These groups, which frequently hail from Nigeria, account for a significant majority of the social engineering-based cyber attacks that American businesses encounter on a daily basis. In fact, previous Agari research indicates that 90 percent of BEC groups operate out of Nigeria.
To date, we have fully identified three Scarlet Widow actors who top the group’s hierarchy, all of whom currently reside in Nigeria. Through extensive research and analysis, we have been able to connect the leaders with specific scams and personas, some of which you will learn about in this report.
In addition to these three group members, we have identified information linking at least eight other individuals who have assisted the core group of actors in various ways. Like many other BEC groups, including London Blue—the focus of our most recent intel report—Scarlet Widow actively mines and shares leads and compromised data among other members of its network of operatives. Similar to what we have observed with other groups, Scarlet Widow has a loose structure with central players and tangential actors who are responsible for specific tasks, such as collecting and processing targeting leads for BEC attacks or finding new pictures to use for fictitious personas in romance scams.
Scarlet Widow was heavily involved in a variety of home rental scams throughout 2015 until early 2016, starting with vacation rental scams and then moving to fake tenant scams.
The scam typically followed a set pattern, starting with the group posting an advertisement on Craigslist about a home for rent. Images depicting a desirable property that would have wide appeal were used to generate interest in the rental. Postings were targeted around specific areas of the United States, including Denver, Miami, San Diego, San Francisco, and Sarasota, Florida.
When a prospective renter submitted an inquiry about the availability of the property, they were sent a response that the property was (of course) still available. They were also sent a full description of the property, along with a quote for the cost of the rental, which included a “refundable” security deposit.
Once the victim agreed to the price, they were informed that they must wire money to a bank account in order to confirm the rental—either the entire price of the rental for vacation rentals or the first month’s rent plus a security deposit for general rentals. Once the victim sent the rent payment, they were told that they would be sent the keys and other documents for the property. Of course, none of these items were ever sent, leaving the victim swindled out of their money, and without a place to stay.
Example of Scarlet Widow Rental Scam Email
While still conducting home rental scams, Scarlet Widow began expanding their operations to focus on romance scams, where they would actively search for vulnerable populations on dating sites and then carry on an online relationship with their victims, all while swindling them out of money for plane tickets and other expenses. Key personas for Scarlet Widow include a Texas model living in Paris who they named “Laura Cahill;” a woman in Norway named “Lisa Frankel,” who found her ex-boyfriend cheating on her; and “Starling Micheal,” a United States Army Captain currently deployed in Afghanistan.
The group’s romance scam activity is examined in further detail in Scarlet Widow: Breaking Hearts for Profit, published by Agari in mid-February 2019.
In 2016, Scarlet Widow tried its hand at tax return fraud. Using comprehensive personal information collected from the breach of a Minnesota accounting firm and underground forums, the group filed at least 30 fraudulent tax returns using four different online tax filing services—TaxAct, TurboTax, Efile.com, and TaxHawk—during a two-month period. At least 25 of these fraudulent returns were accepted by the Internal Revenue Service.
To scale their tax fraud operations, Scarlet Widow took advantage of a feature within Gmail to open numerous accounts on tax filing websites linked to email addresses containing strategically placed dots. While all dot variants of a Gmail account direct email to the same inbox, the vast majority of the rest of the Internet treats each variant as a distinctly separate email address, associated with a unique account and identity. Scarlet Widow took advantage of this “feature” to ensure that all correspondence from those accounts was directed to a single Gmail address.
For example, addresses like firstname.lastname@gmail.com and first.name.last.name@gmail.com both go to the same inbox, despite looking like different accounts to an outside service. This allowed Scarlet Widow to conduct their tax fraud schemes more efficiently by not having to monitor and manage numerous different email accounts. Instead, all of their tax fraud information was centralized within a single Gmail account.
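The defensive counterpart to the dot-variant trick described above is address canonicalization at sign-up or during fraud review: collapse dots (and, as a related Gmail behaviour, “+tag” suffixes) in the local part of Gmail addresses before comparing accounts, so that several registrations feeding one inbox surface as a cluster. The following is an added illustration, not code from Agari or from any tax filing service; the sample sign-up records, account IDs and addresses are constructed, and the set of dot-insensitive domains is an assumption limited to Gmail.

```python
from collections import defaultdict

# Domains whose mail delivery ignores dots in the local part. Gmail does this;
# treating googlemail.com as an alias of gmail.com is an assumption made here.
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(address: str) -> str:
    """Return a canonical form so that every dot-variant of one Gmail inbox compares equal.

    Non-Gmail domains are left intact apart from lower-casing, because most
    providers treat each dotted variant as a distinct mailbox.
    """
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE_DOMAINS:
        # Drop a "+tag" suffix first, then every dot: both route to the same inbox.
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shared_inboxes(signups):
    """Group sign-up records by canonical inbox and return only the clusters.

    `signups` is an iterable of (account_id, raw_address) pairs. The result maps
    each canonical address that backs more than one account to the list of
    (account_id, raw_address) records behind it, in input order.
    """
    by_inbox = defaultdict(list)
    for account_id, address in signups:
        by_inbox[canonical_email(address)].append((account_id, address))
    return {inbox: accts for inbox, accts in by_inbox.items() if len(accts) > 1}


# Constructed sample: three Gmail dot/plus variants of one inbox plus two genuinely
# different mailboxes on a provider that does not collapse dots.
SAMPLE_SIGNUPS = [
    ("acct-1001", "jane.doe.example@gmail.com"),
    ("acct-1002", "j.a.n.e.doe.example@gmail.com"),
    ("acct-1003", "janedoeexample+tax@gmail.com"),
    ("acct-1004", "jane.doe@example.com"),
    ("acct-1005", "janedoe@example.com"),
]

if __name__ == "__main__":
    for inbox, accts in find_shared_inboxes(SAMPLE_SIGNUPS).items():
        ids = ", ".join(a for a, _ in accts)
        print(f"{inbox}: {len(accts)} accounts share this inbox ({ids})")
```

A registration system that stores `canonical_email()` alongside the raw address can enforce one account per inbox, and a fraud-review job can run `find_shared_inboxes()` over historical sign-ups to find clusters created before the check existed. The `example.com` records stay separate on purpose: collapsing dots for providers that do not is itself a source of false matches.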
Example of Google Dot Accounts Used to Facilitate Tax Return Fraud (Note: Actual Recipient Email Address Changed)
Following a trend seen throughout the cyber threat landscape, Scarlet Widow made its first foray into BEC in March 2017. While romance scams require a great amount of time and effort to continue the con, BEC offers groups like this something revolutionary. Most of the effort comes up front, when groups like Scarlet Widow conduct lead gathering. Once that is done, BEC groups can send phishing campaigns to a large number of targets with very little effort and a relatively high ROI. Whereas romance scams are the long con, BEC attacks often yield a similar amount of money in hours, not months.
The tactics Scarlet Widow uses to send their BEC campaigns are quite basic. The group’s modus operandi, which has stayed incredibly consistent over time, consists of sending a generically worded email to targeted victims from a temporary email account where the display name is set to an impersonated executive. To date, we have identified 33 different email accounts used by the group to distribute their BEC scams. A list of these email addresses can be found in Appendix A.
Examples of BEC Emails Sent by Scarlet Widow