How one romance scammer built an international phishing operation

Researchers have detailed the evolution of a business email compromise scheme that is thought to have cost organisations millions, but over a decade ago the operation had very simple beginnings.
Written by Danny Palmer, Senior Writer

A security company has detailed how a con artist who began his cyber-criminal career as a simple Craigslist romance scammer has gone on to build a highly successful business email compromise (BEC) operation, targeting organisations and raking in millions of dollars.

Since 2008, the individual has built an organisation employing dozens of other cybercriminals, hackers and money mules in a scheme that targets enterprises to trick employees into transferring large sums of money.


Dubbed Scattered Canary, the evolution of the Nigerian-run criminal scheme has been detailed by researchers at cybersecurity company Agari. Researchers have been able to interact with and track the activity of the group after the organisation's CFO was targeted by Scattered Canary in November 2018.

"Their primary goal is to identify people who have the ability to send money and identify who should be impersonated to send that money and send those emails out," Crane Hassold, senior director of threat research at Agari Cyber Intelligence Division, told ZDNet.

The BEC attacks work like those of similar schemes: attackers send phishing emails to employees and executives designed to look as if they come from a contact within the business, asking them to make a wire transfer to a phoney account, or to fill out a form that steals their login credentials and so provides access to the company's finances.

The emails often pressure the recipient to respond quickly by imposing a tight deadline, in the hope that employees will feel obliged to do something they think their boss is demanding.

The group also runs payroll diversion scams, in which it contacts human resources departments and encourages them to change the direct-deposit accounts associated with high-level executives.

These types of scams are becoming highly popular with email scammers because they don't require a mule to move stolen money from one account into another -- scammers can simply apply for a credit card online and ask the HR team to redirect funds to that account.

What's unusual is that the security company said it has managed to trace the history of the leader of the group, who it said is living in Ibadan, Nigeria. This individual wasn't always going after such big targets; he started his cybercriminal career as a low-level scammer who cut his teeth on Craigslist between 2008 and 2010, according to Agari.

After gaining some success with this, he branched out into other areas of social engineering, most notably romance scams: he would build relationships online and then exploit victims for money, tricking them into giving him access to their bank accounts or retirement funds, or into buying him pre-payment cards. This mean-spirited but lucrative scam remained the main focus of Scattered Canary until 2015.

By late 2015, it seems he realised that he could expand his operations by joining forces with others, which is when he met an individual who would help him run Scattered Canary as an organised operation and move away from romance scams to enterprise attacks.

This started with the mass harvesting of credentials via phishing attacks against targets that were initially focused in Asia, but later expanded to North America -- with a focus on the US.

It was during this time that the group realised that domain spoofing allowed them to gain greater leverage in attacks, using social engineering to appear as if they were employees within the organisation, asking for a favour or a transfer to be made.
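The tactics described above (an executive's display name on an outside address, a lookalike domain, replies silently redirected, and a deadline attached to a wire or payroll request) are what a mail filter can look for. The following Python is an added example written for this page, not code from Agari or from the article; it assumes a placeholder corporate domain example-corp.com, a constructed executive list and a constructed sample message.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (constructed, not from the article): our real domain and executives worth impersonating.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "sam lee"}
URGENCY = re.compile(r"\b(urgent|asap|immediately|deadline|right away)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|direct deposit|bank details|payroll|invoice)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot domains one or two typos away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message: str) -> list:
    """Return the BEC red flags found in one RFC 822 message (empty list means none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    # A known executive's display name on a non-corporate address.
    if name.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        flags.append("executive display name on external address")
    # Domain spoofing via a registered lookalike of our own domain.
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        flags.append(f"lookalike domain {from_domain}")
    # Replies routed to a mailbox that is not the apparent sender's.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to routed to {reply_domain}")
    # Deadline pressure combined with a money-movement request.
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent payment or payroll request")
    return flags

# Constructed sample: a payroll-diversion lure of the kind the article describes.
SUSPECT = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.office@webmail.example
Subject: Urgent: update my direct deposit

Please change my payroll direct deposit to the new account before the deadline today.
"""
```

Running `bec_indicators(SUSPECT)` returns all four flags; a routine internal message from the real domain with no Reply-To returns an empty list.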


It was also around this time that the group started to expand further, turning Scattered Canary into a well-oiled machine in which scammers, mules and others each played specific roles.

With a larger team operating the campaigns, Scattered Canary turned its attention to bigger targets -- and bigger pay-offs, which led to the recruitment of more scammers. In total, 35 individuals have helped make Scattered Canary millions, with the boss now having more of a hands-off role.

Business Email Compromise attacks have become a successful means of cybercriminals making money, with US companies alone believed to have lost over a billion dollars to scams last year.

Scattered Canary is far from the only malicious actor operating in this space -- Agari has previously detailed attacks by a phishing gang dubbed London Blue.
