A group of hackers based in Nigeria is trying to trick thousands of top executives across the globe into sending them company funds.
The ambitious scheme that mainly targets chief financial officers via email is described in a new report by cybersecurity firm Agari, which investigated the group after coming under attack itself.
“Targets included companies in a very broad range of sectors, from small businesses to the largest multinational corporations,” the report warns. More than half of them are in the United States.
The attackers are carrying out an increasingly common scam known as “business email compromise,” in which they pose as a company insider, such as the CEO, and request a money transfer to an outside account.
The FBI estimates that businesses around the world lost more than $12 billion through this kind of email scam between October 2013 and May 2018.
Agari said that the Nigerian group, which it calls “London Blue,” has developed a highly sophisticated operation to dupe money out of finance executives.
“London Blue operates like a modern corporation,” the report says. The group has people working on business intelligence, sales, email marketing, financial operations and human resources, according to Agari.
It carries out attacks in multiple languages and has at least 17 collaborators in the United States, United Kingdom and other Western European countries who are mainly involved in moving stolen money, Agari added.
50,000 finance execs on the target list
The email security firm said that during its investigation, it got hold of a list of the group’s potential targets this year that contained more than 50,000 finance executives, of whom 71% were CFOs.
Agari declined to reveal how it secured the data, other than saying it had actively engaged with the scammers. It said it had shared the info with US and UK law enforcement.
“Several of the world’s biggest banks each had dozens of executives listed,” it said. “The group also singled out mortgage companies for special attention, which would enable scams that steal real estate purchases or lease payments.”
As well as the United States, companies in more than 80 other countries were on the list, including Spain, the United Kingdom, Finland, the Netherlands and Mexico.
Agari said it became aware of London Blue after the group tried to trick the security firm’s own CFO in August. Agari said it “then engaged actively with the attacker, giving us an initial glimpse of the gang that we would widen into a penetrating X-ray.”
London Blue relies on commercial data providers, most recently one based in San Francisco, to build up its list of targets and gather information about them, according to the report. That includes executives’ names, company titles, work email addresses and personal email addresses.
The list on which Agari’s CFO appeared, which contained more than 300 potential targets, was obtained by London Blue from a commercial data provider in November 2017.
The list also contained information about “CFO victims at one of the world’s top private universities, a major enterprise data storage company, a famed guitar maker, casinos and hotels, a retirement home, and small and medium-sized businesses of all types,” the report says.
Agari estimated that the scam has caused damage worth hundreds of thousands of dollars.