Scattered Canary Evolves From One-Man Operation to BEC Giant

A Nigerian cybercriminal group dubbed Scattered Canary has evolved from a one-man operation running Craigslist and romance scams into a large-scale criminal business that runs multiple types of fraud concurrently and coordinates at least 35 threat actors.

Since 2008, when the group's founder, "Alpha," ran basic scams, Scattered Canary has evolved into an organization whose credential phishing operations feed business email compromise (BEC) scams and credit card fraud, as detailed by the Agari Cyber Intelligence Division (ACID).

Based on historical research into Scattered Canary's operations, the group started with a single individual, whom we call Alpha in this report. Alpha started out in the trenches of Craigslist scams with his mentor, Omega, who would expose Alpha to things like check fraud and romance scams.

"Once they had secured enough mules via their romance scams to launder their stolen money, they shifted from targeting individuals to targeting enterprises, and the group’s BEC operation was born," says ACID.

Even though their BEC schemes are highly profitable, Scattered Canary is also "involved in a number of different types of scams simultaneously—including romance scams, tax fraud, social security fraud, employment scams, and more."

[Figure: Scattered Canary growth timeline]

The group's BEC operations 

Scattered Canary's BEC operations were first detected when the group targeted Agari's Chief Financial Officer Raymond Lim, "inquiring as to his availability to send out a domestic wire transfer."

After this initial contact, ACID kept the criminal organization busy for roughly two months, leading the scammers to send details of eight different mule accounts the group used to collect funds from its BEC victims.

All the data collected by ACID, including Scattered Canary's tactics, techniques, and procedures (TTPs) as well as its primary actors and history, was also delivered to law enforcement for further investigation.

Scattered Canary's focus on BEC scams closely follows a trend revealed by the FBI's Internet Crime Complaint Center (IC3) in its 2018 Internet Crime Report, which found that cybercriminals were able to grab $1.2 billion in profits by targeting wire transfer payments of both businesses and individuals throughout last year.

Also, a Proofpoint report from January showed that BEC attacks have seen an explosive 476% growth between Q4 2017 and Q4 2018.

Scattered Canary's BEC toolkit

The Scattered Canary actors use various tools to help them get the job done easier and faster, ranging from victim leads and phishing message templates to VOIP phone numbers and VPNs to hide their real location.

During the time their operations were observed, the group collected their target leads using one-week trial accounts registered with the Lead411 lead generation service "a total of twenty times over a three-year period."

Scattered Canary crooks also made use of a collection of templated text documents dubbed "formats" by the actors and designed to speed up the group's phishing efforts.

During their investigation, ACID "identified a format containing 26 different message templates that could be used to target organizations in a variety of BEC scams, including direct deposit and W-2 fraud."

[Figure: Scattered Canary BEC emails]

The scammers also used multiple VPN applications while exchanging messages with BEC, check fraud, and romance scam targets to hide the fact that they were based in Nigeria and "to make their traffic appear more legitimate."

Last but not least, Scattered Canary actors also made use of VoIP phone numbers provided by services such as TextMe, Google Voice, and Hushed. This made it possible for them to "set up multiple phone numbers for voice and messaging from the city or country of their choice" and to switch quickly between phone numbers.

Despite this, more than one of the scams operated by the cybercriminal group used the same call-back number starting in late 2017 "in fraudulent applications for Hurricane Harvey disaster recovery assistance, home mortgage assistance, online loan applications, staffing agency services, and more."

This oversight made it a lot easier for ACID to connect these operations to the Scattered Canary criminal organization and to get an eagle-eye view of the group's highly varied operations.
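As an added illustration of the pivot ACID describes above (this is example code, not anything from the Agari report), the script below takes a constructed set of fraud application records, normalizes their free-form callback numbers, and flags any number that recurs across distinct scam types. The record layout, field names and phone values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records: invented scam applications, each with a
# callback number written in a different free-form style.
RECORDS = [
    {"id": 1, "scam": "disaster_assistance", "callback": "(555) 010-2222"},
    {"id": 2, "scam": "mortgage_assistance", "callback": "555-010-2222"},
    {"id": 3, "scam": "online_loan",         "callback": "+1 555 010 2222"},
    {"id": 4, "scam": "staffing_agency",     "callback": "555.010.9999"},
    {"id": 5, "scam": "online_loan",         "callback": "5550109999"},
    {"id": 6, "scam": "disaster_assistance", "callback": "555-010-3333"},
]


def normalize_phone(raw: str, default_country: str = "1") -> str:
    """Reduce a free-form number to bare digits with a country code.

    Punctuation, spaces and the leading '+' are stripped; a 10-digit
    national number gets the assumed default country code prepended so
    that "(555) 010-2222" and "+1 555 010 2222" compare equal.
    """
    digits = re.sub(r"\D", "", raw)
    if len(digits) == 10:
        digits = default_country + digits
    return digits


def cluster_by_callback(records):
    """Group records by their normalized callback number."""
    clusters = defaultdict(list)
    for rec in records:
        clusters[normalize_phone(rec["callback"])].append(rec)
    return clusters


def cross_scam_pivots(records, min_scam_types: int = 2):
    """Return callback numbers reused across at least min_scam_types
    distinct scam types, with the scam types and record ids involved.
    A number seen in only one scam type is not a pivot and is dropped."""
    pivots = {}
    for number, recs in cluster_by_callback(records).items():
        scam_types = sorted({r["scam"] for r in recs})
        if len(scam_types) >= min_scam_types:
            pivots[number] = {
                "scam_types": scam_types,
                "record_ids": sorted(r["id"] for r in recs),
            }
    return pivots
```

Run against real intake data, the same grouping can be keyed on any reused contact detail (email address, mule account) rather than only the phone number.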
