An Inside Look at the Evolution of a West African Cybercriminal Startup Turned BEC Enterprise
Following an unsuccessful business email compromise (BEC) attack against a security firm, researchers have used active defense techniques to gain unprecedented insight into a Nigerian scamming group. The initial attack purported to be an email from the firm’s CEO asking the CFO to instigate “a domestic wire transfer to a vendor.”
Over the last few years, BEC has become one of the most profitable of all cybercrimes. The latest report from the FBI’s Internet Crime Complaint Center (IC3) for 2018 states that 20,373 victims lost a total of $1.3 billion to BEC. This was the single largest category of reported internet crime, representing approximately 48% of the total losses of $2.7 billion. However, the remaining $1.4 billion loss clearly demonstrates that BEC is not the only con in town.
The Agari Cyber Intelligence Division (ACID) engaged with the BEC scammer seeking to defraud Agari. What it discovered (PDF) is a criminal organization that started from a single Nigerian criminal entrepreneur (who they call Alpha) in 2008 and developed into a complex organization of at least 35 actors today. ACID calls this group Scattered Canary, and demonstrates that BEC is just one of many types of fraud perpetrated by the gang. BEC does not stand alone from the other online frauds that comprised 52% of IC3’s reported losses in 2018, and may well — as in the case of Scattered Canary — be directed by the same criminal group.
“We were able to map out dozens of relationships,” say the researchers, “an entire infrastructure, thousands of email discussion threads, hundreds of romance and fraud victims, dozens of scam kits, and other evidence that helps connect the dots between a wide universe of threat actors and actions associated with this West African fraud ring.”
Alpha started his criminal career with early Craigslist scams, being mentored by a more senior criminal named as Omega. This is where he learned his basic tradecraft in social engineering. But he always aimed high. During the first 15 months, Alpha delivered more than 100 addresses to Omega, who was responsible for sending the fake checks to victims — typically in the $2,000 to $4,000 range. The desire to maximize profits may lie behind the continuous expansion of Alpha’s organization, and its move towards larger targets and more profitable scams.
Alpha’s first diversification, in 2010, was into romance scams. Romance fraud taken together with confidence fraud was the second most costly fraud noted by IC3, with reported losses of $362.5 million in 2018. There is nothing romantic about romance fraud. The criminals first extract every penny possible from the victim, and then carry on using them by migrating them into mules.
‘Jane’ was such a victim. By 2016, her ‘boyfriend’ had extracted as much money as he could from her, and converted her into a mule. Over 18 months she opened five mule accounts and bought 20 prepaid cards for her boyfriend. An early password for an account was ‘weare4ever’. A late password was ‘iam2wornout’. Jane died in 2017; but even after her death, say the researchers, “Scattered Canary continued to victimize her. In October 2017, a member of the group attempted to take out an auto loan using Jane’s personal information, providing more evidence that these groups are only interested in one thing — money.”
The romance frauds have continued even though Scattered Canary, led by Alpha, started looking at more immediately profitable targets in 2015. This started with credential phishing, largely general in nature and via a Google Docs phishing page. Towards the end of 2015, the attacks began to focus on North America and primarily the U.S. This paused in February 2016.
It restarted in March 2017, but with a new focus. Credential phishing now almost entirely focused on enterprise credentials, using phishing pages mimicking common business applications such as Adobe, DocuSign and OneDrive. Over the next 18 months, say the researchers, “Scattered Canary received more than 3,000 account credentials as a result of their phishing attacks.”
ACID believes that the gang was concentrating on developing its BEC skills during the quiet months between the two credential phishing periods. It was towards the end of that first period, in November 2015, that the gang started dabbling in BEC attacks.
This coincided with the greatest period of expansion for the group. Until now, Alpha had done the greater part of the work himself, with just the help of few tangential associates. In October 2015, Alpha recruited his first new full employee, Beta. Beta’s role, then and now, is to act as the group’s ‘mule herder’, and have primary responsibility for sending out fake checks in mystery shopper scams. Nineteen other individuals joined the gang over the next three years, working on generating mule accounts and taking part in other scams. ACID gives three specific examples: Gamma (joined in January 2017) provides compromised bank account details; Delta (joined in April 2016) provides mule accounts probably established by romance scam victims; and Epsilon (joined in June 2016) provides access to systems that can be accessed by RDP.
The gang started its BEC operation by spoofing target company domains and requesting payment by wire transfer to a fictitious vendor. In September 2016, the method switched to using obscure webmail accounts or email accounts linked to domains registered by themselves. By 2017, the group had its BEC and other scam tools and tactics sufficiently established to define functional roles for its different revenue streams.
An interesting feature of the majority of active engagements undertaken by ACID with Scattered Canary was a request from the gang for proof of completion by the victim. This is probably required by the size of operations that have evolved, with many different individual actors all ultimately working for Alpha. The requirement prevents a go-between skimming profits off the gang by pretending that the scam had failed since a ‘manager’ could check the email account or even contact the mule directly. “Working as an opportunistic criminal, alongside other opportunistic criminals, does not come without its challenges,” comment the researchers.
A continuing theme in the evolution of Scattered Canary is the move toward scams with the highest return over the shortest period. So, just as it had earlier moved from individual to business targets, in 2017 it started targeting government agencies, including IRS, FEMA, Social Security, the Postal Service and many others. BEC in its various forms has, however, remained a primary scam from the group. It has performed both gift card scams and payroll diversions.
The history of the evolution of Scattered Canary is valuable for giving an insight into the motivation and methods of West African criminals. Money is everything, and as quickly as possible. The preferred attack is the one that nets the highest return as quickly as possible, and victims are milked for every penny possible. But more than anything else, it shows the interrelationship of social engineering attacks. There are no separate BEC gangs, and romance scam gangs, and agency fraud gangs — in this instance at least it is just one social engineering gang that has honed its skills over many years and multiple simultaneous operations.