Feb 14, 2019



Welcome to Codebook, the cybersecurity newsletter that would probably give you a toaster for Valentine's Day.

Situational awareness: Coffee meets Bagel met hackers.

1 big thing: Anatomy of a romance-scam ring

Illustration: Aïda Amer/Axios

A Nigeria-based romance-scam outfit, dubbed Scarlet Widow in a new report, has been bilking lonelyhearts of their savings since 2015.

Why it matters: In the abstract, people often dismiss email scams as a punchline they are somehow above. In truth, they are a billion-dollar crime paradigm preying on the gullible and savvy alike. And romance scams have particularly tragic dimensions.

  • One victim of Scarlet Widow — a religious Texas man who believed he was corresponding with an aspiring model training in Paris named Laura Cahill — was swindled out of at least $50,000; $10,000 of which it appears he obtained by stealing from his stepfather.
  • "Based on what we see, his friends and family brought up concerns. In each case, he pushed it aside and thought he and Laura were meant for each other," said Crane Hassold, senior director of threat research at Agari, the email security firm that profiled Scarlet Widow. "It really shows the psychological damage these scams cause."
  • Even with those warnings, when that victim lost contact with Laura, he became increasingly desperate, emailing, "I JUST WANT TO TALK TO MY BABY. I CAN WAIT FOR YOU BUT I NEED MY BOO."

Agari uses unique methods to gain access to groups and investigate email scams and scammers — ones we've been asked not to discuss to maintain their effectiveness. That allows the company to create unique profiles of email scam groups like Scarlet Widow.

  • The firm identified several of the fraudsters involved and says it will announce their identities later this month.

The moniker "Nigerian scam" is more than a nickname. Agari's research found the Scarlet Widow group, like 90% of email scams, actually does originate in Nigeria.

The FTC issued a warning Wednesday about romance scams in general. But while that report warned that the elderly are particularly vulnerable to these scams, Scarlet Widow also looked elsewhere.

  • The group initiated relationships through a variety of personals sites, including the largest services, but also via specialty sites, like ones for people with disabilities, for farmers and for divorced women.
  • Scarlet Widow often targets religious people. Hassold suggests that might be because "these are people who put faith in things they have not seen, being asked to put faith in a person they will never see in person."
  • "It gives you a glimpse into what other groups scammers think are vulnerable," he added.

As Agari re-created Scarlet Widow's past scams, it was also able to identify how the group evolved over time.

  • The group's other fake personas included Sterling Michael, a 43-year old captain serving in Afghanistan, and Britney Parkwell, a fabric saleswoman living in San Jose.
  • Scarlet Widow improved its character work over time — "more backstopping, more detail and more realism," said Hassold.
  • The group, like many of its peers, has dabbled in other forms of email scams as well, but dating is the one that stuck.

Go deeper: Love's multimillion dollar scam industry

2. An ex-counterintelligence officer may have spied for Iran

If you missed yesterday morning's Iranian espionage news, boy howdy.

Details: Monica Witt, a former counterintelligence officer for the Air Force, is being charged with identifying former colleagues, whom Iran would later attempt to hack via phishing emails.

  • Witt began working with Iran in 2012, claims the Department of Justice, and defected to Iran in 2013.
  • Phishing emails and Facebook messages were sent in the name of another member of the intelligence community.
  • Witt is also accused of disclosing U.S. secrets.
  • Four Iranians are also accused of participating in the scheme.
  • Witt is still at large.

Read the full indictment here.

3. Parties spar over election security

The House Homeland Security Committee has finished the first of two panels of election cybersecurity hearings Wednesday, a sign of the Democratic majority's priorities.

Why it matters: While a Republican Senate had been on board with providing new election security funding to the states during the last Congress, the Republican majority in the House had thwarted that push.

  • "This hearing is long overdue," noted Homeland chair Bennie Thompson (D-Miss.) in his opening remarks.

The hearings are intended in part to bolster House Resolution 1, the sweeping anti-corruption bill that contains several election security provisions, including funding and formalizing strategy.

  • Republicans view the provisions as too broad.
  • "I hope that when H.R. 1 stalls in the Senate, which it will, we revisit the issue of election security in a bipartisan manner," said Rep. Mike Rogers (R-Ala.), the ranking member of the committee.
  • Rogers questioned the value of increasing spending on security, given that it would be difficult to spend the money before the next round of primaries.

The bottom line: While Republicans worry about spending fast enough to protect the next race, Democrats say they are planning not just for the 2020 election but for the long term. Their plan calls for continuous upgrading of equipment with 10 years of national funding for state upgrades.

Read more about yesterday's hearing here.

4. Prosecutors "misplace" hard drive in Vault 7 case

In a strange turn in a leaks case first noted by CyberScoop, prosecutors claim to have lost a hard drive storing the defendant's files.

In a filing dated Feb. 12, prosecutors tell the judge that they "understand that the hard drives containing the defendant’s discovery were misplaced” by New York's Metropolitan Correctional Center, which is currently housing defendant Joshua Schulte.

The defendant is accused of leaking the documents that WikiLeaks published as the "Vault 7" files, a series of instruction manuals allegedly describing CIA hacking tools.

  • The files weren't particularly extraordinary, especially in light of a leak of believed NSA hacking tools going on at the same time by hackers The Shadow Brokers.
  • But the fact there were leaks at all was jarring.
  • Schulte is also being accused of unrelated child pornography charges.

Prosecutors say they will provide Schulte's lawyers with copies of all unclassified documents on the hard drives and are working on a way to copy his web server's files, which are too big to easily copy onto a drive to hand over.

Editor's note: This story has been corrected to clarify which hard drive was lost.

5. Odds and ends

A picture obtained on Dec. 14, 2013, from Iran's ISNA news agency allegedly shows the launch of the Pajohesh (research) rocket containing a live space monkey named Fargam (Auspicious) at an undisclosed location in Iran. Photo: /AFP/Getty Images)


Conclusion: Codebook will return next week, when it's OK to be single.