Now, Agari has uncovered and documented the practices of a Nigeria-based scammer group, dubbed Scarlet Widow, that has evolved a different strategy. Rather than focusing on corporate targets, which are devoting increased resources to cyber-defenses, the group focuses on more vulnerable sectors such as school districts, universities, and nonprofits, which the group likely believes are softer targets.
Agari has been gathering information on Scarlet Widow since 2017 and we have documented its evolving operations going back to 2015. In 2015, its focus was on romance scams and property rental fraud. In 2016, Scarlet Widow moved into tax fraud, successfully submitting dozens of fraudulent returns and scoring thousands of dollars in tax refunds with minimal effort. By 2017, like so many West African cybercrime groups, the group moved into the lucrative world of BEC, where it continues to focus its efforts to this day.
Scarlet Widow’s preferred targets for BEC scams are academic institutions, including K-12 school districts in the American Midwest and universities in five countries, and nonprofit organizations around the world, ranging from the Boy Scouts of America to the YMCA.
While the bulk of its recent BEC attacks has focused on schools and nonprofits, Scarlet Widow also seems to be preparing for phishing campaigns targeting tax preparation firms. In September 2018, the group began collecting targeting information on thousands of United States-based tax preparers, likely to target these individuals with W-2 BEC attacks prior to tax season.
Like London Blue, the subject of an Agari report in December, this Nigeria-based cybercriminal group operates like a modern sales and marketing organization, building out an entire solution stack to run its scams—including resources for lead generation, email distribution, aliases, falsified documentation used in romance scams, and more.
Since November 2017, Scarlet Widow has gathered targeting information for more than 30,000 individuals associated with more than 13,000 organizations in 12 countries. Most of the leads collected by Scarlet Widow were for employees located in two countries—with 73% in the United States and 20% in the United Kingdom.
During our investigation into Scarlet Widow, we observed a shift in the group’s cash-out methods that parallels trends we are seeing across the entire BEC threat landscape. While the group originally relied on wire transfers in its early BEC scams, it has now transitioned to seeking payment through Apple iTunes and Google Play gift cards.
To launder its proceeds, Scarlet Widow uses a US-based peer-to-peer cryptocurrency exchange called Paxful that, whether wittingly or not, has become a bazaar for West African scam artists. Nigerian scammers are using the exchange to convert fraudulently obtained gift cards into bitcoin for 40 to 80 cents on the dollar.
As a result, within minutes of a victim emailing gift cards to Scarlet Widow, the group can move the funds beyond the reach of authorities in the victim’s country. This avoids the trouble of recruiting and managing local money mules, and eliminates the window when authorities and financial institutions can halt and reverse some wire transfers.
This document is the second of two reports Agari has published on Scarlet Widow. The first report, released on February 13, 2019, focused on the group’s history of romance scams.