BEC comes in many forms, but in most cases, the criminals behind these attacks impersonate a senior executive within the targeted company, or a trusted outside partner or supplier.
Whether a stress-inducing missive from the “CEO” demanding an urgent wire transfer, or a time-sensitive request for employee tax records from the “CFO,” these malicious emails are used to fool recipients into fulfilling requests before thinking to confirm their legitimacy. The language used in these deceptions and their timing are meant to throw the recipient off kilter just long enough to trick them into revealing sensitive information or making ill-advised payments.
And unfortunately, the cybercriminals are good at what they do. Reported BEC losses in the United States rose 88% between 2016 and 2017, according to the FBI’s Internet Crime Complaint Center.
As illustrated by Scarlet Widow’s evolution, BEC has become an increasingly tempting line of attack for cybercriminal organizations. The U.S. Securities and Exchange Commission (SEC) in October reported that victims include a publicly traded company that made 14 separate wire payments for fake invoices over the course of several weeks—racking up $45 million in losses. Another paid out $30 million.
Part of what makes these attacks so difficult to detect is that BEC emails typically carry no malware: no malicious attachment and often no link at all. Controls built around signature matching, sandbox detonation or URL reputation therefore have nothing to fire on, which makes these messages effectively invisible to most email security controls in use today.
It was the quintessential “CEO” scam, complete with an urgent payment request sent by email to the VP of Human Resources at an Agari customer in November 2017. Like most BEC actors, Scarlet Widow relies on display name deception. Using a free, disposable email account (in this case a Comcast address), the scammers simply set the account’s display name to the person they want to impersonate, in this instance the targeted company’s CEO. Nothing about the underlying address is forged; the trick works because many mail clients, particularly on mobile devices, show the display name and hide the actual address.
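Because these messages carry no payload, the practical detection surface is the header itself: an executive’s name in the From display name paired with an address outside the company, an internal-looking address smuggled into the display name, or a Reply-To that quietly redirects the conversation. The script below is an added example written for this page, not Agari’s detection code and not anything recovered from Scarlet Widow; the executive roster, the internal domain `example-corp.com`, and all four sample messages are constructed (the first is modelled on the free-webmail CEO impersonation described above).

```python
"""Flag display name deception in raw inbound mail.

Added example for this page; not Agari's code. The executive roster,
internal domain and every sample message below are constructed.
"""
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# Assumed deployment data for the protected organisation.
INTERNAL_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"jane doe": "CEO", "richard roe": "CFO"}

# Constructed samples: a free webmail account with the CEO's name as display
# name (the pattern in the text), plus two variants seen in the same kind of scam.
SAMPLES = {
    "ceo_scam_free_webmail": (
        "From: Jane Doe <jdoe1987@comcast.net>\n"
        "To: VP Human Resources <hr.vp@example-corp.com>\n"
        "Subject: Are you at your desk?\n\n"
        "I need a wire processed before 3pm today. Call me once it is done.\n"
    ),
    "address_in_display_name": (
        # The display name carries an internal-looking address so the client
        # shows jane.doe@example-corp.com while the real sender is external.
        "From: \"Doe, Jane <jane.doe@example-corp.com>\" <jd1987@webmail.example>\n"
        "Subject: Vendor payment\n\n"
        "Please update the bank details on the attached invoice.\n"
    ),
    "reply_to_redirect": (
        "From: \"Doe, Jane\" <jane.doe@example-corp.com>\n"
        "Reply-To: jd.office@webmail.example\n"
        "Subject: W-2 request\n\n"
        "Send me the W-2s for all staff as a PDF.\n"
    ),
    "legit_internal": (
        "From: Jane Doe <jane.doe@example-corp.com>\n"
        "Subject: Board deck\n\n"
        "Draft attached for review.\n"
    ),
}


def _normalize_name(raw):
    """Decode RFC 2047 words, turn 'Doe, Jane' into 'jane doe', drop punctuation."""
    try:
        text = str(make_header(decode_header(raw)))
    except Exception:  # malformed encoded-word: fall back to the raw text
        text = raw
    text = text.lower()
    if "," in text:
        last, first = text.split(",", 1)
        text = f"{first} {last}"
    text = re.sub(r"[^a-z\s]", " ", text)
    return " ".join(text.split())


def _match_executive(name):
    """Return (exec_name, title) if an executive's full name appears in `name`."""
    padded = f" {name} "
    for exec_name, title in EXECUTIVES.items():
        if f" {exec_name} " in padded:
            return exec_name, title
    return None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_display_name_deception(raw_message):
    """Return a list of (rule, detail) tuples; an empty list means no hit."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # Rule 1: an executive's name in the display name on a non-corporate address.
    hit = _match_executive(_normalize_name(display))
    if hit and from_domain not in INTERNAL_DOMAINS:
        exec_name, title = hit
        findings.append(("exec-name-external-address", f"{title} '{exec_name}' sent from {addr}"))

    # Rule 2: an internal-looking address embedded in the display name itself.
    embedded = re.search(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)", display)
    if embedded and embedded.group(1).lower() in INTERNAL_DOMAINS and from_domain not in INTERNAL_DOMAINS:
        findings.append(("internal-address-in-display-name", display))

    # Rule 3: Reply-To sends the conversation to a different domain than From.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != from_domain:
        findings.append(("reply-to-domain-mismatch", f"From {addr}, replies go to {reply_to}"))

    return findings


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_display_name_deception(raw) or "clean")
```

Rule 1 is the one that catches the case in the text; the name match is deliberately a substring test on a normalised form so that “Doe, Jane”, “Jane Doe, CEO” and RFC 2047-encoded names all resolve to the same roster entry. Rule 2 only fires when the smuggled address belongs to one of your own domains, which keeps it quiet on ordinary external mail. All three rules are header-only and need no attachment or URL analysis, which is the point: they work on exactly the messages that payload-centric controls pass through.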
Although the email was blocked by Agari’s inbound defenses, the customer contacted ACID researchers to see if we wanted to do any further analysis. Posing as an assistant named “Luis,” we began engaging with the fraudster in an attempt to collect additional information about their tactics and infrastructure. What followed was a lengthy conversation that gave us deep insight into a prominent and long-standing Nigerian threat group. The conversation proceeded as follows:
After this initial interaction, we continued engaging with Scarlet Widow actors for nearly a month. During this time we identified a total of nine mule accounts used to receive illicit funds from BEC victims and passed this information to law enforcement and trusted partners. Using a combination of active engagement and other tactics, we gained a deep understanding of the group’s history, methods, and primary actors. What follows is an overview of what we uncovered during this investigation.