London Blue Scammers Extend Activities in Asia

The threat actors known as London Blue, known for business email compromise, are now returning with an email domain spoofing tactic, aiming at targets in Asia. Their activity was spotted recently and shows that their work has evolved into a new form, with an updated database improving their ability to find targets.

London Blue has been around as a threat ever since its first appearance in 2011. Researchers discovered the group's actions by spotting the campaign in January.

London Blue now uses legitimate commercial sales tools, moving away from its previous tactics in a new direction that gives it access to new targets. The scale of the group's target list shows that these attacks are a threat to businesses worldwide.

Who are the people behind London Blue?

London Blue has been linked to Nigerian citizens with possible collaborators around the world, specifically in the United Kingdom and the United States. Tracking the group's actions since 2011, researchers found that it evolved its tactics rapidly, moving on from Craigslist scams to phishing and structuring its criminal operations in ways closer to corporate culture. London Blue expanded its operations into Western Europe and the United Kingdom, where at least two London Blue members are suspected to operate. A further 17 collaborators were identified in Western Europe and the US, mostly involved in moving the stolen money.

The group also appears to possess a database of targets with contact information for more than 50 thousand financial executives, collected during the first part of 2018. The damage caused by the scams is allegedly estimated at around hundreds of thousands of dollars.

London Blue’s new and improved tactics

London Blue is using new tactics and techniques, starting with the emails it sends to victims. During August 2018, London Blue used a ruse that claimed a payment was due to a vendor, with a wire transfer to be processed as soon as possible. It seems the group has now switched to a theme closer to mergers and acquisitions.

Once the generic initial email gets a response, London Blue attackers state that an international vendor has accepted an offer for acquisition. They also claim that due to the terms of agreement, a 30% cut from the purchase price needs to be paid via wire transfer to a bank in Mexico. Naturally, until the alleged acquisition is announced to the general public, details about it shouldn't be shared.

The group has been using free and temporary email accounts to send its emails. In 2019 researchers discovered that the group began to spoof the email of a targeted company's CEO to add a more authentic spin to its attacks.

What are the targets of London Blue?

Since the end of 2018, London Blue has amassed a new database of targets that amounts to nearly 8500 executives from nearly 7800 companies worldwide. Similar to the attacks in 2018, many of those targets are located within the United States.

During February 2019, London Blue collected information and launched campaigns against targets in Singapore and Hong Kong, with more targeted employees in Malaysia to follow during March 2019.
