of more than $12 billion.

“Conventional spear-phishing requires time-consuming research to gather the info needed for the attack to be successful—identifying individuals with access to move funds, learning how to contact them, and learning their organizational hierarchies,” the Agari researchers said. “However, commercial lead-generation services have allowed London Blue to short-cut gathering the necessary data for thousands of target victims at a time.”

The researchers came across a file belonging to the group that contained 50,000 email addresses. The list was compiled earlier this year and likely served as a targeting repository.

Seventy percent of the addresses on the list belonged to CFOs, 12 percent to finance directors or managers, 9 percent to controllers, 6 percent to employees with accounting roles and two percent to staff with executive assistant titles. Over half of the individuals on the target list worked for U.S.-based companies, but the entire list contained email addresses of company officials from 86 countries working in a broad range of sectors.

The London Blue group itself is organized similarly to a business with different departments that handle different parts of the operation including “lead” generation, the sending of emails, communicating with victims, recruiting money mules and setting up the infrastructure for receiving, moving and collecting funds.

Critical Kubernetes Vulnerability Threatens Cloud Infrastructure

A critical vulnerability was fixed Monday in Kubernetes, the most popular container orchestration platform used in cloud environments. The privilege escalation issue could allow attackers to take control of compute nodes and steal secrets or inject malicious code into services running inside containers.

“With a specially crafted request, users that are allowed to establish a connection through the Kubernetes API server to a backend server can then send arbitrary requests over the same connection directly to that backend, authenticated with the Kubernetes API server’s TLS credentials used to establish the backend connection,” the Kubernetes developers said in a security advisory.

Users are advised to upgrade to Kubernetes 1.10.11, 1.11.5, 1.12.3 or 1.13.0-rc.1 as soon as possible. Possible mitigations include not using aggregated API servers and removing the pod exec/attach/portforward permissions from users who should not have full access to the kubelet API.

The risk of attacks is high because in default configurations both authenticated and unauthenticated Kubernetes users can make API calls that exploit this issue. Also, exploitation of the vulnerability is not easy to detect because the rogue requests are indistinguishable from authorized requests in logs.

Featured eBook
The State of Open Source Vulnerability Management

The State of Open Source Vulnerability Management

The rise in open source usage has led to a dramatic rise in open source vulnerabilities, bringing to the fore interesting developments in open source security. The report drills down into the deeper layers of the open source phenomena and provides the latest insights on how organizations are handling vulnerabilities and what the future holds. 4 Key ... Read More
WhiteSource

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42

lucian-constantin has 283 posts and counting.See all posts by lucian-constantin