Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/10/2019
10:45 AM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

'Lone Wolf' Scammer Built a Multifaceted BEC Cybercrime Operation

A one-man 419 scam evolved into a lucrative social-engineering syndicate over the past decade that conducts a combination of business email compromise, romance, and financial fraud.

This wasn't the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. As with the first incident in August 2018, three months later Agari's software tool flagged a suspicious email meant for its CFO, Raymond Lim, that posed as a supplier requesting a wire transfer for an invoice payment.

Agari researchers played along with the scammers as they had done in the August incident, impersonating the CFO's administrative assistant and stringing them along for about a month, gathering intel on the people and operation behind the November emails. The researchers were able to identify the BEC attackers as a Nigeria-based cybercrime gang they nicknamed Scattered Canary, a group of some 35 individuals they believe may be a subgroup of an even larger criminal organization.

They discovered that this group wasn't just sending BEC emails to make money. Scattered Canary also conducts romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, and tax schemes, among other online cons.

"What we recognized when we looked at this group ... was that BEC is just one type of attack these guys use at any given time. There can be dozens of [different] scams they can be doing [simultaneously]," says Crane Hassold, senior director of threat research at Agari.

The researchers kept in touch with Scattered Canary for a couple more months and were able to obtain from them eight mule accounts, which they then passed on to law enforcement as well as to financial organizations to help shut down the money-laundering.

Agari traced back the group's founding, which began in 2008 when a lone individual, who they dubbed "Alpha," ran rudimentary but lucrative Craigslist scams that duped victims into wiring him money or mailing him cashier's checks for items sold on the forum. Alpha then expanded into romance scams and brought on a fellow fraudster ("Beta"). The pair laundered their pilfered funds via money mules and then ultimately set their sights on bigger targets, mainly businesses and government agencies via BEC scams, the centerpiece of the group's operation today. In the past two years, the group doubled in size as it harvested new mule accounts and expanded into other crimes, such as tax return fraud.

Scattered Canary's scams are rooted in pure social engineering: no malware required.

"We've not seen Scattered Canary using malware," says Ronnie Tokazowski, senior threat researcher at Agari. "They are using compromised RDP [remote desktop protocol] credentials and compromised websites to host phishing kits," but they don't have a full-blown hacking infrastructure per se, he explains. Scattered Canary mostly employs specific scam scripts and templates they copy and paste in emails they send to their targeted victims.

BEC and email compromise scams have been on the rise worldwide: The FBI Internet Crime Complaint Center last year received more than 20,000 reports from victims who lost more than $1.2 billion to these scams. Interestingly, in the US, half of BEC victims actually recovered 99% of their money, according to Verizon's "Data Breach Investigations Report." Barely 10% of them didn't recover any of their money in the scams. But it only takes a few successful hits to be lucrative. As Verizon points out in its report, even if just 1% of 1,000 BEC attacks are successful, the BEC scammer can still net thousands of dollars.

London Blue Calling
Prior to the November incident, Agari researchers turned the tables on a BEC scam on Aug. 7, 2018, when their email security platform caught a BEC email sent to CFO Lim that posed as Agari CEO Ravi Kahtod. The team was able to extract enough information from their email interactions with the attackers to pinpoint the physical location of two of the main operators of the gang, who live and work in London. 

London Blue at the time had 20 to 25 individuals, including 17 money mules spread around the US and Western Europe.

But Scattered Canary is a much larger operation than London Blue, according to Agari. "Scattered Canary is likely an arm of a bigger entity. We are still trying to research that a little more heavily," Hassold notes.

Scattered Canary over time had adjusted and reset its tactics. For example, after years of spoofing a targeted company's domain, the group began employing webmail or other email accounts in the fall of 2016. They also take advantage of how Google doesn't spot periods in email addresses — [email protected] and [email protected], for example, are seen by Gmail as the same address, according to Agari's report. "This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website," the company states in its recently published report on Scattered Canary.

A recent Cisco Systems report found that two-thirds of BEC scams employ free webmail and 28% use registered domains. 

Meanwhile, starting in July 2018, Scattered Canary shifted from wire transfers to gift cards as a way to cash out its stolen funds. They duped business victims with emails purportedly from the CEO asking them to purchase Amazon and Apple iTunes gift cards. "Like other scammers involved in gift card BEC scams, Scattered Canary laundered the gift cards they received from victims through a peer-to-peer online cryptocurrency exchange called Paxful," Agari wrote in its report on the gang. Scattered Canary was able to get 132 gift cards from victims valued at two bitcoin apiece on Paxful, or some $12,000 to $14,000.

The BEC gang halted the gift card cashout approach in November 2018 when the price of bitcoin dropped.

BEC ROI
Hassold says it's possible well-established cybercrime organizations in Eastern Europe and Russia could pivot to BEC scams as well. Given their size and resources, those gangs could perform even more convincing attacks.

"The ROI for BEC is significantly higher than any of the other more technical cyberattacks. I think that's going to be the next step. We'll see other groups move into this space," Hassold says, which will mean more professional and difficult-to-spot BEC emails.

Cybercriminals already have been moving away from pricey zero-day attacks to lower-tech, cheaper weapons, such as malware-laden file attachments. "They're going back to basics. I don't need to develop an 0-day if I can put a macro in a Word file and a victim will click on it," Agari's Tokazowski notes. Hassold recommends that organizations include social engineering in their cyberthreat training and conversation in order to defend against BEC and other email-borne scams targeting businesses today.

"These nontechnical type attacks are now the predominant mode of cyberattacks today," he says. "This is the type of attack employees will see, so they should include them in education and awareness training."

Related Content

 

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Introducing 'Secure Access Service Edge'
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  7/3/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-5604
PUBLISHED: 2020-07-09
Android App 'Mercari' (Japan version) prior to version 3.52.0 allows arbitrary method execution of a Java object by a remoto attacker via a Man-In-The-Middle attack by using Java Reflection API of JavaScript code on WebView.
CVE-2020-5974
PUBLISHED: 2020-07-08
NVIDIA JetPack SDK, version 4.2 and 4.3, contains a vulnerability in its installation scripts in which permissions are incorrectly set on certain directories, which can lead to escalation of privileges.
CVE-2020-15072
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An error-based SQL Injection vulnerability exists via the Import Administrators section.
CVE-2020-15073
PUBLISHED: 2020-07-08
An issue was discovered in phpList through 3.5.4. An XSS vulnerability occurs within the Import Administrators section via upload of an edited text document. This also affects the Subscriber Lists section.
CVE-2020-2034
PUBLISHED: 2020-07-08
An OS Command Injection vulnerability in the PAN-OS GlobalProtect portal allows an unauthenticated network based attacker to execute arbitrary OS commands with root privileges. An attacker requires some knowledge of the firewall to exploit this issue. This issue can not be exploited if GlobalProtect...