Criminal hackers make a lot of money targeting businesses and institutions of all kinds with phishing attacks that lead to compromised business email. While crooks may have an array of systems in place to launder the funds they steal, researchers have noticed that so-called business email compromise scammers are leaning more and more on the humble gift card.
At the RSA security conference in San Francisco next Tuesday, researchers from the email defense firm Agari will present detailed findings on a Nigerian scam group the company has dubbed Scarlet Widow. Agari researchers have monitored the group since 2017, and have tracked its prolific activity back to 2015. Scarlet Widow mostly focuses on targets based in the United States and the United Kingdom, dabbling in a number of types of fraud like tax scams, property rental cons, and especially romance scams. But over the past couple of years, the group has been perfecting its business email compromise efforts, known as BEC for short. The group has particularly targeted medium and large US nonprofits that are often equipped with less advanced defenses. Recent targets include the Boy Scouts of America, YMCA chapters, a midwestern Archdiocese of the Catholic Church, the West Coast chapter of the United Way, medical groups, antihunger organizations, and even a ballet foundation in Texas.
"With most BEC attacks, a vast majority of employees that receive them would know they're scams," says Crane Hassold, senior director of threat research at Agari who previously worked as a digital behavior analyst for the FBI. "But it only takes a very small number of successes to make it very profitable."
Between November 2017 and this month, Agari observed Scarlet Widow targeting 3,483 nonprofits and 5,581 individuals related to nonprofits. Similarly, the group targeted 660 education-related institutions and 1,815 associated individuals. Over the same period of time, the group also targeted 1,505 tax-related organizations and 9,592 individuals as part of tax prep cons.
BEC relies on access to an organization's email. In practice, this can mean that scammers send carefully tailored emails from seemingly legitimate accounts of a business to coworkers, perhaps touting a fictitious initiative within a firm. Attackers can also use malware hidden in an email attachment or a malicious phishing link to gain access to an organization's networks, do reconnaissance on what the group is working on and might need, and then approach them from the outside with fictitious business propositions.
Agari says that Scarlet Widow is organized much like a legitimate sales and marketing operation, with coordinated teams working on different aspects of the scams, and internal support to generate leads, distribute scam emails, create aliases, and generate fake documents as needed. But the group's most recent innovation involves tailoring certain scams so they now culminate with requesting gift cards instead of wire transfers.
This trend is on the rise among scammers, both for individual targets and organizations. The Federal Trade Commission reported in October that 26 percent of people who reported being scammed in 2018 said they bought or reloaded a gift card to deliver the money, up from 7 percent in 2015. The FTC says gift card-related losses reported to the agency totaled $20 million in 2015, $27 million in 2016, $40 million in 2017, and $53 million in the first nine months of 2018 alone.
"Con artists favor these cards because they can get quick cash, the transaction is largely irreversible, and they can remain anonymous," Emma Fletcher, a fraud specialist at the FTC, wrote in the October report.
If scammers can convince victims to buy gift cards—and send them photos of the physical cards or screenshots of the digital codes—they don't need to rely on middlemen to receive wire transfers and initiate the process of laundering money. Instead, they can use online marketplaces to buy cryptocurrency with the gift cards. Agari observed that Scarlet Widow particularly uses the US peer-to-peer marketplace Paxful to buy bitcoin with gift cards. Then they move the bitcoin from a Paxful wallet to a wallet on the cryptocurrency platform Remitano, where they can resell it with a bank transfer.
Scarlet Widow generally requests Apple iTunes or Google Play gift cards. The FTC notes that other scammers prefer these cards as well, though some will ask for cards to stores like CVS, Walmart, Target, or Walgreens. Though it may seem difficult in a business environment to trick people into paying for services in gift cards, scammers have developed narratives that make the suggestion fit. Around the holidays, for example, Hassold says that Scarlet Widow, posing as a third-party contractor, will claim they need gift cards for end-of-year employee gifts. One Scarlet Widow scammer played to a sense of urgency: "Ok I am in the middle of something and I need Apple iTunes gift cards to send out to a supplier, can you make this happen? If so, let me know if you can get it now so I can advise the quantity and domination to procure."
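The lure above combines the ingredients that make gift-card BEC recognizable on the receiving end: a gift-card ask, time pressure, and a senior name on a message that did not come from the organization's own domain. The following is an added defender-side example (not Agari's tooling or anything from the original article) that scores inbound mail on those signals; the domain, executive name, and the benign message are constructed, and the scam body is the quote above.

```python
import re
from dataclasses import dataclass

# Constructed values for this example, not from the article.
INTERNAL_DOMAIN = "nonprofit.example"
EXECUTIVES = {"dana reyes"}  # display names that scammers would impersonate

GIFT_CARD = re.compile(r"\b(itunes|google play|gift cards?|e-?gift)\b", re.I)
URGENCY = re.compile(r"\b(right now|immediately|asap|urgent|in the middle of something|make this happen)\b", re.I)
CODE_REQUEST = re.compile(r"\b(scratch|codes?|photos?|pictures?|screenshots?)\b", re.I)


@dataclass
class Email:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def score_email(msg: Email, internal_domain=INTERNAL_DOMAIN, executives=EXECUTIVES):
    """Return (score, reasons); each reason is one gift-card BEC indicator."""
    reasons = []
    text = msg.subject + "\n" + msg.body
    if GIFT_CARD.search(text):
        reasons.append("asks for gift cards")
    if URGENCY.search(text):
        reasons.append("urgency or pressure language")
    if CODE_REQUEST.search(text):
        reasons.append("asks for card codes or photos")
    # Known executive name shown to the reader, but the sender is outside the org.
    if msg.display_name.lower() in executives and _domain(msg.from_addr) != internal_domain:
        reasons.append("executive display name from an external domain")
    if _domain(msg.reply_to) != _domain(msg.from_addr):
        reasons.append("reply-to domain differs from sender domain")
    return len(reasons), reasons


def triage(msgs, threshold=2):
    """Subjects of messages that reach the threshold, with their reasons."""
    return [(m.subject, s, r) for m in msgs for s, r in [score_email(m)] if s >= threshold]


# Sample inputs: the scam body is the lure quoted above; the benign mail is constructed.
SCAM = Email("Dana Reyes", "dana.reyes@exec-mail.example", "dana.reyes@exec-mail.example",
             "Quick request",
             "Ok I am in the middle of something and I need Apple iTunes gift cards to send out "
             "to a supplier, can you make this happen? If so, let me know if you can get it now "
             "so I can advise the quantity and domination to procure.")
BENIGN = Email("Finance Team", "finance@nonprofit.example", "finance@nonprofit.example",
               "Year-end employee appreciation",
               "The board approved gift cards for staff appreciation. Purchase requests go "
               "through the usual two-signature approval in the finance portal before anything is bought.")
```

A legitimate year-end gift-card purchase still trips one indicator, which is why the score is a triage aid for the finance team's sign-off process rather than a block rule.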
Nothing beats gift cards for speed. In an August 2018 scam Agari analyzed, Scarlet Widow targeted an Australian university, and tricked an administrator into buying and sending $1,800 worth of iTunes gift cards. (The victim thought the request came from the head of the university finance department.) Scarlet Widow then sold the cards on Paxful and converted the bitcoin to cash, all within 139 minutes.
Gift cards take a lot of the difficult and dangerous work out of money laundering, but they also have their downsides. For one thing, iTunes gift cards can fluctuate from 80 cents down to 40 cents on the dollar when you convert them into cryptocurrency on platforms like Paxful. It's also difficult to craft narratives that will trick people into buying more than a few thousand dollars' worth of gift cards at a time. If a scammer is looking to swindle a business out of tens of thousands of dollars in one operation, they'll likely still need a wire transfer.
Though it may not have quite the hacker mystique of a more technical-sounding attack like cryptojacking, business email compromise is one of the main practical threats to organizations today. Note that the same measures that can help avoid wire-transfer scams—like requiring multiple employees to review and sign off on payments—apply to gift card scams as well.