Over the last eleven years, Scattered Canary’s central figure, “Alpha,” transitioned from individual contributor running Craigslist scams and check fraud to CEO of an organization focused on business email compromise. Today, he directs operations and leverages outside expertise on an ad-hoc basis to test and refine new approaches to email fraud in pursuit of evermore remunerative scams. Based on intelligence gathered from Scattered Canary, we have been able to reconstruct the group’s transformation through the years—as well as dozens of tactics used in its scams. This is the story of how a 419 start-up grew into a BEC powerhouse.
Based on historical research into Scattered Canary’s operations, the group started with a single individual, who we call Alpha in this report. Alpha started out in the trenches of Craigslist scams with his mentor, Omega, who would expose Alpha to things like check fraud and romance scams. Alpha’s early role was fairly simple: engage with individuals, who he chose based on the goods they were selling, and then provide personal shipping addresses back to Omega. At the time, Craigslist was a training ground for West African scamming. New players to the cybercrime scene could use the platform to hone their social engineering skills before moving on to other types of fraud, such as romance scams. Two other groups we have previously reported on—London Blue and Scarlet Widow—also cut their teeth on Craigslist scams before evolving into other crimes.
The basic premise of a Craigslist check fraud has become a criminal classic, and it starts with the target listing a good or service on the platform. The scam starts when the scammer reaches out to the potential victim, often asking for the face value of the product, then offering more money in exchange for the victim sending a portion of that money to someone else. For several years, this is where Alpha would hone his scamming tradecraft, setting the stage for his BEC enterprise only seven years later.
Example Craigslist Scam Interaction
Once the fraudster confirms the sale, they inform the seller that they wish to send a check (which is counterfeit) and that the check will be made out for an amount greater than the price of the item—with the stated request to have the seller forward the remaining balance to another person. This person is commonly purported to be performing some function that appears to be related to the purchase, oftentimes a shipping company that will pick up the item on their behalf. The shipping company is, of course, fictitious, and the bank account provided for forwarding or wiring is controlled by the fraudster. Quite often, the item in question will just be left with the original owner once the criminal receives his money. But on rare occasions, the third-party accomplice will actually pick up the item or items in-person, while at the same time collecting the balance of the check in cash.
In the years of Craigslist scams, Alpha learned about targeting individuals and how these 419 scams worked. With Omega as a mentor, Alpha learned how to use different scripts and formats to operate fraud at scale and how to convince victims to complete tasks on his behalf, oftentimes coercing them into cashing checks.
In the early days, Alpha was completing most of the grunt work when it came to dealing with people. In the fifteen month stint of Craigslist fraud, Alpha exchanged over 1,900 emails with victims or scammers related to Craigslist and provided more than 100 addresses to Omega, who was responsible for sending fake checks to victims. Alpha aimed high with each check— typically between $2,000-$4,000.
How effective was this team? With Alpha averaging around eight victims per month in Craigslist scams, the group made an average amount of $24,000 per month, which was split amongst them. Omega and Alpha were obviously two willing participants in the fraud, but there are some pieces of the puzzle that are missing. Who was receiving the packages of money? Who picked up money face-to-face? Who was depositing the cash or sending it to Nigeria? Based on our visibility, we believe that Omega handled most of these interactions. Meanwhile, Alpha began to diversify his portfolio by dabbling into other types of crime. His first move was into romance scams.
Using the social engineering knowledge he gained from working Craigslist scams, Alpha began engaging in romance scams where he communicated with several victims through social media, text messages, and Google Voice. Over this period, victims sent selfies, photos with friends, love messages, and sweet nothings sharing that they’d been thinking about Alpha. In order to maintain the fraudulent persona, Alpha even sent flowers to two victims—once in 2012 and again in 2014.
But why would someone invest the time and effort into pretending to be someone else just to break their hearts? As with all scams, actors have one goal in mind: money. By pretending to be a fake lover, romance scammers are able to fool victims into giving them access to their bank accounts and retirement accounts or into purchasing prepaid debit cards to send to the fraudsters. Once a romance victim has been milked out of all the money possible, they are generally then converted into mules for when the scammer needs something physically moved from one place to another, or when he needs fraudulent funds moved between accounts.
Romance scammers typically assign small tasks to their victims, such as opening a bank account, wiring money from one account to another, or sending a few fake checks in the mail. In order to maximize their investment, some scammers ask their victims to open new loan accounts or credit lines for their “significant other,” only to get nothing back in return. In more extreme cases of romance scams, victims have even been asked to bring suitcases of drugs across country borders, thinking it was a chemical or solvent for their lover.
Alpha quickly learned the value of a romance mule. By using other people to do his dirty work, he could engage with fewer clients and decrease his risk of being caught, all while seeing increased profit margins. And as Scattered Canary grew over time, romance scam victims would end up being a primary source for mule accounts.
The story of one Scattered Canary’s romance victim exemplifies the lengths to which these groups use and reuse their victims until there is literally nothing left to exploit.
By March 2016, one of Scattered Canary’s members had built enough trust with a romance victim—who we’ll call Jane—that she became a frequent source of new mule accounts for the group. Since she had been converted to a mule at this point, it’s safe to assume that Scattered Canary had already stolen as much money from her as they could. Over the next eighteen months, Jane opened five mule accounts and bought twenty prepaid cards that were, unbeknownst to her, used by the group to facilitate other scams.
After the new accounts were opened, Jane sent her fictitious online boyfriend the account credentials, using passwords like weare4ever and 2hearts1love. Over time, these passwords became things like 2muchmystery and iam2wornout as Jane grew tired of the mysterious relationship with her online lover. Unfortunately and sadly, Jane passed away in September 2017. Even after her death, though, Scattered Canary continued to victimize her. In October 2017, a member of the group attempted to take out an auto loan using Jane’s personal information, providing more evidence that these groups are only interested in one thing—money.
While losses related to romance scams are typically tracked on their own, romance and BEC scams are very close cousins when it comes to fraud. In almost every case investigated by our team, when banking details of a phishing email included a person’s name, that person was an unwitting participant of the BEC game. Over the years, we have had the honor of speaking with several victims. In many cases, the victims simply believed that they were in a legitimate online relationship and were unaware of the fraud they were committing. The devastating piece is that many of these victims spent years entangled in the scheme—in one case over nine years—before being notified by external parties or law enforcement.
As Scattered Canary’s business expanded, mostly through romance scams, Alpha saw the value of larger targets and met with the person who eventually became his co-conspirator and who we refer to as Beta. Once these two men joined forces, they would pivot away from targeting individuals to focus on enterprises. By all accounts, late 2015 was the beginning of BEC for Scattered Canary.
In mid-2015, Scattered Canary started moving away from “long con” social engineering attacks and toward more scalable—and ultimately more profitable—attack vectors. The first type of attack they pivoted to was credential phishing. Between July 2015 and February 2016, Scattered Canary’s primary focus seemed to be mass harvesting general credentials using a Google Docs phishing page. In the first few months of their credential phishing ventures, Scattered Canary’s sights were mostly set on Asian targets—Malaysia and Japan, in particular. In November 2015, the group started to focus on North American users, mostly in the United States.
This activity ceased in February 2016, likely because the men who made up Scattered Canary began to focus on honing their BEC skills. However, more than a year later in March 2017, they returned to the credential phishing game. This time, though, the group’s focus had clearly shifted away from individual users and toward corporate victims.
Instead of using fake Google Docs phishing pages to collect personal email login credentials, Scattered Canary began using phishing pages of commonly used business applications to compromise enterprise credentials. Key pages included ones that impersonated Adobe, DocuSign, and OneDrive. For over eighteen months from March 2017 until November 2018, Scattered Canary’s frequent enterprise-focused credential phishing campaigns almost exclusively targeted businesses in the United States and Canada. In total, Scattered Canary received more than 3,000 account credentials as a result of their phishing attacks.
Example Scattered Canary Email Lure and Adobe Phishing Site
Aside from credential phishing, Scattered Canary’s biggest evolution from individual targets to corporate users came in November 2015, when the group, like so many other West African cybercriminal groups, broke into the BEC space. In the early days of their BEC campaigns, Scattered Canary tested multiple different methods of crafting deceptive emails, including using different templates and impersonation tactics.
After a few months, the group settled on a tactic that they felt worked for them: directly spoofing target company domains and requesting a payment via wire transfer to a supposed vendor. Scattered Canary used this tactic of impersonating target domains until September 2016, when they switched to using obscure webmail accounts or email accounts linked to domains registered by the group themselves.
First BEC Email Observed from Scattered Canary in November 2015
Until this point, Scattered Canary was made up of only Alpha working as an individual contributor on every scam, with a few tangential associates helping out from time to time. However, as he became more successful and transitioned into BEC, he looked to expand his numbers and the first new “employee” joined the group in October 2015—Beta.
Beta’s primary role at the time, and what he continues to focus on today, has been to act as the “mule herder” for the group. In other words, Beta’s job is to identify and recruit individuals who are then used to receive the stolen proceeds of BEC attacks. Since 2015, Beta has relayed more than 150 mule accounts to Alpha—more than any other Scattered Canary group member by far. Over the years, Alpha has also relied on Beta to assist in other types of scams, most often handling the distribution of fake checks as part of mystery shopper scams. By all accounts, this is shockingly similar to how Omega used Alpha in the first few years of Scattered Canary’s existence.
Unfortunately for the enterprises being targeted, Beta was not the only new member to join the cybercriminal organization during this period of Scattered Canary’s rapid expansion. In total, 19 individuals joined the group in different capacities during this three-year period. Most of these new associates contributed to the group’s scams by providing a constantly fresh feed of new mule accounts to Alpha. Others came onboard to help facilitate other types of scams or build a more robust scamming infrastructure.
By 2017, Scattered Canary had business-critical tools and tactics in place and started to define functional roles across an ever-expanding array of revenue streams. Some group members were responsible for managing BEC campaigns, some for forging checks and money orders, and still others for harvesting stolen credit card numbers for use in various cons. Like any rapidly-growing company, Scattered Canary took infrastructure into consideration and quickly added Remote Desktop Protocol (RDP) servers to help them scale and coordinate operations. Meanwhile, the organization continued to market-test new approaches to defrauding a growing universe of victims.
Similar to how the group pivoted from individual victims to business targets during the previous three-year period, Scattered Canary again set their sights on a new type of target in 2017—government agencies. Using personal information obtained from various sources, Scattered Canary started perpetrating fraud against US federal and state government agencies. Notable targets include the ones listed here, among dozens of others.
Much of the fraudulent activity targeting government agencies has involved the use of a technique that takes advantage of a “feature” within Gmail accounts. Unlike most online services, Google does not recognize periods in email addresses. Instead, the email address email@example.com and firstname.lastname@example.org are both interpreted as the same address and route email sent to each of those addresses to the same account.
Some cybercrime groups, including Scattered Canary, have exploited this feature by creating numerous “dot variant” accounts on a single website that then directs communications for all of those accounts to a single Gmail account. This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website.
Google Dot Accounts Used to File Fraudulent Tax Returns
Note: Actual Email Address Changed
Using this tactic, Scattered Canary facilitated a significant amount of fraudulent activity against government institutions, including the following:
Internal Revenue Service: Filed 13 fraudulent tax returns with a single online tax service
US Postal Service: Submitted 12 change of address requests with the US Postal Service
Social Security Administration: Submitted 11 fraudulent Social Security benefit applications
Texas State Commission: Applied for Texas state unemployment benefits under nine identities
FEMA: Submitted applications for FEMA disaster assistance under three identities
In addition to the scams above, Scattered Canary also used this technique to submit at least 48 credit card applications at four US-based financial institutions, resulting in the approval of at least $65,000 in fraudulent credit.
While Scattered Canary’s targeting of government institutions demonstrates a notable evolution in their attacks, the group’s primary focus over the past few years has been continuing to improve their BEC phishing campaigns. In July 2018, following a trend we have observed across the entire BEC threat landscape, Scattered Canary changed their preferred cash out mechanism from wire transfers to gift cards. For five months, the group’s primary focus was to persuade employees to purchase Apple iTunes and Amazon gift cards based on a supposed request from their CEO.
Like other scammers involved in gift card BEC scams, Scattered Canary laundered the gift cards they received from victims through a peer-to-peer online cryptocurrency exchange called Paxful. In our previous report on the Nigerian cybercriminal group Scarlet Widow, we detailed the process by which stolen gift cards are converted into cash through a multi-step laundering process using Paxful and other online cryptocurrency marketplaces.
Over the five-month span that Scattered Canary focused on collecting gift cards in their BEC attacks, the group received at least 132 gift cards from victims, which netted them around two bitcoin once they were traded on Paxful. Based on the price range of bitcoin during this period, this translates to around $12,000 to $14,000 in profits. Interestingly, Scattered Canary abandoned gift cards as a BEC cash out method in November 2018, at the same time the price of bitcoin crashed.
Example of a Scattered Canary BEC Email Asking for Gift Cards
After Scattered Canary moved on from gift card scams, they transitioned to another type of BEC attack: payroll diversion scams. In these types of scams, rather than socially engineering a finance employee to wire money to a “vendor” account, the scammer targets employees in a company’s human resources department to persuade them to change the direct deposit account associated with a high-level executive’s payroll information.
Example of a Scattered Canary Payroll Diversion BEC Email
One of the reasons payroll diversion attacks have become a preferred BEC tactic for Scattered Canary—as well as quickly emerging trend we’ve seen across the entire BEC threat landscape— is because of the ability to use easily accessible prepaid debit cards to receive payroll direct deposits. These prepaid debit cards come with a corresponding bank account, and they’re much easier to set up. Rather than requiring a money mule to physically visit a bank branch to open an account, the mule can simply register for a prepaid card online with a less stringent application process and have a new card mailed directly to them. Combined with the fact that most prepaid cards do not require credit checks, it is easy to see why this has become a popular method for scammers.
This tactic, along with the introduction of a fairly new threat actor we’ve named Zeta, has allowed Scattered Canary to scale their payroll diversion schemes very quickly. Since late 2017, Zeta contributed the most prepaid card accounts to the group and has fed Alpha with more than 140 prepaid card numbers in the last eighteen months alone. Because of Scattered Canary’s focus and success on this type of BEC scam, Zeta has quickly become one of the most impactful associates in the group today.
Overall, Scattered Canary’s membership has nearly doubled over the past two years, adding another 15 actors to help scale the group’s operations. While half of these new recruits came on board to harvest new BEC mule accounts, the other half were involved in other scams during this time, such as mystery shopper scams and tax return fraud. In total, 35 actors have been tied to Scattered Canary’s operations since the group emerged in 2008.