FOSTER CITY, Calif., (June 5, 2019) — A West African-based scammer gang dubbed “Scattered Canary” has evolved from a one-man, start-up operation to a multi-faceted, scalable “corporation” with 35 “employees” targeting individuals, businesses, and government agencies, according to the new Threat Actor Dossier published today by Agari, the next-generation Secure Email Cloud that restores trust to the inbox.
Scattered Canary, for which Agari has traced fraudulent activity originating from 2008, has grown exponentially from a lone-wolf cybercriminal named “Alpha,” operating entry-level Craigslist scams, to an entire organization with at least 35 criminal actors working for it. Each actor has their own area of expertise, ranging from recruiting money mules to providing infrastructure for the organization. At any one time, Alpha is orchestrating Scattered Canary’s operatives to simultaneously carry out business email compromise (BEC) scams and other fraudulent schemes, including romance scams, tax fraud, social security fraud, credit card fraud, and payroll diversion.
Similar to legitimate budding entrepreneurial companies, the Scattered Canary gang has sought to increase business operations by developing and validating scalable business models across a diverse set of revenue streams.
Initially detected after impersonating a Senior Executive at Agari to target its Chief Financial Officer, Scattered Canary has targeted individuals and organizations and, in 2017, expanded its victims to include federal and state government agencies. Using a Gmail feature that ignores periods in email addresses, the group created numerous ‘dot variant’ accounts. This made its scams more efficient by removing the need to create and monitor a different email account for every account it created on a targeted website.
As a result of this tactic, Scattered Canary was able to file 13 fraudulent tax returns with the IRS, submit applications for FEMA disaster assistance under three identities, submit 11 fraudulent Social Security benefit applications and gain approval for at least $65,000 in credit with four US-based financial institutions via 48 credit-card applications.
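The dot-variant tactic described above can be surfaced on the receiving side by collapsing each submitted address to the mailbox that actually receives its mail and grouping registrations by it. The following is an added example, not code from Agari or its report; the function names, the account identifiers and the sample addresses are constructed for illustration, and treating googlemail.com as an alias of gmail.com goes beyond what the page states.

```python
from collections import defaultdict

# Domains whose mailboxes ignore periods in the local part. googlemail.com is
# Gmail's alias domain; including it is an addition beyond the page.
DOT_INSENSITIVE = {"gmail.com", "googlemail.com"}

def canonical_mailbox(address):
    """Map an address to the mailbox that actually receives its mail."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    if domain in DOT_INSENSITIVE:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def dot_variant_clusters(signups, min_variants=2):
    """Return {mailbox: sorted account ids} for mailboxes that sit behind
    accounts registered under different spellings of the same address."""
    spellings = defaultdict(set)
    accounts = defaultdict(set)
    for account_id, address in signups:
        try:
            box = canonical_mailbox(address)
        except ValueError:
            continue  # malformed addresses are skipped, not clustered
        spellings[box].add(address.strip().lower())
        accounts[box].add(account_id)
    return {box: sorted(accounts[box])
            for box, seen in spellings.items() if len(seen) >= min_variants}

# Constructed sample registrations: (account id, address as submitted).
SAMPLE_SIGNUPS = [
    ("acct-1001", "jane.doe.example@gmail.com"),
    ("acct-1002", "janedoe.example@gmail.com"),
    ("acct-1003", "J.a.n.e.doeexample@googlemail.com"),
    ("acct-1004", "jane.doe.example@example.org"),  # dots are significant here
    ("acct-1005", "janedoe.example@example.org"),
    ("acct-1006", "someone.else@gmail.com"),
]

if __name__ == "__main__":
    for box, ids in dot_variant_clusters(SAMPLE_SIGNUPS).items():
        print(f"{box}: {len(ids)} accounts -> {', '.join(ids)}")
```

Only domains known to ignore periods are collapsed, so the two example.org registrations stay separate mailboxes and are not flagged.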
“BEC can no longer be viewed in isolation,” said Crane Hassold, senior director of threat research, Agari. “If we are to take Scattered Canary as a microcosm for the organizations behind today’s most malicious scams, it demonstrates that a more holistic approach, one based on threat actor identity rather than type of fraudulent activity, is needed to detect email fraud and protect businesses. While Scattered Canary’s primary attack vector is BEC, at any given time, it is also involved in a dozen other types of disparate scams.”
The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide business email compromise (BEC) and spear-phishing investigation. ACID uncovers identity deception tactics, criminal group dynamics, and trends in advanced email attacks, and helps mitigate cybercrime activity by working with law enforcement and other trusted partners.
The Federal Bureau of Investigation’s (FBI) annual Internet Crime Report revealed that losses from BEC scams nearly doubled to $1.3 billion in 2018.
Download “Scattered Canary: The Evolution and Inner Workings of a West African Cybercriminal Start Up Turned BEC Enterprise.”
Agari is transforming the legacy Secure Email Gateway with its next-generation Secure Email Cloud™ powered by predictive AI. Leveraging data science and real-time intelligence from trillions of emails, the Agari Identity Graph™ detects, defends, and deters costly advanced email attacks including business email compromise, spear phishing and account takeover. Winner of the 2018 Best Email Security Solution by SC Magazine, Agari restores trust to the inbox for government agencies, businesses, and consumers worldwide. Learn more at www.agari.com.
Jean Creech Avent
Senior Director, Global Corporate Communications