Jun 5, 2019

A look inside a Nigerian email scam group active since 2008

Cybersecurity company Agari detailed a newly discovered Nigerian email scam team, dubbed "Scattered Canary," composed of dozens of members, in a new report released Wednesday.

Why it matters: Unlike with criminal hackers and espionage groups, there is not as much research into the taxonomy of actors in email fraud, but since it can siphon off as much as $2 billion each year, it's a threat worth understanding.

The big picture: Agari won't publicly discuss its methods for gaining intelligence on Scattered Canary. But given the methods it has used to detail similar groups in the past, which were shared with Axios only on the condition that they not be included in stories, it has extensive visibility into how a group operates, who is involved and their criminal history.

  • "We have a 10-year look on how this developed from a single individual into a group that comprises at least 35 people that we know of," Crane Hassold, senior director of threat research at Agari, told Axios.

Background: Scattered Canary started as a small-time operation in 2008 — a single actor dubbed "Alpha" running Craigslist scams with the help of a more seasoned mentor, dubbed "Omega." The tandem committed 419 total Craigslist scams, averaging $24,000 in profits.

  • Alpha is currently engaged and has three kids. In 2010, he began running romance scams, extorting money from victims and using them to do menial tasks in other scams, such as opening bank accounts.
  • In 2015, Alpha started scamming corporations and began hiring additional employees.

Details: Like other groups, Scattered Canary uses commercial lead generation services to compile lists of potential victims.

  • Since 2017, the group has perpetrated several fraudulent attacks on the U.S. government, including filing 13 tax returns and 11 Social Security benefit applications. It has also filed applications for Texas unemployment benefits under 9 identities and applications for FEMA disaster assistance under 3 identities.
  • Agari lists several email accounts associated with the group in its report.

The bottom line: Conventional hackers may get most of the attention, but email fraud is a thriving industry with a higher return on investment.

  • Hassold says, "I'm worried about what happens when the Eastern European, Russian and Southeast Asian groups realize, 'Why are we spending so much money on infrastructure and paying developers to develop malware when we could just send an email to someone, ask them to send us money and they'll do it?'" 
