Phishing is nothing new, and efforts to train employees on how to detect and thwart phishing attacks should always be an essential component of any security awareness training program. But what happens when phishing attacks specifically target chief financial officers (CFOs)?
Researchers have discovered increasing evidence of a threat group named London Blue, a U.K.-based collective that focuses on CFOs at mortgage companies, accounting firms and some of the world’s largest banks. According to a report passed on to authorities by Agari, London Blue has collected email addresses for more than 50,000 senior-level targets in the U.S. and other countries, of which 71 percent hold a CFO title. The Agari report noted that London Blue operators have been utilizing email display name deception to trick senior employees into making fraudulent payments to the threat group’s accounts.
The ABCs of BEC
This type of attack, classified as business email compromise (BEC), builds on the typical phishing attack by taking the social engineering aspect to the next level — and sometimes includes elaborate hacking into email servers and the takeover of executive email accounts. But perhaps the most concerning feature of London Blue is that it is an organized cybercrime gang (OCCG) and, as such, works as efficiently as any modern corporation, with specific departments for lead generation, financial operations and human resources.
Crane Hassold, Agari’s senior director of threat research, explained that the report came about when London Blue targeted the company’s CFO for a potential BEC attack.
“Once that came in we started doing a little more digging, and there was a lot of active engagement with the scammers to understand more about them,” he said. It took Agari about four months of engagement after first observing the threat group to release the report.
BEC is a hot topic because it has been relatively successful. What’s really interesting to Hassold and his team is that the attack doesn’t require any technical means to get a result.
“When we think of cyberattacks, we think of things like malware-based attacks where there’s something technical that happened, but in this case, it’s pure social engineering,” said Hassold. Given his background with the Federal Bureau of Investigation (FBI)’s Behavioral Analysis Unit, Hassold is keenly aware that social engineering is the conduit to many cyberattacks.
“A lot of work has to go into them in order to make them successful, but the reasons we’re seeing these being used more commonly is that they’re relatively easy to do with no technical knowledge needed to send one of these things out,” he said. Even if these attacks have a success rate of less than 1 percent, Hassold noted, threat actors can still net tens of thousands of dollars a month.
The Simple, Yet Successful Tactics of London Blue
On a positive note, despite being so organized, groups like London Blue are still using old-school tactics such as the “Nigerian prince” scam, in which poor grammar and spelling are prominent. Red flags should be easy to spot. Yet, somehow, these scams still work on a very limited scale.
“They’re still around because they are successful enough,” said Hassold. “Even though most people would look at one of those things and ask ‘how could anyone actually fall for this?’, there’s always going to be a tiny population of people that will fall for it. They prey on central components of the human brain, like trust, fear and anxiety.” Those components are usually on overdrive when an employee gets an email he or she believes is coming from a CEO or CFO.
Not only have London Blue’s tactics remained the same over the last few years, but its BEC attack isn’t all that complicated. According to Agari’s report, the threat group uses a throwaway email address and changes the display name to match the CEO or CFO of a company. Attackers then send an email to the target financial executive — from their collection of email addresses — asking them to initiate a money transfer for some made-up reason. If London Blue gets a response from the victim, it replies with one or two bank accounts that they control for the money transfer.
Go Back to Security Basics
There’s no reason to believe that the rise in senior-level phishing attacks is going to stop anytime soon. So what are the best tactics to prevent this type of attack?
The easiest solution, of course, is to avoid clicking on links or attachments that appear suspicious. Even if an email seems to be legitimately coming from someone you know, it’s best to think twice before clicking or replying.
“We’ve been accustomed to just simply reacting or responding to emails,” said Hassold. “That’s how we do business, but I think part of what we need to do is take a second to stop and think about what we’re looking at before we take any action.”
Like anything related to security, doing your due diligence is a must, even for day-to-day emailing. While security awareness training for the C-suite is never a bad idea, in the case of a BEC attack, it may not be immediately helpful. Because these attacks have such a low overall success rate, you’d need a perfect 0 percent click rate in security awareness simulations to completely prevent them. Additionally, in Hassold’s experience, CEOs and CFOs are generally less receptive to security awareness training.
“They are extremely busy doing a lot of other different types of activities, so sitting down and having them learn about what the threats are to the business is difficult,” he explained.
CSOs and CISOs: Brush Up on Your Marketing Skills
Instead of awareness training, your chief security officer (CSO) or chief information security officer (CISO)’s time may be better spent making sure other executives understand cyber risks in a way that resonates with them — for example, by showing financial executives real-world incidents that have cost companies millions of dollars. No executive wants his or her company to be the next Maersk; the container shipping conglomerate lost up to $300 million and had to reinstall 45,000 PCs and 4,000 servers after being hit by NotPetya ransomware in 2017, according to ZDNet.
I recall having a long conversation about security awareness with the CSO of a large beverage company, who told me that when it comes to convincing other executives of the importance of security, you need to act like the marketing department and sell them on the concept. This CSO often has her team create pitch decks full of real-world examples to underscore the importance of proper security hygiene. This tactic can work wonders when executed effectively.
Don’t Underestimate the Threat of Business Email Compromise
For Hassold, the biggest takeaway from Agari’s report is how groups like London Blue acquire their information.
“These groups are using legitimate services used by sales teams all over the world to curate their targets,” he said.
Using popular sales prospecting tools, threat groups can narrow targets by granular demographics and export them into a nice CSV file. The report concluded that “the pure scale of the group’s target repository is evidence that BEC attacks are a threat to all businesses, regardless of size or location.” Agari also predicted that the use of legitimate services for malicious means will increase in the future.
Business email compromise attacks are clearly a major threat for IT and security leaders to keep an eye on as attackers continue upping their game and making their emails look more legitimate. A strong security culture, combined with a back-to-the-basics approach to security training, can help enterprises avoid being on the receiving end of a successful attack.
For more tips for on how to reduce the risk of a successful BEC attack, listen to the SecurityIntelligence podcast epsiode, “Gain an Edge Over BEC and Account Compromise With Intelligent Incident Response.”