More data joy: Email scammers are buying marks' info from legit biz intelligence firms

London Blue gang probably has your firm's org chart


Black Hat A Nigerian email scammer gang has evolved to the point where it has corporate-style specialist departments and uses commercial business intelligence data brokers to help plan its attacks.

According to infosec research biz Agari, a group of business email compromise (BEC) scammers it nicknamed "London Blue" has become so well organised that it has an entire division devoted to merging illicitly acquired information with data bought from legitimate business intelligence companies.

Agari's senior director of threat research, Crane Hassold, told a session at today's Black Hat conference in London: "There's a group of individuals whose job is to organise leads. There's a group of individuals whose job it is to send out the BEC campaigns. And there's a group whose job it is to receive the money, the malicious transactions, and pass this back up to the primary actors."

The gang – so nicknamed because one of its principals was said to live in London, having given his identity away by tagging himself at various locations on Instagram – makes active use of "actual business intelligence", according to Hassold.

"What we're able to find is that this group is using legitimate sales leads services to identify potential targets in their campaigns. They're using services that businesses all round the world use from a legit sales perspective to ID companies they might wanna offer their services to," said Hassold.

The infosec bods identified five distinct departments in the gang's structure: lead generation; open source recon; testing (whether their phishing emails would get through or not); BEC attack; and mule bank accounts.

"One of the things that they use ... [is] a master database of nearly 50,000 targets that they’ve collected," he continued. "It consists of financial executives and the like as a way to identify potential targets down the line."

Many of those potential marks, he said, were people such as CFOs, financial controllers, directors, senior managers and company accountants from businesses spanning the US, the UK, Spain and more.

Once London Blue's business intelligence wing has secured enough data, the active end of the gang starts sending carefully targeted phishing emails appearing to come from their marks' superiors; perhaps the "CEO" sends an email to a financial controller with instructions to transfer money to a particular account and mark the transfer as coming from the expenses budget.
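The "CEO asks the controller to move money" pattern described above leaves a handful of header and body tells that a mail gateway or SOC triage script can check before the message reaches a finance inbox. The following is an added illustration written for this page, not code from Agari, The Register or the London Blue research; the corporate domain, the executive list, the pressure phrases and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and the executives
# most likely to be impersonated in CEO-fraud style BEC (hypothetical values).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Phrases that commonly appear in payment-diversion requests (constructed list).
PRESSURE_PHRASES = ("wire transfer", "urgent", "expenses budget", "confidential", "new account")


def score_message(raw: bytes) -> dict:
    """Return BEC indicators for an RFC 5322 message plus a summed score."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    name_key = from_name.strip().lower()

    indicators = {
        # A known executive's display name paired with an address outside the corporate domain.
        "exec_name_external_domain": name_key in EXECUTIVES and from_domain != CORPORATE_DOMAIN,
        # Display name matches an executive but the address is not that executive's real mailbox.
        "exec_name_wrong_mailbox": name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key],
        # A Reply-To on a different domain silently diverts the conversation to the scammer.
        "reply_to_mismatch": bool(reply_addr) and reply_domain != from_domain,
        # Payment-pressure language in the body.
        "payment_pressure": any(p in text for p in PRESSURE_PHRASES),
    }
    indicators["score"] = sum(1 for v in indicators.values() if v)
    return indicators


def triage(raw: bytes, threshold: int = 2) -> str:
    """Hold a message for human review once it trips `threshold` indicators."""
    return "hold" if score_message(raw)["score"] >= threshold else "deliver"


# Constructed sample: a CEO-fraud message of the kind the article describes.
SUSPICIOUS = b"""From: Jane Doe <jane.doe@example-mail.net>
Reply-To: ceo.office@another-webmail.org
To: controller@example.com
Subject: Quick favour
Content-Type: text/plain; charset="utf-8"

Please make an urgent wire transfer of 48,200 to the account below today and
book it against the expenses budget. I'm in meetings, so reply here only.
"""

# Constructed sample: an ordinary internal message from the real mailbox.
LEGITIMATE = b"""From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q3 numbers
Content-Type: text/plain; charset="utf-8"

Can you send me the Q3 summary when you get a chance?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, triage(raw), score_message(raw))
```

The display-name check is deliberately keyed on the human-readable name rather than the address, because that is the field a busy controller actually reads; the Reply-To check catches the variant where the From header is spoofed to the real domain but replies are routed elsewhere.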

Even the people receiving the money are part of their own distinct division, said Hassold, who told the audience that "some could be unwitting" players in the gang's scheme, their bank account credentials having been bought or rented from other criminals. However, Agari identified at least three with "historical criminal records", raising the possibility that these ex-cons had turned back to a life of crime after failing to go straight.

Hassold said the researchers had also "identified emails being sent to potential mules", which were worded to "make it seem like something legitimate is going on" and offering them inducements ("$500 to $1,000 a month, which for some people is a great sum of money") to allow their bank accounts to be used by the gang. ®
