Cyber Crime: Dossier out on 35-man Nigerian gang called Scattered Canary

A Nigerian-based scammer gang dubbed “Scattered Canary” has evolved from a one-man, start-up operation to a multi-faceted, scalable, “corporation” with 35 “employees” targeting individuals, businesses, and government agencies.

The criminal gang was exposed in a new Threat Actor Dossier published Wednesday by Agari, the next-generation Secure Email Cloud that restores trust to the inbox.

Scattered Canary, for which Agari has traced fraudulent activity originating from 2008, has grown exponentially from a lone-wolf cybercriminal named “Alpha,” operating entry-level Craigslist scams to an entire organisation with at least 35 criminal actors working for it.

Each actor has his own area of expertise, ranging from recruiting money mules to providing infrastructure for the organisation. At any one-time, Alpha is orchestrating Scattered Canary’s operatives to simultaneously carry out business email compromise (BEC) scams and other fraudulent schemes, including romance scams, tax fraud, social security fraud, credit card fraud, and payroll diversion.

Similar to legitimate budding entrepreneurial companies, the Scattered Canary gang has sought to increase business operations by developing and validating scalable business models across a diverse set of revenue streams.

Initially detected after impersonating a Senior Executive at Agari to target its Chief Financial Officer, Scattered Canary’s victims include individuals, organisations and, in 2017, was expanded to include federal and state government agencies.

Utilizing a feature within Gmail accounts, which does not recognise periods in email addresses, the group created numerous ‘dot variant’ accounts that allowed the group to make their scams more efficient by removing the need to create and monitor different email accounts for every account they create on a targeted website.

As a result of this tactic, Scattered Canary was able to file 13 fraudulent tax returns with the IRS, submit applications for FEMA disaster assistance under three identities, submit 11 fraudulent Social Security benefit applications and gain approval for at least $65,000 in credit with four US-based financial institutions via 48 credit-card applications.

“BEC can no longer be viewed in isolation,” said Crane Hassold, senior director of threat research, Agari. “If we are to take Scattered Canary as a microcosm for the organisations behind today’s most malicious scams, it demonstrates that a more holistic approach, one based on threat actor identity rather than type of fraudulent activity, is needed to detect email fraud and protect businesses. While Scattered Canary’s primary attack vector is BEC, at any given time, it is also involved in a dozen other types of disparate scams.”

The Agari Cyber Intelligence Division (ACID) is the only counterintelligence research team dedicated to worldwide business email compromise (BEC) and spear-phishing investigation. ACID uncovers identity deception tactics, criminal group dynamics, and trends in advanced email attacks, and helps mitigate cybercrime activity by working with law enforcement and other trusted partners.

In the Federal Bureau of Investigation’s (FBI) annual Internet Crime Report, it was revealed that losses from BEC scams nearly doubled to $1.3 billion in 2018.

*Download the dossier on Scattered Canary gang

*Press Statement by PRNewswire