Email Security Blog

Scarlet Widow Bombs Nonprofit Directories to Run BEC Scams

Crane Hassold February 27, 2019 Cybercrime

When the Agari Cyber Intelligence Division released our report on London Blue in December, much of the focus was on how cybercriminals use legitimate lead generation services to identify their targets. Research we released today into a different cybergang—one we’ve named Scarlet Widow—shows how Nigerian criminals take a different tactic against more vulnerable institutions.

Rather than focusing on large enterprises that would provide hefty jackpots when compromised, Scarlet Widow preys on school districts, universities, and nonprofits, which the group believes may be softer targets. Since evolving from their historical focus on romance scams, Scarlet Widow has implemented new tactics for generating income from business email compromise attacks.

While the group uses commercial tools to identify individual targets within most businesses, when Scarlet Widow goes after nonprofits, the group primarily uses publicly accessible websites to scrape contact information for employees. Working off a list of identified websites that contain directories of nonprofit organizations, Scarlet Widow uses a web scraper to traverse the online directory and collect email addresses associated with each organization—a process they refer to as “bombing” an online directory.

Nonprofit Bombing by Scarlet Widow

Since November 2017, Scarlet Widow has gathered targeting information for more than 30,000 individuals associated with more than 13,000 organizations in 12 countries—many of which were gathered through this tactic. Nearly all of the leads collected by Scarlet Widow were for employees located in two countries—with 73% in the United States and 20% in the United Kingdom. Notable targets include the Boy Scouts of America, a West Coast chapter of the United Way, a nationwide anti-hunger charity, a Midwest Archdiocese of the Catholic Church, a well-known annual arts festival, and numerous chapters of the YMCA.

And once Scarlet Widow has successfully targeted an organization, posing as an executive or other leader, it is easy for the group to launder the proceeds using nontraditional methods. By requesting Apple iTunes or Google Play gift cards rather than wire transfers, the group is able to eliminate the money mules a wire transfer would require and keep its earnings far away from bank accounts that could easily get shut down.
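As an added illustration (not code from Agari or the original post), the following Python triage heuristic flags inbound mail that combines the ingredients of the lure described above: a known leader's display name on an outside address, an external Reply-To, a gift card request and an urgency pretext. The organization domain, the leader list and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed (hypothetical) data: the organization's own domain and the real
# addresses of leaders whose names a BEC actor would be likely to borrow.
INTERNAL_DOMAINS = {"example.org"}
KNOWN_LEADERS = {"pat director": "pat.director@example.org"}

GIFT_CARD_RE = re.compile(r"\b(itunes|google play|gift ?cards?)\b", re.I)
PRETEXT_RE = re.compile(r"\b(urgent|asap|right away|in a meeting|can'?t talk)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw: str) -> dict:
    """Return a score (0-4) and the indicators that fired for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    reasons = []
    real = KNOWN_LEADERS.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append("display name of a known leader, but sender address differs")
    if reply_to and domain_of(reply_to) not in INTERNAL_DOMAINS:
        reasons.append("Reply-To points outside the organization")
    if GIFT_CARD_RE.search(body):
        reasons.append("asks for gift cards")
    if PRETEXT_RE.search(body):
        reasons.append("urgency or unavailability pretext")
    return {"score": len(reasons), "reasons": reasons}


# Constructed sample messages: one lure in the style described above, one benign note.
LURE = """From: Pat Director <pat.director@free-mail.example>
Reply-To: pat.director@free-mail.example
To: bookkeeper@example.org

I'm in a meeting and can't talk. I need you to pick up iTunes gift cards for
a donor thank-you today. Send me the codes right away.
"""
BENIGN = """From: Pat Director <pat.director@example.org>
To: bookkeeper@example.org

Please attach the Q3 statements to the board packet by Friday.
"""
```

A score of 2 or more is a reasonable threshold for routing a message to manual review; the leader list is the one input a defender has to maintain.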

Of course, their main objective is not to stockpile gift cards but rather to easily and quickly turn them into cash. Scarlet Widow does this by using two online services: Paxful and Remitano. By first advertising the stolen cards on Paxful, the group can successfully turn them into bitcoin, which they can then trade on Remitano for a specified price. Once the Scarlet Widow actors have exchanged their bitcoin and the buyer’s funds are in their bank account, the process of converting illicit gift cards into cash is complete.

BEC Gift Scam Cycle

Unfortunately, it’s easy, simple, and fast—meaning that the nonprofits and other organizations scammed out of their money lose it quickly, with no real way to track it down. In one instance, Scarlet Widow attacked an Australian university and converted $1,800 in Apple iTunes gift cards into $700 in bitcoin, laundering it through a Nigerian bank account in less than two and a half hours.

For more information on how Scarlet Widow targets their victims and turns their proceeds into cash, download a full copy of Scarlet Widow: BEC Bitcoin Laundry—Scam, Rinse, Repeat.
