FOSTER CITY, Calif., Feb. 27, 2019 — A Nigeria-based scammer gang dubbed “Scarlet Widow” is unleashing ruthless email fraud attacks against K-12 schools, universities and nonprofits around the world, according to a report published today by Agari, the next-generation Secure Email Cloud that restores trust to the inbox.
Scarlet Widow’s targets include dozens of small-town schools and school districts in Indiana and Wisconsin; U.S. and U.K. nonprofits including Boy Scouts of America and the Salvation Army; and universities in Florida, the United Kingdom, New Zealand and Australia, Agari found.
To launder its proceeds, Scarlet Widow is using Paxful, a U.S.-based peer-to-peer cryptocurrency exchange that allows it to move scammed funds beyond the reach of authorities within minutes. Scarlet Widow and other West African scammers use this exchange to convert fraudulently obtained gift cards into cryptocurrency for 40 to 80 cents on the dollar.
This is the second report Agari has released on Scarlet Widow, focusing on the group’s Business Email Compromise (BEC) activities. Agari described Scarlet Widow’s romance scams targeting lonely men and women in “Scarlet Widow Part 1,” released earlier in February.
During Agari’s investigation into Scarlet Widow, researchers identified a consolidated database containing targeting information for more than 30,000 individuals at more than 13,000 organizations in 12 countries. This targeting list includes more than 3,400 individuals at more than 5,500 nonprofits, and more than 1,800 individuals at 660 educational institutions. Scarlet Widow uses a web scraper to traverse the online directories of nonprofit organizations and collect email addresses, a process it refers to as “bombing” the directory.
While the Boy Scouts of America was the nonprofit with the highest number of individual targets, other major U.S.-based nonprofit organizations appeared frequently in Scarlet Widow’s target database, including a West Coast chapter of the United Way, a nationwide anti-hunger charity, a Texas ballet foundation, a large hospital and physician group in North Carolina, a Midwest Archdiocese of the Catholic Church, a well-known annual arts festival, and numerous chapters of the YMCA.
In the United Kingdom, Scarlet Widow secured targeting information for individuals at more than 1,300 large and small nonprofits, including the country’s leading children’s charity, a large advocacy and support group for the disabled, the national Salvation Army organization, and a family services hub for a borough of London.
Scarlet Widow has recently targeted universities in Florida, Massachusetts, and Oregon, including Harvard University, Massachusetts Institute of Technology (MIT), Oregon State University, University of Florida, University of Miami, University of Oregon, and others.
In the U.K., some of Scarlet Widow’s academic targets included University of Oxford, University of Cambridge, Imperial College London, and University of Glasgow. It went after Australia’s Curtin University and University of Newcastle; and New Zealand’s University of Canterbury and Victoria University Wellington. More than one-third of the email addresses in Scarlet Widow’s educational database were for universities and K-12 schools in New Zealand.
It is important to note that while these schools and nonprofits were targeted, the attacks weren’t necessarily successful. Any individual scam email has a low probability of success—previous Agari research found a success rate of 0.37%. However, the scam groups generate strong returns through a huge volume of attacks. BEC attacks are growing fast, with reported BEC losses in the United States rising 88% between 2016 and 2017, according to the FBI’s Internet Crime Complaint Center.
While the bulk of its recent BEC attacks have focused on schools and nonprofits, Scarlet Widow also seems to be preparing for phishing campaigns targeting tax preparation firms. In September 2018, the group began collecting targeting information on thousands of United States-based tax preparers, likely to target these individuals with W-2 BEC attacks before and during the current tax season.
In investigating Scarlet Widow, Agari observed a shift in the group’s cash-out methods that parallels trends observed across the entire BEC threat landscape. While the group relied on wire transfers in its early BEC scams, it has now transitioned to seeking payment through Apple iTunes and Google Play gift cards. This method delivers cash quickly, can’t be reversed through quick action by bank officials, and eliminates the need to manage a network of money mules inside the target country.
This behavior mirrors findings from a 2018 report from the U.S. Federal Trade Commission. From January through September 2018, gift cards and reload cards were the payment method in 26% of fraud reports, up from just 7% in 2015, the FTC said. Among those who paid a scammer with a gift or reload card, 42% used iTunes or Google Play cards, according to the report.
The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide Business Email Compromise (BEC) and spearphishing investigation. ACID uncovers identity deception tactics, criminal group dynamics, and trends in advanced email attacks, and helps mitigate cybercrime activity by working with law enforcement and other trusted partners.
Download Scarlet Widow, Part 2: BEC Bitcoin Laundry: Scam, Rinse, Repeat
Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud™ powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends, and deters costly advanced email attacks including business email compromise, spear phishing and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide. Learn more at www.agari.com.