Agari threat researchers say the fraudster group they call Scarlet Widow has switched from phishing large corporations to attacking "more vulnerable sectors such as school districts, universities, and non-profits, which tend to be more poorly defended".
And instead of demanding bank drafts, it's collecting money via Apple iTunes and Google Play gift cards before trading them for cash.
In a typical scam, a member of staff gets an email that pretends to be from their boss or another senior figure. It asks them to buy gift cards and send back photos of the backs of the cards (where the redemption codes are printed), for reasons that will supposedly be explained later. Agari says the gift cards are being traded on Paxful, a legitimate US-based peer-to-peer cryptocurrency exchange, at a reduced rate; the resulting bitcoins are then sold on for cash received via bank transfers.
Gift cards can't easily be blocked or tracked by the banks, though it does mean the average "win" is smaller when they do manage to scam a victim.
It seems this technique is becoming increasingly common. America's FTC said last October that "when people report paying a fraudster with a gift or reload card, about four times out of five the fraud they report is an imposter scam – in fact, gift cards and reload cards are now the number one reported method of payment for imposter scams." (In imposter scams, the fraudsters may pretend to be businesses, bosses, colleagues, family members, friends, or even government agencies.)
Agari says that Scarlet Widow's targets have included "dozens of small-town schools and school districts in Indiana and Wisconsin plus charities, hospitals, churches and a number of universities in the US, UK, Australia and New Zealand". Names and email addresses are often obtained by scraping websites and directories.
The hit-rate for this particular type of phishing – or Business Email Compromise (BEC), as Agari calls it – must be very low, but apparently it's successful enough to be profitable. It should be possible to reduce it with a bit of user education, i.e. by telling staff that anyone who asks them to send company money using gift cards can be assumed to be a scammer. (They should already know that CEOs and department heads etc. typically have more than one debit or credit card, so they're unlikely to need $1,000 worth of iTunes vouchers in a hurry.)
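The pattern described above has a few machine-checkable tells: an executive's display name on an address that is not the one on file, a Reply-To that diverts answers to an outside mailbox, and a request to pay in gift cards. The following is an added example, not Agari's code or a description of its product, of a small triage check a mail-filtering or SOC team could run over inbound messages. The organisation domain, the executive directory and the three sample messages are constructed for the example.

```python
"""Triage check for gift-card BEC ("boss asks for iTunes cards") messages.

Constructed example: the domain, executive list and sample messages below
are made up for illustration and are not taken from any real incident.
"""
import re
from dataclasses import dataclass, field
from email.utils import parseaddr

ORG_DOMAIN = "example-school.edu"  # assumed organisation domain

# Assumed executive directory: display names a spoofer would imitate,
# mapped to the only address each executive legitimately sends from.
EXECUTIVES = {
    "jane doe": "jane.doe@example-school.edu",
    "mark superintendent": "m.super@example-school.edu",
}

GIFT_CARD_TERMS = re.compile(
    r"\b(gift\s*cards?|itunes|google\s*play|reload\s*cards?|"
    r"photos?\s+of\s+the\s+backs?)\b",
    re.IGNORECASE,
)
URGENCY_TERMS = re.compile(
    r"\b(urgent|asap|right away|in a meeting|can't talk|explain later)\b",
    re.IGNORECASE,
)


@dataclass
class Verdict:
    flagged: bool
    reasons: list = field(default_factory=list)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess(headers: dict, body: str) -> Verdict:
    """Return a Verdict listing every signal seen and whether to flag."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()

    # 1. Display name of a known executive, but not their address on file.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        reasons.append("display-name-mismatch")

    # 2. Sender domain outside the organisation.
    if _domain(addr) != ORG_DOMAIN:
        reasons.append("external-sender")

    # 3. Reply-To diverting replies to an outside mailbox.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != ORG_DOMAIN:
        reasons.append("reply-to-external")

    # 4. Payment requested in gift cards; 5. pressure to act now.
    if GIFT_CARD_TERMS.search(body):
        reasons.append("gift-card-request")
    if URGENCY_TERMS.search(body):
        reasons.append("urgency-pressure")

    # Flag when a gift-card request coincides with an identity or routing
    # anomaly; an internal note that merely mentions gift cards passes.
    anomaly = {"display-name-mismatch", "external-sender", "reply-to-external"}
    flagged = "gift-card-request" in reasons and bool(anomaly & set(reasons))
    return Verdict(flagged, reasons)


# Constructed sample messages: spoofed boss, routine internal mail,
# internal address with replies diverted outside.
SAMPLES = [
    ({"From": '"Jane Doe" <jane.doe.principal@gmail.com>'},
     "Are you at your desk? I need 5 iTunes gift cards for a vendor. "
     "Scratch the back and send me photos of the backs. I'll explain later."),
    ({"From": '"Jane Doe" <jane.doe@example-school.edu>'},
     "Reminder: staff meeting moves to Thursday at 3pm."),
    ({"From": '"Mark Superintendent" <m.super@example-school.edu>',
      "Reply-To": "mark.super.office@outlook.com"},
     "Please purchase Google Play cards for the fundraiser and reply with the codes."),
]


def run_samples() -> list:
    """Assess every constructed sample and return the verdicts in order."""
    return [assess(h, b) for h, b in SAMPLES]


if __name__ == "__main__":
    for (headers, _), verdict in zip(SAMPLES, run_samples()):
        print(headers["From"], "->", "FLAG" if verdict.flagged else "ok", verdict.reasons)
```

The deciding rule is deliberately conservative: a gift-card request on its own is not enough, it must coincide with a sender or routing anomaly, which keeps a genuine internal message about, say, a fundraiser prize from being quarantined. Real deployments would also check the authentication results (SPF, DKIM, DMARC) recorded in the headers rather than trusting the From domain alone.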
Agari, of course, has another idea. It offers a "next-generation Secure Email Cloud powered by predictive AI" to detect and defend against these and similar email attacks. Tracking phishing gangs and the way they mount attacks contributes to protecting Agari's customers.
The latest free report from the Agari Cyber Intelligence Division (ACID), Scarlet Widow, Part 2: BEC Bitcoin Laundry: Scam, Rinse, Repeat, is available online. An earlier report, Scarlet Widow, Part 1: Breaking Hearts for Profit, covered the gang's so-called Romance Scam. This involved swindling users of dating sites out of money for plane tickets and other expenses.