Threat Intelligence Report: London Blue

Dated: 23rd April 2019


A highly organized and successful scam group is targeting companies around the world with a renewed campaign. The group which has been named ‘London Blue’ has grown from targeting individuals on websites like eBay and craigslist, to the more profitable business of Business Email Compromise (BEC) and Spear Phishing.

Business Email Compromise is a type of attack where the attacker spoofs the email addresses of executive employees with the intention of requesting money or favours in order to establish contact with the victim. Spear Phishing enables the attackers to create targeted emails which will pass as legitimate for the untrained eye.

By looking for people with the positions of CFO, CEO, Executive Assistant of CFO and other financial related positions in websites like LinkedIn, the group has been able to create a database with more than 50,000 executives, which they then impersonate in emails to the finance department of the company to perform a wire transfer as soon as possible.

The key to this group success was the organization and level of details and customization taken to phish its victims, which would bypass most email security protections and pose as a legitimate email in the victim’s inbox. The emails are well considered and often customized according to the victim and the business, including email signatures and writing style.

Once money is sent, it is routed through different accounts and jurisdictions, making it difficult to trace or recover.

This group is extremely proficient and well organised, acting like a business with departments in charge of finding potential victims, phishing email developers and testers, people in charge of recruiting mules for money laundering and the actual performers of the attack. This group operates from Nigeria, but sources were able to track members living in the United States, the United Kingdom and other Western European countries.


Financial scams targeting business in this way are not new, indeed 2018 saw UK businesses targeted frequently with invoice fraud in particular and the emergence of Business email compromise as a tactic. However, owing to the success of these campaigns, high sophisticated and organised criminal enterprises are raising the risk to businesses further through increasingly targeted attacks designed to convince even security aware financial controllers.

What allowed this and other groups to steal £9billion globally to date, according to an FBI investigation, was the meticulous investigation the group conducts to identify its victims in conjunction with impressive social engineering skills. Neither of these components use sophisticated technology, and neither are easily mitigated with technical security solutions.


  1. Implement a strong process for transferring funds incorporating: a. separation of duties so that a single employee cannot transfer large sums of money alone. Having a second approver makes it much more likely that an erroneous transfer request will be spotted before being executed b. Strict methods for requesting transfers, establishing whether an email from C-level executives is an approved request mechanism
  2. Implement a security awareness programme incorporating: a. Making staff, particularly with financial responsibility, aware of scams such as this to raise awareness b. Helping your staff to understand the potential impact of over sharing information regarding their position and their role in the company c. Having a simple mechanism to report suspicious emails to IT/IT Security d. Consider teaching more technical techniques such as examining the ‘reply to’ address on emails to high risk users e. Consider a communication from C level executives to finance staff explaining that if they ever receive an email purporting to be from them asking to transfer funds, that they have their full backing to fully verify the request in spite of any urgency stressed in the message, and no staff member will get in trouble for delaying such a request in the interests of security.
  3. Know what information is available on social media and the organization website and consider if any of the information provides attackers with sufficient information to map the organization structure, weighing this up against the benefit of sharing this information to your business

Leave a Reply