This isn’t the first time our CFO has been targeted by a nefarious executive impersonator. The criminal gang London Blue appeared on our radar in exactly the same way. So why have two unrelated cybergangs made what seems like a high-risk decision to attack a firm focused on stopping advanced email threats?
The answer is multifaceted. In many cases, their tactics, techniques, and procedures (TTPs) simply do not require them to know which industry a target belongs to. In order to carry out the high volume of attacks that these larger gangs perpetrate, they strip the process back to its most basic components, as any smart business would. The “essentials” comprise the name and email address of a CFO (or comparable financial executive) and the name and email address of the CEO of the same organization. Once they have secured this information, their reconnaissance need not go any further: these details are fed into their existing infrastructure, and any replies are subjected to social engineering that is not specific to any industry.
Another likely reason cybercriminals are lax about their targets is their geographic location. Many feel that they have a home team advantage living in Nigeria, where they are free to pay off law enforcement to look the other way. Despite the introduction of the Nigerian Cybercrime Act 2015, which carries a fine of up to 10 million naira for unlawfully accessing a computer system or perpetrating fraud by using electronic messages, cybercrime in the country has continued to expand. Criminals can often secure millions in profit through BEC and other tactics, and are both willing and able to give local law enforcement enough to keep them quiet. By doing so, they ensure that their operations can continue while they are protected from prosecution.
On November 29, 2018, Scattered Canary sent an attack email to Agari CFO Raymond Lim, enquiring as to his availability to send out a domestic wire transfer. This display name deception attempt was quarantined by Agari Phishing Defense™, and we then actively engaged with the attacker in an attempt to establish his true intentions. What followed was a series of engagements that resulted in our team gaining deep insight into this group—including its scattershot origins, how its actors fit together, and how it achieved its remarkable growth trajectory.
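The lure above is a display name deception: the From header carries a known executive's name while the actual sending address is a mailbox the attacker controls. The following is an added example, not Agari's product logic or any code from the report, of the minimal check a mail gateway can apply to catch that pattern. The organization domain, the executive directory and the three sample messages are all constructed placeholders; the check flags a message when the display name matches a listed executive but the address is not that executive's, or when a Reply-To would divert replies outside the organization.

```python
import email
from email.utils import parseaddr

# Constructed executive directory for a hypothetical organization; the
# domain, names and addresses are placeholders, not data from the report.
ORG_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",    # hypothetical CEO
    "john smith": "john.smith@example.com",  # hypothetical CFO
}


def _normalize(name: str) -> str:
    """Lower-case and collapse whitespace so 'Jane  Doe' matches 'jane doe'."""
    return " ".join(name.lower().split())


def _domain(addr: str) -> str:
    """Return the domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_display_name_deception(raw: bytes) -> dict:
    """Inspect one raw RFC 5322 message and return a verdict dictionary.

    Two conditions raise a flag:
      1. the From display name matches a listed executive, but the From
         address is not that executive's known address;
      2. the From address is internal, but a Reply-To header points outside
         the organization, so replies would be silently diverted.
    A From address that exactly equals the executive's real address is not a
    display name deception (that is domain spoofing, left to SPF/DKIM/DMARC).
    """
    msg = email.message_from_bytes(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    reasons = []

    expected = EXECUTIVES.get(_normalize(display))
    if expected and addr.lower() != expected:
        reasons.append(
            f"display name '{display}' matches an executive but sender is {addr}"
        )
    if reply_to and _domain(addr) == ORG_DOMAIN and _domain(reply_to) != ORG_DOMAIN:
        reasons.append(f"Reply-To {reply_to} diverts replies outside {ORG_DOMAIN}")

    return {
        "display": display,
        "address": addr,
        "flagged": bool(reasons),
        "reasons": reasons,
    }


# Constructed sample messages (not real captures).
SAMPLE_ATTACK = b"""From: Jane Doe <jane.doe@mail.example.net>
To: John Smith <john.smith@example.com>
Subject: Quick request

Are you available to send out a domestic wire transfer today?
"""

SAMPLE_LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: John Smith <john.smith@example.com>
Subject: Board deck

Attached is the deck for Thursday.
"""

SAMPLE_REPLY_TO = b"""From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@mail.example.net>
To: John Smith <john.smith@example.com>
Subject: Urgent

Please reply to this thread only.
"""

if __name__ == "__main__":
    for label, sample in [("attack", SAMPLE_ATTACK), ("legit", SAMPLE_LEGIT),
                          ("reply-to", SAMPLE_REPLY_TO)]:
        verdict = check_display_name_deception(sample)
        print(label, "flagged" if verdict["flagged"] else "clean", verdict["reasons"])
```

In production the executive list would come from the directory service rather than a literal, and the name match should also cover the lookalike spellings and reordered tokens that real lures use; the point here is only that the two headers which the report's attacker relied on, From and Reply-To, are cheap to check against a known list.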
Using an unrelated persona account, we reached out to the actor and asked them to send over the details of the wire transfer they wished us to make.
It wasn’t long before we received a reply containing the full details for both the bank account and the amount of $19,725.
As is common with nearly all our active engagements that request a bank payment, the request was caveated with a requirement for a confirmation receipt to be sent upon completion. This document is an essential part of the operational paperwork, as it allows individual actors to prove to the Scattered Canary executive team that a successful payment has been obtained. It also allows them to counter any argument by the mule account go-between—especially if they are a third-party mule account broker—that no payment has been received, when in actual fact it has. Working as an opportunistic criminal, alongside other opportunistic criminals, does not come without its challenges.
After this initial engagement, we continued interacting with Scattered Canary for nearly two more months. Over the course of this engagement, we coerced the group to send us eight different mule accounts used to receive illicit funds from BEC victims and passed this information to law enforcement and financial partners. Using a combination of active engagement and other tactics, we were able to gain significant insight into Scattered Canary’s history, methods, and primary actors. What follows is an overview of what we discovered during our investigation.
In this group and others like it, hierarchical structures center on a few senior members who direct operations while outsourcing specific duties to an open web of freelance agents.
In distributed networks that in some ways resemble the recombinant structure of terrorist cells, honor among these thieves runs deep. Symbiotic relationships are built, fostered, and rewarded. News of betrayal and bad “business practices” travels fast and can have a detrimental effect on an actor’s ability to work with other fraudsters, and ultimately continue their business.
In this report, we examine many of Scattered Canary’s activities, approaches, and connections, which we believe encompass only a small subset of what may be a larger organization with a more expansive circle of influence. Some of the overlapping connections to be discussed in this report are depicted here.
Over the last decade, Scattered Canary has evolved much as a tech startup might. Looking past the illegality of its operating model for just a moment, the biggest driver of this business was a desire to generate sustainable revenues by leveraging the global, digital economy enabled by the Internet.