BEC has continued to grow, taking the number one spot for greatest financial losses from Internet crime. In a recent report, the FBI’s Internet Crime Complaint Center (IC3) reported that more than 20,000 businesses lost nearly $1.3 billion to BEC attacks in 2018. Globally, BEC attacks have cost more than $13 billion in losses over the past five years.
But with the West African gang we’ve named Scattered Canary, we have a deeper look at how business email compromise is connected to the rest of the cybercrime. With over ten years of visibility into Scattered Canary’s operations, we have deep insight into how the group grew from a single cybercriminal working Craigslist scams into an entire organization that consists of dozens of criminals, each with specific tasks.
When the first member of Scattered Canary, who, for the purposes of this report, we call Alpha, began his operations, he was a lone wolf—working mostly Craigslist scams as he learned the tricks of the trade from a mentor. However, within a few years, he had honed his craft enough to expand into romance scams, where he met his first “employee,” Beta. Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born.
Since its inception, at least 35 different actors have joined Scattered Canary in its fraudulent schemes. The group has turned to a scalable model through which they can run multiple types of scams at the same time. And with multiple tools designed to help them expand their operations and stay hidden from law enforcement, it is no wonder that they are seeing massive success.
While BEC remains a favorite due to its ease and success, a look into Scattered Canary’s operations demonstrates that these groups are not one-trick ponies. At any given time, Scattered Canary is involved in a number of different types of scams simultaneously—including romance scams, tax fraud, social security fraud, employment scams, and more. And this is only one organization, out of the hundreds currently residing in West Africa and around the world. With this much involvement between members, and so much connection between crime type, we must look at the bigger picture to truly understand the enormity of the cybercrime problem.
If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most pernicious email scams, this report demonstrates that a much more holistic approach—one based on threat actor identity rather than type of fraudulent activity—is required to detect email fraud and protect organizations.
This investigation by the Agari Cyber Intelligence Division (ACID) into the cybercriminal group we’ve named Scattered Canary offers unprecedented visibility into eleven years of fraud and criminal activities, and the growth of a 419 startup into a fully operational BEC business. From our research, we have discovered that BEC actors are playing very active roles in many other forms of criminal activities—a fact that showcases just how much of an impact these groups can create.
In today’s rapidly-evolving cybercrime economy, business email compromise (BEC) has emerged as a growth industry all its own. According to the most recent Internet Crime Report from the FBI’s Internet Crime Complaint Center (IC3), “revenues” for this advanced form of email fraud nearly doubled in 2018—to $1.3 billion. In all, more than $13.5 billion has been lost to BEC scams since 2013. But investigation into the criminals behind BEC shows that $13.5 billion is likely just the tip of the iceberg. Since 2015, BEC complaints have doubled year after year and currently account for 45% of all reported complaints to IC3.
One common misconception is that crime rings operate within set verticals—that BEC groups only run BEC scams, groups focused on romance scams only run romance scams, and so forth. But like entrepreneurs in any industry, cybercriminal organizations work to achieve growth by developing and validating scalable business models across a diversified set of revenue streams.
Throughout our research into Scattered Canary, we can see how the main threat actors encountered periods where opportunities for diversification presented themselves, and they boldly and rapidly pushed forward into new terrain.
Due to their agile working practices, they have been able to bring in extra skilled “staff” at a moment’s notice, typically by flaunting their wealth to display the trappings of their success. Trust encourages a nepotistic approach to candidate selection, and many relationships are formed while still in the Nigerian education system where talent is easily spotted, and where recruitment can flourish naturally.
As we have discovered, the same groups that reap billions in BEC schemes each year are also partly to blame for the $360 million lost to romance scams, the $1 billion hijacked in real estate transactions, and millions more pilfered through W-2 scams, payroll diversions, and other types of fraud. This suite of email-based attack vectors is operated concurrently by modern-day cybergangs including Scattered Canary, and represent the apex of years of both massive growth and massive success.
Through extensive active defense engagements and research over the last six months, we have been able to build a detailed picture of not just the tactics and techniques currently used by Scattered Canary, but also historically how they have adopted these over a period of many years. While this criminal organization’s activities now center around BEC, and extend to romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, tax schemes, and more, these actors came from much humbler beginnings, starting with basic Craigslist scams in 2008.
Given the wide range of its activities, the extended ecosystem of individual actors with which it collaborates, and the persistent optimism present in its range of email addresses, we have dubbed this organization “Scattered Canary.” Over the course of active engagement with operatives of this group, an ever-growing global footprint has emerged, eclipsing that of even London Blue—the UK-based threat group we uncovered in December 2018.
Scale aside, we are resolute in our conclusion that BEC can no longer be seen in isolation and thus unrelated to other email deployed criminal enterprises. Instead, we must view it as part of a larger ecosystem of cybercrime, with BEC as its current apex. Infrastructure, and actors, are common across the entire cybercrime industry, and knowing this will help to generate further discussion about ways to curtail and shut down these maturing operations.