Only a few groups in the cybersecurity industry know, or have even heard, the name “Scattered Canary”. It is considered a “cyber-gang” with at least a dozen members dedicated to running targeted BEC (Business Email Compromise) campaigns. Scattered Canary started its operations more than ten years ago with only a few members, and the team targeted new companies using its specially designed, persuasive emails.
“I think it’s really interesting to look at this group and see how they evolved over time. When we look at groups like Scattered Canary, we referred to them as a ‘tech startup’ in the 2008 – 2009 timeframe, as they’re just learning the ropes. And then as they evolve, you see them growing in size, growing in the breadth and depth of scams they’re launching… they’re evolving very much like a business from the startup phase to the corporate phase,” explained Crane Hassold, Agari’s Sr. Director of Threat Research.
Agari itself was a victim of Scattered Canary: a BEC email pretending to originate from one of its senior executives was received by its CFO in November of last year. This prompted the company to probe the origin of the phishing group further, and after 6 months of investigation Agari was able to discover new details about its operations. Agari researchers found that Scattered Canary is composed of at least 35 members and runs parallel operations, with multiple campaigns active at the same time. Since the last quarter of 2018, the group has been able to evade detection even though the BEC emails it sent had already been reported to authorities early on.
The Scattered Canary operations in 2018 took the form of using counterfeit checks to pay for products sold on Craigslist. In that year, the team was able to send more than 1,900 emails to potential victims, with an estimated revenue of $24,000/month. Scattered Canary was also involved in “romance scams” in 2010: the lone member of the group at that time targeted people looking for romance online through social media, and by using clever engagement techniques and social manipulation the scammer was able to solicit money from his victims. Communication through social media instant messaging and SMS detailed how the scammer persuaded the victims to give him access to their bank accounts.
Starting in 2015, the group expanded its operation to target multinational companies as the recipients of its BEC messages, and its generation of fake information improved on multiple levels as it began producing counterfeit checks and fake money orders. This was on top of its regular schemes to capture credit card information from victims. “By 2017, Scattered Canary had business-critical tools and tactics in place and started to define functional roles across an ever-expanding array of revenue streams. Like any rapidly-growing company, Scattered Canary took infrastructure into consideration and quickly added Remote Desktop Protocol (RDP) servers to help them scale and coordinate operations. Meanwhile, the organization continued to market-test new approaches to defrauding a growing universe of victims,” added Hassold.
BEC scams, a more modern form of phishing, are a big money-making scheme for cybercriminals. According to the U.S. Federal Bureau of Investigation, in 2018 alone BEC scams earned an estimated $1.2 billion for cybercriminals. Prosecution of this crime still happens, but at a very slow pace, with only 74 arrests in the US in 2018.