While many cybercriminal gangs scam medium-sized and large corporations, Agari has now uncovered and documented the practices of a Nigeria-based scammer group, dubbed Scarlet Widow, that has evolved a different strategy focused on more vulnerable sectors such as school districts, universities, and nonprofits.

In this report, we uncover:

  • How Scarlet Widow transitioned from romance scams to tax fraud to BEC
  • Why the group focuses on school districts, universities, and nonprofits
  • What kinds of emails Scarlet Widow uses to target their victims, and
  • How the cybercriminals launder the money through legitimate online services

Download Scarlet Widow: BEC Bitcoin Laundry—Scam, Rinse, Repeat to see why cybercriminals are going after more vulnerable populations in their scams.

BEC: Brutally Effective Crime

Agari’s investigation into Scarlet Widow offers a window into today’s predominant advanced email threat—business email compromise (BEC).

BEC comes in many forms, but in most cases, the criminals behind these attacks impersonate a senior executive within the targeted company, or a trusted outside partner or supplier.

Whether a stress-inducing missive from the “CEO” demanding an urgent wire transfer, or a time-sensitive request for employee tax records from the “CFO,” these malicious emails are used to fool recipients into fulfilling requests before thinking to confirm their legitimacy. The language used in these deceptions and their timing are meant to throw the recipient off kilter just long enough to trick them into revealing sensitive information or making ill-advised payments.

And unfortunately, the cybercriminals are good at what they do. Reported BEC losses in the United States rose 88% between 2016 and 2017, according to the FBI’s Internet Crime Complaint Center.

As illustrated by Scarlet Widow’s evolution, BEC has become an increasingly tempting line of attack for cybercriminal organizations. The U.S. Securities and Exchange Commission (SEC) in October reported that victims include a publicly traded company that made 14 separate wire payments for fake invoices over the course of several weeks—racking up $45 million in losses. Another paid out $30 million.

Part of what makes these attacks so difficult to detect is that BEC emails typically contain no malware, thus rendering them invisible to most email security controls in use today.

Untangling Scarlet’s Web

When the VP of Human Resources at an Agari customer was targeted by an attempted BEC scheme, researchers in the Agari Cyber Intelligence Division seized the opportunity.

Scarlet Widow Initiates First Contact

It was the quintessential “CEO” scam, complete with an urgent payment request made via an email to the VP of Human Resources at an Agari customer in November 2017. Like most BEC scammers, Scarlet Widow uses display name deception techniques. Using a free and temporary email account—in this case a Comcast address—the scammers simply change the display name of the account to that of the person they are trying to impersonate, which in this instance was the targeted company’s CEO.
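As an added illustration (not code from the Agari report) of how a defender can surface the display name deception described above: flag inbound mail whose From display name matches a known executive while the sending address sits outside the organisation's own domains, and note when Reply-To points somewhere else again. The executive directory, domains and sample messages are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed executive directory and owned domains (constructed placeholders).
EXECUTIVES = {"jane doe": "CEO", "john smith": "CFO"}
OWN_DOMAINS = {"example.com", "mail.example.com"}


def normalize_name(name: str) -> str:
    """Lower-case, reorder 'Last, First', drop punctuation, collapse spaces."""
    name = name.strip().strip('"')
    if "," in name:
        last, first = (p.strip() for p in name.split(",", 1))
        name = f"{first} {last}"
    name = re.sub(r"[^a-z ]", "", name.lower())
    return " ".join(name.split())


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_display_name_deception(raw_message: str) -> dict:
    """Return a verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    role = EXECUTIVES.get(normalize_name(display))
    from_dom = domain_of(from_addr)
    # Display name claims an executive, but the mailbox is a free/external one.
    external_exec = role is not None and from_dom not in OWN_DOMAINS
    # Replies are steered to a different domain than the visible sender.
    reply_mismatch = bool(reply_addr) and domain_of(reply_addr) != from_dom
    return {"suspicious": external_exec, "role": role, "from": from_addr,
            "reply_to_mismatch": reply_mismatch}


# Constructed sample messages: a "CEO" lure from a free mailbox, and a real one.
SAMPLE_SCAM = ('From: "Jane Doe" <jdoe.ceo123@comcast.net>\r\n'
               "Reply-To: jdoe.ceo123@comcast.net\r\n"
               "To: hr-vp@example.com\r\nSubject: Urgent wire\r\n\r\n"
               "Are you at your desk? I need a payment processed today.\r\n")
SAMPLE_LEGIT = ('From: "Doe, Jane" <jane.doe@example.com>\r\n'
                "To: hr-vp@example.com\r\nSubject: Q4 planning\r\n\r\n"
                "Agenda attached for Monday.\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_SCAM, SAMPLE_LEGIT):
        print(check_display_name_deception(raw))
```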

Although the email was blocked by Agari’s inbound defenses, the customer contacted ACID researchers to see if we wanted to do any further analysis. Posing as an assistant named “Luis,” we began engaging with the fraudster in an attempt to collect additional information about their tactics and infrastructure. What followed was a lengthy conversation that resulted in obtaining a deep insight into a prominent and long-standing Nigerian threat group. The conversation proceeded as follows:

After this initial interaction, we continued engaging with Scarlet Widow actors for nearly a month. During this time, we were able to identify a total of nine mule accounts used to receive illicit funds from BEC victims and passed this information to law enforcement and trusted partners. Using a combination of active engagement and other tactics, we were able to gain a deep understanding of the group’s history, methods, and primary actors. What follows is an overview of what we uncovered during this investigation.
