Lookers, one of Britain’s biggest car dealerships, recently dismissed its CEO and COO, while blaming the Brexit uncertainty for its second profit warning in less than four months.[1]  The company’s shares plunged by a quarter as it predicted profit would fall by more than two-thirds this year.  This prompted the closure of 15 branch dealerships.  The C-Suite removals are partially blamed on political and economic uncertainty for falling sales in the three months to the end of September 2019.  Like-for-like sales[2] of new cars to retail customers dropped 11.5 percent and group like-for-like new car sales fell 3.2 percent.

Back in July 2019, Lookers blamed falling sales entirely on Brexit.  Sales of new cars have indeed been hit by consumer wariness over Brexit and the UK economy while demand for used vehicles has suffered from doubts about the future value of diesel cars.   Lookers said its new car sales were even lower than the full market, where sales fell 0.6 percent.  Lookers’ sales of used cars increased but margins across the group were narrowed.

Lookers reports annual underlying pre-tax profits to fall to about £20m from £67m a year earlier.  The new guidance for this year’s profit is about half the £38m analysts were expecting before the warning.  The company’s shares fell 25 percent to 37.4 percent after the recent financial announcement.  It was Lookers lowest since early 2009 when the UK was in the depths of recession.  The departures of the CEO and COO left the chairman running the company.  The CFO left last July, which means Lookers entire executive management team has been lost. 

Lookers will close 15 branches, which should improve its financial performance and the company said it would try to merge some branches with nearby stores, yet did not comment on probable job reductions.  Lookers is also under a UK Financial Conduct Authority investigation of its sales processes.  During company downturns, such as with Lookers, signals a vulnerability that attracts hackers.  This can happen to any automobile dealership who face its country’s political and economic situation.

Proprietary Collection and Analysis

Red Sky Alliance conduced a RedXray search and found the below data and analysis.  RedXray is cyber threat notification service that simplifies cybersecurity monitoring for organizations and supply chains.  This document summarizes threats reported by Red Sky Alliance’s RedXray for Lookers Automotive Group over the past three years.  In this timeframe, data from multiple collection indices was observed.

Raw data is also available in companion .CSV files.


RedXray “hits” are derived from primary sourced intelligence collections and take inputs from customer infrastructure, such as domains and IPs.  The following is an example of the RedXray dashboard displaying threats for domains, networks and companies associated with Lookers Automotive Group.


RedXray focuses on four general categories: Malware Infections, Data breaches, Malicious emails, and Phishing.  The following are examples for Lookers Automotive Group with context and general mitigations.


Data breaches & leakage

This includes any sensitive data that has been compromised whether as a result of malware infection or a 3rd party database breach.  Breach data can come from a number of other sources on the deep and dark webs.  The following are examples of breach data captured for Lookers Automotive:

What does this mean?

Depending on the nature of the leaked database, exposed information may vary from just email addresses, to username and password combinations and other personally identifiable information (PII).   RedXray contains the raw breach data so you can easily view what type of data has been exposed.  If the breach data contains passwords, then Red Sky Alliance recommends enforcing a password reset and investigating whether there has been unauthorized access of the account. In this case, passwords are included in the breach data but redacted above for privacy.


Malware infections

RedXray can identify possible malware installation using either our botnet tracker collection, sinkhole_traffic collection, or keylogger collection.  In many cases, it can also identify the malware protocol resulting in high confidence hits.  The following shows a keylogged login portal in which a Lookers Automotive associated email address logged into in May of 2015.

What does this mean?

If your IP address or domain is found in botnet tracker, it means that it was seen in a communication with a malicious endpoint.  This does not automatically indicate a malware infection as there are a number of reasons why two IP addresses might communicate.  For keylogger related activity, the traffic may be the result of a captured weblog or clipboard data captured by a keylogger. In this case, it appears Lookers Automotive is being impersonated in the address of a web portal login page designed to record the keystrokes of its visitors. All traffic should first be inspected before escalating to incident responders. Red Sky Alliance can help with support.

Malicious Emails

It is good to be aware of malicious email campaigns targeting your organization because it serves as an early warning. If your domain or IP address shows up in this collection, then it was observed in the header of an email that has been identified as malicious (1 or more AntiVirus detection). The following are examples of Lookers Automotive associated email accounts being directly targeted by emails with malicious attachments.

3713249653?profile=RESIZE_710xWhat does this mean?

It should be noted that some AV vendors classify emails as malicious when they are benign.  All malicious emails hits only indicate targeting, not malware infections or data-loss. The above image shows Lookers Automotive Group email addresses and domains who previously received malicious emails. However, this does not directly indicate that malware infections have taken place, but that multiple Lookers Automotive associated email addresses were targeted and have received emails with malicious attachments.


Pastebin is a site used by bad actors to post data, which may be sensitive, for others to view it freely. Oftentimes the hacking group Anonymous will use Pastebin to list targets for the group’s members to attack. The following are examples of Pastebin hits in which Lookers Automotive email users were mentioned.

What does this mean?

A Pastebin hit simply means your information was observed in a paste on pastebin.com. There are numerous reasons information would be contained in a paste – some malicious and some benign. Each Pastebin hit must be individually analyzed to determine context.


Phishing attacks are responsible for a large amount of compromised credentials.  Our Threat-Recon collection aggregates phishing data and we allow searching of keywords in this data set in order to identify both targeted phishing attacks and spoofed URLs.  RedXray does not show phishing hits for Lookers Automotive Group at this time.


What does this mean?

If you receive a phishing hit (ThreatRecon) in RedXray then the first step is to first identify if the phishing campaign is targeting an organizational account or targeting the organizations customers.  Red Sky Alliance can assist in providing context to these hits.


Red Sky Alliance strongly recommends ongoing monitoring from both internal and external perspectives.  Internal monitoring is common practice.  However, external threats are often overlooked and can represent an early warning of impending attacks. Red Sky Alliance can provide both internal monitoring in tandem with RedXray notifications on external threats to include, botnet activity, public data breaches, phishing, fraud, and general targeting.

Red Sky Alliance is located in New Boston, NH USA.  We are a Cyber Threat Analysis and Intelligence Service organization.  For questions, comments or assistance, please contact the lab directly at  (888)-(RED)-(XRAY) or (888)-733-9729, or email feedback@wapacklabs.com   

Website: https://www.wapacklabs.com/
LinkedIn: https://www.linkedin.com/company/wapacklabs/
Twitter: https://twitter.com/wapacklabs?lang=en

[1] https://www.theguardian.com/business/2019/nov/01/bosses-leave-car-dealer-lookers-as-brexit-blamed-for-profit-warning

[2] Like-for-like sales is an adjusted growth metric that only includes revenues generated from organically comparable stores or products with similar characteristics and historical sales periods of operation.

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!

Join Red Sky Alliance