In order to succeed in their BEC attacks, Scattered Canary first needed to find targets. To do this, Scattered Canary, like other BEC criminal groups we’ve researched, used online commercial lead generation services—the same ones legitimate sales and marketing teams use all over the world. Like any startup, though, Scattered Canary wanted to pinch pennies.
One of the ways they did this was to use the Gmail dot variant account technique discussed earlier to sign up for a seven-day free trial period with a service like Lead411. The group would then use the service to retrieve as many target leads as possible in the one-week timeframe. Once the free trial ended, the group would let it lapse and then sign up for it again using the same email address—but with periods in different places in the registered email address. Scattered Canary did this a total of twenty times over a three-year period in order to maintain access to this lead generation service without paying a monthly subscription.
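The repeated-trial pattern above is detectable on the service side because Gmail treats every dot-variant (and every `+tag` suffix, and `googlemail.com`) of a local part as the same mailbox. The following is an added example, not code from the original report or from any lead generation vendor: it canonicalizes Gmail addresses and groups free-trial signups by that canonical identity so that a fraud or abuse team can flag accounts that keep re-registering. The signup records are constructed sample data, and the `find_trial_abuse` function and its threshold are assumptions for illustration.

```python
from collections import defaultdict

# Domains Google delivers to the same mailbox (googlemail.com is a legacy alias).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_gmail(address: str) -> str:
    """Return the canonical form of an email address.

    For Gmail-hosted addresses, dots in the local part are ignored, anything
    after a '+' is a user-chosen tag, and googlemail.com is an alias of
    gmail.com. Addresses on other domains are only lowercased and trimmed,
    since dot-insensitivity is a Gmail-specific behaviour.
    """
    local, _, domain = address.strip().lower().rpartition("@")
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_trial_abuse(signups, threshold=2):
    """Group trial signups by canonical mailbox and return repeat offenders.

    `signups` is an iterable of (timestamp, registered_email) tuples, as a
    signup log would provide. Any canonical identity seen at least
    `threshold` times is returned with the full list of registrations,
    so an analyst can see the dot variants that were used.
    """
    by_identity = defaultdict(list)
    for ts, email in signups:
        by_identity[canonical_gmail(email)].append((ts, email))
    return {k: v for k, v in by_identity.items() if len(v) >= threshold}


# Constructed sample signup log: four dot/alias variants of one mailbox plus
# one unrelated legitimate signup on a non-Gmail domain.
SAMPLE_SIGNUPS = [
    ("2016-03-01", "scattered.canary.demo@gmail.com"),
    ("2016-03-15", "scatteredcanary.demo@gmail.com"),
    ("2016-04-02", "s.c.a.t.t.e.r.e.d.canarydemo@googlemail.com"),
    ("2016-04-10", "legit.user@example.com"),
    ("2016-05-01", "scatteredcanarydemo+lead@gmail.com"),
]

if __name__ == "__main__":
    for identity, records in find_trial_abuse(SAMPLE_SIGNUPS).items():
        print(f"{identity}: {len(records)} trial signups")
        for ts, email in records:
            print(f"  {ts}  {email}")
```

A service applying this check would compare each new trial registration against lapsed trials by canonical identity rather than by the literal string, which removes the incentive to cycle dot variants; the same normalization is useful when correlating actor email addresses across separate fraud investigations.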
Once the group had a list of leads, often for the Chief Financial Officer or other top executive, and corresponding information for the CEO, they could then begin sending their malicious emails.
When it comes to engaging targets, Scattered Canary frequently maximized efficiencies through the use of scripts, or as some members of the group call them, “formats.” These formats are templated text documents that can contain several layers of phishing messages to send to potential victims. During our research into Scattered Canary, we identified a format containing 26 different message templates that could be used to target organizations in a variety of BEC scams, including direct deposit and W-2 fraud.
The next piece of the BEC puzzle Scattered Canary needed to solve was how to facilitate wire transfers from victims without exposing the group’s own accounts. Beta specializes in romance scams and was the first Scattered Canary member to start providing these bank account and routing numbers to Alpha.
By using social engineering, Alpha was able to convince organizations to send funds to romance victims. Once victims received the money, romance mule handlers would instruct them to wire the money elsewhere, and it would eventually make its way back to the actors. If more accounts were needed, the mule handler would simply ask the victims to open another account for them, which is something Beta did with his victims.
While some actors do not hide the fact that they are operating from Nigeria, others have tried to mask their true locations. Scattered Canary maintained subscriptions for several pieces of software to communicate with potential BEC, check fraud, and romance scam victims while remaining somewhat anonymous. To accomplish this, the group made use of VPN infrastructure and applications in order to make their traffic appear more legitimate.
Over an eight-year period, Scattered Canary leveraged several methods for texting back and forth with victims. Three of the services the group used to engage with victims via SMS were TextMe, Google Voice, and Hushed. While TextMe and Google Voice allow for unlimited messaging, Hushed allows users to set up multiple phone numbers for voice and messaging from the city or country of their choice—a useful tactic for engaging with romance scam victims who believed that the person they were communicating with was located in a specific place.
Furthermore, the service allows users to switch to a new number whenever they wish. During our analysis, we were able to identify ten Hushed phone numbers that Scattered Canary used to engage with victims, as well as other threat actors and cybercrime groups. Of the ten Hushed phone numbers we identified, four were based in the United Kingdom. The remaining six were based in the United States, with two in Alabama, and one each in Hawaii, Illinois, Connecticut, and Arkansas.
It is important to note that while Scattered Canary used Google Voice in romance scams spanning four years, the same phone number was used in a host of other schemes as well. Starting in late 2017, for instance, the actor listed it as a call-back number in fraudulent applications for Hurricane Harvey disaster recovery assistance, home mortgage assistance, online loan applications, staffing agency services, and more. The point remains—few scams exist without a connection to one or more others run by the same criminal organization.
When BEC first exploded in 2015, little was known about its origins or how it may relate to other types of fraud. In order to effectively defeat BEC and the threat actors behind it, it is critically important that we step back and look at the bigger picture—regardless of how big that picture may be.
With BEC overlapping with dozens of other types of scams—ranging from credit card and check fraud to romance scams to W-2 and payroll diversion schemes—approaching BEC as a singular problem will not lead to success. Instead, it will only result in a frustrating game of digital whack-a-mole, with no real success in finding and prosecuting the actors responsible for it.
If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most pernicious email scams, this report demonstrates that a much more holistic approach—one based on threat actor identity rather than type of fraudulent activity—is required to detect email fraud and protect organizations.
This fight is not just about business email compromise. It is about all types of fraud, no matter the form it takes today—or tomorrow.