Lone Wolf Scammer Built a Multifaceted BEC Cybercrime Operation

Published: 23/11/2024   Category: security




Over the past decade, a one-man 419 scam evolved into a lucrative social-engineering syndicate that now runs a combination of business email compromise, romance scams, and financial fraud.



This wasn't the first time the chief financial officer of email security vendor Agari had been targeted in a business email compromise (BEC) scam. As in the first incident in August 2018, Agari's own email security platform flagged a suspicious email, three months later, addressed to its CFO, Raymond Lim, that posed as a supplier requesting a wire transfer for an invoice payment.
Agari researchers played along with the scammers as they had done in the August incident, impersonating the CFO's administrative assistant and stringing them along for about a month while gathering intelligence on the people and operation behind the November emails. The researchers identified the BEC attackers as a Nigeria-based cybercrime gang they nicknamed Scattered Canary, a group of some 35 individuals that they believe may be a subgroup of an even larger criminal organization.
They discovered that this group wasn't just sending BEC emails to make money. Scattered Canary also conducts romance scams, credit card fraud, check fraud, fake job listings, credential harvesting, and tax schemes, among other online cons.
"What we recognized when we looked at this group ... was that BEC is just one type of attack these guys use at any given time. There can be dozens of [different] scams they can be doing [simultaneously]," says Crane Hassold, senior director of threat research at Agari.
The researchers kept in touch with Scattered Canary for a couple more months and obtained from them eight mule accounts, which they then passed on to law enforcement and to financial organizations to help shut down the money laundering.
Agari traced the group's founding back to 2008, when a lone individual, whom they dubbed Alpha, ran rudimentary but lucrative Craigslist scams that duped victims into wiring him money or mailing him cashier's checks for items sold on the forum. Alpha then expanded into romance scams and brought on a fellow fraudster (Beta). The pair laundered their pilfered funds via money mules and ultimately set their sights on bigger targets, mainly businesses and government agencies, via BEC scams, the centerpiece of the group's operation today. In the past two years, the group doubled in size as it harvested new mule accounts and expanded into other crimes, such as tax return fraud.
Scattered Canary's scams are rooted in pure social engineering: no malware required.
"We've not seen Scattered Canary using malware," says Ronnie Tokazowski, senior threat researcher at Agari. "They are using compromised RDP [remote desktop protocol] credentials and compromised websites to host phishing kits, but they don't have a full-blown hacking infrastructure per se," he explains. Scattered Canary mostly employs specific scam scripts and templates that it copies and pastes into the emails it sends to targeted victims.
BEC and email account compromise scams have been on the rise worldwide: The FBI Internet Crime Complaint Center last year received more than 20,000 reports from victims who lost more than $1.2 billion to these scams. Interestingly, in the US, half of BEC victims recovered 99% of their money, according to Verizon's Data Breach Investigations Report. Barely 10% of them recovered none of their money. But it only takes a few successful hits to be lucrative. As Verizon points out in its report, even if just 1% of 1,000 BEC attacks succeed, the BEC scammer can still net thousands of dollars.
London Blue Calling
Prior to the November incident, Agari researchers turned the tables on a BEC scam on Aug. 7, 2018, when their email security platform caught a BEC email sent to CFO Lim that posed as Agari CEO Ravi Khatod. The team extracted enough information from its email interactions with the attackers to pinpoint the physical location of two of the gang's main operators, who live and work in London.
London Blue at the time had 20 to 25 individuals, including 17 money mules spread around the US and Western Europe.
But Scattered Canary is a much larger operation than London Blue, according to Agari. "Scattered Canary is likely an arm of a bigger entity. We are still trying to research that a little more heavily," Hassold notes.
Scattered Canary has adjusted and reset its tactics over time. For example, after years of spoofing a targeted company's domain, in the fall of 2016 the group began using webmail and other free email accounts instead. It also takes advantage of the fact that Gmail ignores periods in the local part of an address: [email protected] and [email protected], for example, are treated by Gmail as the same mailbox, according to Agari's report. "This allows scammers to scale their operations more effectively by removing the need to create and monitor a different email account for every account they create on a website," the company states in its recently published report on Scattered Canary.
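The dot trick described above cuts both ways: a site that canonicalizes Gmail addresses before counting accounts will see every dot and plus variant collapse onto one mailbox and can flag the farmed signups. The Python below is an added example written for this page, not code from Agari's report; the dot-insensitive domain list, the threshold and the sample signup table are constructed assumptions.

```python
"""Canonicalize Gmail-style addresses so that dot and plus variants map to one mailbox,
then surface mailboxes hiding behind many distinct signups."""
from collections import defaultdict

# Assumption: domains whose mail server ignores dots in the local part and
# routes "local+tag" to "local" (Gmail behaviour; googlemail.com is an alias).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a canonical form of an email address.

    For Gmail-hosted addresses: lower-case, drop any "+tag" suffix, remove
    dots in the local part, and map googlemail.com to gmail.com.
    For every other domain only case is normalized: dots in the local part
    are significant there, so they are left alone.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def group_by_mailbox(addresses):
    """Map canonical mailbox -> list of the raw variants that resolve to it."""
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonicalize(raw)].append(raw)
    return dict(groups)


def suspicious_mailboxes(addresses, threshold=3):
    """Return canonical mailboxes behind at least `threshold` distinct signups."""
    return {box: variants for box, variants in group_by_mailbox(addresses).items()
            if len(variants) >= threshold}


# Constructed sample: signup addresses as they might appear in a site's user table.
SAMPLE_SIGNUPS = [
    "j.doe@gmail.com",
    "jdoe@gmail.com",
    "jd.oe+jobs@googlemail.com",
    "J.D.O.E@gmail.com",
    "alice@example.com",
    "a.lice@example.com",   # not Gmail: dots are significant, stays a separate mailbox
    "bob+1@gmail.com",
]

if __name__ == "__main__":
    for mailbox, variants in suspicious_mailboxes(SAMPLE_SIGNUPS).items():
        print(f"{mailbox}: {len(variants)} signups -> {variants}")
```

Only the Gmail-hosted domains collapse dots; most other providers treat a.lice and alice as different mailboxes, so the function leaves them distinct. Plus-address suffixes are stripped for Gmail as well, since the tag still lands in the same inbox. A fraud team would extend DOT_INSENSITIVE_DOMAINS only with providers it has verified behave the same way, and would treat a match as a signal to review rather than proof of abuse, since legitimate users do re-register with a plus tag.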
A recent Cisco Systems report found that two-thirds of BEC scams employ free webmail and 28% use registered domains.
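Both Agari incidents fit the pattern these numbers describe: a message whose display name borrows the CEO's or a supplier's identity while the actual mailbox is a free webmail account or an external Reply-To, with a wire transfer or gift card ask in the body. The Python below is an added example for this page, not Agari's detection logic; the executive list, internal domain, free-webmail set, lure terms and the three sample messages are all constructed assumptions standing in for an organization's own data.

```python
"""Score an inbound message for executive/supplier impersonation signals:
display name matching a known executive but a different sender mailbox,
free-webmail sender, Reply-To pointing somewhere other than the From domain,
and payment-themed lure wording."""
from email import message_from_string
from email.utils import parseaddr

# Assumptions standing in for the defended organization's own data.
INTERNAL_DOMAINS = {"example.com"}
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "outlook.com",
                "hotmail.com", "aol.com"}
EXECUTIVES = {                       # normalized display name -> legitimate mailbox
    "ravi example": "ravi@example.com",
    "raymond example": "raymond@example.com",
}
PAYMENT_LURES = ("wire transfer", "gift card", "itunes", "invoice", "urgent")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _norm_name(name: str) -> str:
    # "Example, Ravi" and "ravi  example" should compare equal.
    return " ".join(name.replace(",", " ").lower().split())


def assess(raw: str) -> dict:
    """Parse an RFC 822 message and return the sender, the signals found, and a verdict."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = _domain(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    subject = msg.get("Subject", "").lower()

    tags = []
    expected = EXECUTIVES.get(_norm_name(name))
    if expected and addr != expected:
        tags.append("exec-name-mismatch")      # the London Blue / CEO-fraud shape
    if from_domain in FREE_WEBMAIL:
        tags.append("free-webmail")
    if reply_addr and _domain(reply_addr) != from_domain:
        tags.append("reply-to-mismatch")       # replies silently leave the From domain
    if any(term in body or term in subject for term in PAYMENT_LURES):
        tags.append("payment-lure")

    # A borrowed executive name is enough on its own; the other signals only
    # count when paired with a payment ask, to keep ordinary webmail senders quiet.
    suspicious = ("exec-name-mismatch" in tags
                  or ("payment-lure" in tags
                      and ("free-webmail" in tags or "reply-to-mismatch" in tags)))
    return {"from": addr, "tags": tags, "suspicious": suspicious}


# Constructed sample messages (not real captures).
MSG_IMPERSONATION = """From: Ravi Example <ravi.example.ceo@gmail.com>
To: raymond@example.com
Subject: Quick task

Are you at your desk? I need you to buy some Apple iTunes gift cards for a client today.
"""

MSG_SUPPLIER = """From: Accounts Payable <ap@vendor-invoices-example.net>
Reply-To: ap.vendor@hotmail.com
To: raymond@example.com
Subject: Invoice 4471 overdue

Please process the wire transfer for the attached invoice today.
"""

MSG_LEGIT = """From: Ravi Example <ravi@example.com>
To: raymond@example.com
Subject: Board deck

Can you send the Q3 numbers by Friday?
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", MSG_IMPERSONATION),
                          ("supplier", MSG_SUPPLIER), ("legit", MSG_LEGIT)):
        print(label, assess(sample))
```

Display-name matching is deliberately coarse: it catches the "Ravi Example <something@gmail.com>" case but not a lookalike registered domain, which is the 28% slice in the Cisco figure. In a real gateway these tags would sit alongside SPF/DKIM/DMARC results and a lookalike-domain check, and the threshold for blocking versus flagging would be tuned against the organization's own mail.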
Meanwhile, starting in July 2018, Scattered Canary shifted from wire transfers to gift cards as a way to cash out its stolen funds. The group duped business victims with emails purportedly from the CEO asking them to purchase Amazon and Apple iTunes gift cards. Like other scammers running gift card BEC scams, Scattered Canary laundered the cards it received through Paxful, a peer-to-peer online cryptocurrency exchange, Agari wrote in its report on the gang. Scattered Canary obtained 132 gift cards from victims and converted them on Paxful into roughly two bitcoin in total, worth some $12,000 to $14,000 at the time.
The BEC gang halted the gift card cashout approach in November 2018 when the price of bitcoin dropped.
BEC ROI
Hassold says it's possible that well-established cybercrime organizations in Eastern Europe and Russia could pivot to BEC scams as well. Given their size and resources, those gangs could mount even more convincing attacks.
"The ROI for BEC is significantly higher than any of the other more technical cyberattacks. I think that's going to be the next step. We'll see other groups move into this space," Hassold says, which would mean more professional and harder-to-spot BEC emails.
Cybercriminals already have been moving away from pricey zero-day attacks to lower-tech, cheaper weapons, such as malware-laden file attachments. "They're going back to basics. I don't need to develop an 0-day if I can put a macro in a Word file and a victim will click on it," Agari's Tokazowski notes. Hassold recommends that organizations include social engineering in their cyberthreat training and conversation in order to defend against BEC and other email-borne scams targeting businesses today.
"These nontechnical type attacks are now the predominant mode of cyberattacks today," he says. "This is the type of attack employees will see, so they should include them in education and awareness training."