First, a successful collaboration between industry researchers, financial institutions, and law enforcement has made the identification and mitigation of suspected mule accounts more impactful, shortening the effective lifespan of these accounts. Using gift cards, cyber threat actors are able to receive illicit funds in a way that does not come into contact with accounts that could get shut down.
Second, by using gift cards, cybercriminals eliminate the need for a middleman to receive and redirect stolen money. Money mules are individuals that are generally located in the same country as a victim company and help a scammer launder stolen proceeds through their bank account. For their part in the scheme, money mules typically keep a percentage of the stolen funds. Using gift cards, a BEC actor is able to bypass this process and receive the stolen funds directly.
One of the biggest downsides of using gift cards as a cash out mechanism, though, is that the financial gain for an individual attack is typically significantly less than a successful wire transfer. As documented in “Behind the ‘From’ Lines,” the average amount requested in BEC attacks using fraudulent wire transfers is $35,000. The average amount gained through a successful gift card BEC scam, on the other hand, is generally between $1,000 and $2,000.
Mimicking the BEC threat landscape, Scarlet Widow also evolved their tactics over time. In their early days of BEC scams, Scarlet Widow’s preferred technique was to request a wire transfer to a mule bank account under the auspices that a vendor invoice needed to be paid.
But in August 2018, the group’s methods changed. Instead of requesting payment to a bank account, the group requested targeted victims to purchase multiple Apple iTunes or Google Play gift cards. While this certainly does not encompass the totality of successful attacks perpetrated by the group, we have directly observed more than $15,000 in gift cards obtained through BEC attacks linked to Scarlet Widow.
Example of a Scarlet Widow BEC Email Requesting Gift Cards
Our observation of Scarlet Widow’s 2018 shift to gift cards mirrors findings from a 2018 report from the U.S. Federal Trade Commission. From January through September 2018, gift cards and reload cards were the payment method in 26% of fraud reports, up from just 7% in 2015. “Con artists favor these cards because they can get quick cash, the transaction is largely irreversible, and they can remain anonymous,” the FTC noted. Among those who paid a scammer with a gift or reload card, 42% used iTunes or Google Play cards, according to the report.
Of course, cybercriminals do not actually want a stash of gift cards, as their ultimate goal is to pad their bank account with actual money. So how do scammers convert these gift cards into cash? Our visibility into Scarlet Widow’s operational processes has given us significant insight into how BEC groups launder gift cards through online services.
The primary service Scarlet Widow uses to monetize gift cards is Paxful. Paxful is a US-based peer-to-peer marketplace that allows users to buy bitcoin from other users using hundreds of different payment methods, including dozens of different types of gift cards. To trade gift cards on Paxful, though, sellers take a significant hit when it comes to exchange rate. For example, most Apple iTunes gift cards are traded at 40 to 80 cents on the dollar.
Paxful recently told the online media outlet CoinDesk that it averaged $21 million a week in transactions in 2018—up from $8.5 million in 2017. It attributed the growth in part to its user base nearly tripling in Ghana and more than doubling in Nigeria to more than 300,000 accounts. In fact, African users make up nearly 35% of all Paxful accounts.
Paxful portrays itself as bringing financial services to the world’s unbanked, and perhaps they are, but the US-based company has become a bazaar for West African scam artists selling stolen gift cards, as evidenced by our research into Scarlet Widow and other Nigerian-based cybercriminal organizations.
Gift Cards Being Traded on the Paxful Website
After a gift card has been traded for bitcoin, the funds are deposited into a wallet, but the cryptocurrency still needs to be converted into cash. To do this, Scarlet Widow moves bitcoin from their Paxful wallet to a wallet on another peer-to-peer cryptocurrency exchange: Remitano. On Remitano, users are able to advertise their bitcoin for sale and a buyer can purchase the Bitcoin for a specified price via bank transfer.
Example of Bitcoin Being Offered for Sale on Remitano
Once the Scarlet Widow actors have exchanged their bitcoin and the buyer’s funds are in their bank account, the process of converting illicit gift cards into cash is complete.
In August 2018, Scarlet Widow successfully attacked an Australian university, a transaction that demonstrates the speed at which group completes the laundering process. Thinking she had received a request from the head of the university’s Finance Department, an administrator was tricked into buying $1,800 in Apple iTunes gift cards and sending pictures of the redemption codes to Scarlet Widow. What is fascinating is that we see that upon receiving the gift cards, the group was trading them on Paxful in near real-time. The entire process, from receipt of the first gift card to transferring cash into a bank account, took less than two-and-a-half hours.
In all, $1,800 in Apple iTunes gift cards were converted to $700 in Bitcoin and laundered into a Nigerian bank account in 2 hours, 19 minutes.