SAN FRANCISCO – A Nigeria-based scammer gang dubbed “Scarlet Widow” has been launching email fraud attacks against thousands of targets – including universities, the Salvation Army, and Boy Scouts of America.
Researchers with Agari detailed the attack during an RSA Conference session on Tuesday. They said the scammer group has been unleashing a slew of business email compromise (BEC) attacks against K-12 schools, universities and nonprofits around the world.
“To launder its proceeds, Scarlet Widow is using Paxful, a U.S.-based peer-to-peer cryptocurrency exchange that allows it to move scammed funds beyond the reach of authorities within minutes,” researchers said. “Scarlet Widow and other West African scammers use this exchange to convert fraudulently obtained gift cards into cryptocurrency for 40 to 80 cents on the dollar.”
Above: Threatpost catches up with Agari Field CTO John Wilson to discuss BEC scams and Scarlet Widow
The scammers’ technique is common but tricky: They send a generically worded email to targeted victims from a temporary email account whose display name is set to that of an impersonated executive (identified through social engineering tactics as well as web scrapers that traverse online directories).
The group typically asks targeted victims to purchase multiple Apple iTunes or Google Play gift cards, and then uses Paxful to move those funds so that authorities can no longer recover them.
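As an added example (written for this page, not code from Agari or the article), a small mail-gateway check in Python that flags the pattern described above: the display name matches a known executive but the sender address is not that executive’s, and a sender outside the organisation steers the recipient toward gift cards. The organisation domain, executive directory and sample messages are constructed assumptions.

```python
import re
from email.utils import parseaddr

# Constructed directory for a hypothetical organisation (assumption, not data from the article).
ORG_DOMAIN = "example.org"
EXECUTIVES = {
    "jane doe": "jane.doe@example.org",      # hypothetical CEO
    "john smith": "john.smith@example.org",  # hypothetical CFO
}
# The payment method the article says the group now requests.
GIFT_CARD_RE = re.compile(r"\b(itunes|google play|gift\s*cards?)\b", re.IGNORECASE)

def normalize(name: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so 'Jane  Doe' == 'jane doe'."""
    return " ".join(re.sub(r"[^\w\s]", " ", name).lower().split())

def assess_message(from_header: str, subject: str, body: str) -> list:
    """Return a list of findings for one message (empty list means nothing suspicious)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = []
    # Rule 1: an executive's name in the display field, but not that executive's address.
    expected = EXECUTIVES.get(normalize(display))
    if expected and addr != expected:
        findings.append(f"display name '{display}' impersonates {expected}, actual sender {addr or '<none>'}")
    # Rule 2: a sender outside the organisation asks for gift cards.
    if domain != ORG_DOMAIN and GIFT_CARD_RE.search(f"{subject} {body}"):
        findings.append(f"external sender {addr or '<none>'} requests gift cards")
    return findings

# Constructed sample traffic: one impersonation attempt, one legitimate internal mail, one vendor mail.
SAMPLE_MESSAGES = [
    ('"Jane Doe" <janedoe.office@tempmail.example>', "Quick favor",
     "Are you at your desk? I need you to pick up some iTunes gift cards for a client."),
    ("Jane Doe <jane.doe@example.org>", "Q3 budget", "Draft attached, comments by Friday."),
    ("Acme Billing <billing@acme.example>", "Invoice 1042", "Payment due in 30 days."),
]

def scan(messages=SAMPLE_MESSAGES) -> dict:
    """Map message index -> findings, keeping only messages with at least one finding."""
    results = {}
    for i, (frm, subject, body) in enumerate(messages):
        hits = assess_message(frm, subject, body)
        if hits:
            results[i] = hits
    return results

if __name__ == "__main__":
    print(scan())  # only message 0 is flagged, with two findings
```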
In investigating Scarlet Widow, Agari observed a shift in the group’s cash-out methods that parallels trends observed across the entire BEC threat landscape, said researchers. “While the group relied on wire transfers in its early BEC scams, it has now transitioned to seeking payment through Apple iTunes and Google Play gift cards. This method delivers cash quickly, can’t be reversed through quick action by bank officials, and eliminates the need to manage a network of money mules inside the target country.”
Researchers said they have directly observed more than $15,000 in gift cards obtained through BEC attacks linked to Scarlet Widow.
The method has proved successful and widespread: Researchers identified a consolidated database containing targeting information for more than 30,000 individuals at more than 13,000 organizations in 12 countries.
This targeting list includes more than 3,400 individuals at more than 5,500 nonprofits, and more than 1,800 individuals at 660 educational institutions. The Boy Scouts of America was the nonprofit with the highest number of individual targets, but Scarlet Widow’s targets also included the national Salvation Army organization, the West Coast chapter of the United Way, a Texas ballet foundation, a large hospital and physician group in North Carolina, a Midwest Archdiocese of the Catholic Church and numerous chapters of the YMCA.
The group also targeted universities in Florida, Massachusetts and Oregon, including Harvard University, Massachusetts Institute of Technology (MIT), Oregon State University, University of Florida, University of Miami, University of Oregon and more.
What is Scarlet Widow?
Scarlet Widow has been in operation since 2015, but the scammer group did not dabble in BEC attacks until 2017. The group has instead been known for rental home scams, romance scams and tax fraud.
Researchers have identified three Nigeria-based Scarlet Widow operators at the top of the group’s hierarchy. Beyond those three, eight other individuals linked to the gang assist in various ways – including sharing leads and compromised data.
To date, researchers have also identified 33 email accounts used by Scarlet Widow to distribute its BEC scams.
“Similar to what we have observed with other groups, Scarlet Widow has a loose structure, with central players and tangential actors who are responsible for specific tasks, such as collecting and processing targeting leads for BEC attacks or finding new pictures to use for fictitious personas in romance scams,” said researchers.
Scarlet Widow’s targets are also mostly in the United States – Agari said that 73 percent of the targeted individuals it tracked were in the US; the second-largest share, 20 percent, was in the United Kingdom.