‘Scattered Canary’ BEC Scams Aim At US Firms

From a one-man shop committing check fraud on Craigslist to a sophisticated multi-fraudster committing BEC scams, the rise of Scattered Canary has been startling. Elsewhere, in the U.K., one instance of fraud was intended to show a business the weakness of its payments oversight.

Business email compromise (BEC) scams are crossing borders, with fraudsters in West Africa targeting U.S. firms.

As reported by Threatpost earlier this month, researchers at email security firm Agari identified a cybercrime gang that has grown markedly in scale. The scam involves emails from fraudsters impersonating company executives, suppliers or vendors, instructing unwitting employees to wire funds to accounts the fraudsters control.

According to the site, the group, dubbed Scattered Canary, has been active for more than a decade. It has evolved from a “one-man shop” that originally scammed victims on Craigslist into a crew of dozens of fraudsters targeting smaller firms through BEC, with an emphasis on U.S. companies and government agencies.
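The impersonation pattern described above (a message that appears to come from an executive or a vendor and asks the recipient to send money) is what mailbox-side BEC triage keys on. The following is an added example and is not code from this page, from Agari or from Threatpost. The internal domain, the executive directory, the keyword list and the three sample messages are all constructed for illustration; it flags display-name impersonation, lookalike sender domains, a Reply-To that diverges from the sender, and payment-redirect language.

```python
"""Triage heuristics for BEC-style emails (added example, constructed data)."""
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain and a tiny executive directory (constructed).
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
# Phrases that, in combination, suggest a request to redirect a payment.
WIRE_TERMS = ("wire", "urgent", "bank details", "invoice", "confidential")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as a 0 for an o."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def triage(raw_message: str) -> list:
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply) if reply else from_dom
    body = msg.get_payload().lower()
    findings = []

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display name impersonates executive")

    # 2. Sender domain is within two edits of the real one but is not it.
    if from_dom != COMPANY_DOMAIN and 0 < levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies are steered to a different domain than the visible sender.
    if reply_dom != from_dom:
        findings.append("reply-to domain differs from sender")

    # 4. Two or more payment-redirect phrases in the body.
    if sum(term in body for term in WIRE_TERMS) >= 2:
        findings.append("payment-redirect language")
    return findings


# Constructed sample messages (not real captures).
SAMPLE_IMPERSONATION = """From: Jane Doe <jane.doe@gmail.com>
To: ap@example-corp.com
Subject: Urgent wire

I need you to process an urgent wire today. Send confirmation and the
bank details form. Keep this confidential.
"""

SAMPLE_LOOKALIKE = """From: Accounts <billing@example-c0rp.com>
Reply-To: billing@vendor-mail.net
Subject: Updated invoice

Please note our new bank details for the attached invoice.
"""

SAMPLE_CLEAN = """From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Lunch

Are we still on for lunch Thursday?
"""

if __name__ == "__main__":
    for label, sample in (("impersonation", SAMPLE_IMPERSONATION),
                          ("lookalike", SAMPLE_LOOKALIKE),
                          ("clean", SAMPLE_CLEAN)):
        print(label, triage(sample))
```

These are cheap triage signals, not a verdict: an attacker who has taken over a real executive mailbox produces none of the header anomalies, and a legitimate vendor that changed its remittance details can trip the keyword check. In practice the findings would be joined with DMARC/SPF results and the sender's history, which is the direction the identity-based approach quoted later in this article points at.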

The group’s genesis traces to West Africa in 2008, where Craigslist was used as a conduit to send counterfeit checks. The fraud evolved into romance scams a few years later, then BEC scams in 2015.

“I think it’s really interesting to look at this group, and see how they evolved over time,” said Crane Hassold, senior director of threat research at Agari, in an interview with Threatpost. “When we look at groups like Scattered Canary, we referred to them as a ‘tech startup’ in the 2008 to 2009 time frame, as [they were] just learning the ropes. And then, as they evolve, you see them growing in size, growing in the breadth and depth of scams they’re launching. … They’re evolving very much like a business, from the startup phase to the corporate phase.”

The FBI reported that BEC scam losses roughly doubled in 2018, as measured year over year, to $1.2 billion.

“If Scattered Canary can be seen as a microcosm for the rapidly evolving organizations behind today’s most pernicious email scams, this report demonstrates that a much more holistic approach — one based on threat-actor identity, rather than type of fraudulent activity — is required to detect email fraud and protect organizations,” said Agari.

In other news spotlighting individual cases of payments fraud, the Grimsby Telegraph reported that a finance manager for U.K. healthcare company Clarriots Homecare took £40,000 (about $50,800) from his employer yet didn’t spend a penny of it, committing the fraud only to show executives how easy it was to subvert the company’s payment controls and siphon off funds. The scheme worked: he contacted customers and directed them to send payments to his own personal account rather than to Clarriots, then submitted another invoice to the company, allegedly showing that customers had been asked to pay the firm. As reported, he paid the money back and even covered the firm’s legal fees.

Separately, and a world away in Afghanistan, Reuters reported that inflated contracts for meat rations for law enforcement officials have siphoned millions of dollars from government coffers and foreign donors. Contractors forged orders, inflating both the quantities ordered and the amounts charged. The report said that 23 officials were arrested, as was the contractor, and the overbilling came to about $7.5 million.

In one line of defense against fraudulent transactions, payments processing firm Stripe launched Chargeback Protection this past week, billed as a machine learning-based system that seeks to reduce fraudulent credit card transactions. According to Stripe, the protection covers the disputed amount for the merchant and waives the associated dispute fees. The machine learning process scores charges as they are made and requires additional authentication for charges that look atypical.