Criminal hackers make a lot of money with targeted phishing attacks on businesses and institutions of all sizes that lead to business email compromise. And while criminals have a range of schemes for laundering the money they steal, researchers have found that BEC scammers increasingly rely on the humble gift card.
At the RSA Security Conference in San Francisco next Tuesday, email defense firm Agari will present detailed findings on a Nigerian scam group called Scarlet Widow. Agari researchers have been monitoring the group since 2017 and have traced its prolific activity back to 2015. Scarlet Widow focuses primarily on targets in the United States and the United Kingdom and has run a number of types of fraud, including tax fraud and especially romance scams. In recent years, however, the group has concentrated on perfecting its business email compromise attacks. It is particularly focused on medium and large nonprofit organizations in the US, which may have less sophisticated defenses. Recent targets include the Boy Scouts of America, YMCA chapters, a Catholic archdiocese in the Midwest, a West Coast chapter of the United Way, medical groups, anti-hunger organizations, and even a ballet foundation in Texas.
"With most BEC attacks, the vast majority of employees who receive them know they are scams," says Crane Hassold, senior director of threat research at Agari, who previously worked as a digital behavior analyst for the FBI. "It only takes a very small number of successes to make it very profitable."
Between November 201
Business email compromise requires access to an organization's email. In practice, this can mean that fraudsters send carefully tailored emails from a company's legitimate, compromised email accounts to impersonate colleagues or to invent a fictitious initiative within the company. But attackers can also use hidden malware or a malicious phishing link in an email attachment to get into a company's networks, learn what the group is currently working on and might need, and then attack them from the outside with customized, fictitious requests.
Agari says Scarlet Widow is organized like a legitimate sales and marketing organization, with coordinated teams working on various aspects of the fraud and internal support staff to generate leads, distribute scam emails, create aliases, and produce counterfeit documents as needed. The group's latest innovation, however, is to tailor certain scams so that they culminate in a request for gift cards instead of a bank transfer.
This trend is growing among scammers, both against individual targets and against organizations. The Federal Trade Commission reported in October that 26 percent of respondents who said they had been scammed in 2018 bought or loaded a gift card to deliver the money, compared with 7 percent in 2015. The FTC states that gift card losses reported to the agency were $20 million in 2015, $27 million in 2016, $40 million in 2017, and $53 million in the first nine months of 2018 alone. "Con artists prefer these cards because they can get cash quickly, the transaction is largely irreversible, and they can remain anonymous," wrote Emma Fletcher, a fraud specialist at the FTC, in the October report.
When fraudsters can tempt victims into buying gift cards, and sending them photos of the physical cards or screenshots of digital ones, they do not have to rely on money mules to receive wire transfers and start the laundering process. Instead, they can use online marketplaces to buy cryptocurrency with the gift cards. Agari noted that Scarlet Widow specifically uses the US peer-to-peer marketplace Paxful to buy bitcoin with stolen gift cards. The group then moves the bitcoin from a Paxful wallet to a wallet on the Remitano cryptocurrency platform, where it can be resold for a bank transfer.
Scarlet Widow generally requests Apple iTunes or Google Play gift cards. The FTC notes that other scammers also favor these cards, though some ask for cards from retailers such as CVS, Walmart, Target, or Walgreens. Although it might seem hard to get people in a business setting to pay for things with gift cards, scammers have developed narratives that make the request seem plausible. Around the holidays, for example, Hassold says Scarlet Widow, posing as a contractor, claims to need gift cards for employees at the end of the year. One Scarlet Widow scammer played on urgency: "OK, I'm in the middle of something and need Apple iTunes gift cards to send to a supplier. Can you do that? If so, let me know now, and what amount and denomination you can get."
And nothing beats gift cards for speed. In one scam Agari analyzed from August 2018, Scarlet Widow targeted an Australian university and tricked an administrator into buying and sending $1,800 worth of iTunes gift cards. The victim believed the request came from the university's finance department; the scammers sold the cards through Paxful and converted the bitcoin into cash within 139 minutes.
Gift cards take much of the difficulty and risk out of money laundering, but they also have downsides. For one thing, iTunes gift cards can fetch anywhere from 40 to 80 cents on the dollar when converted to cryptocurrency on platforms like Paxful. It is also hard to craft narratives that get people to buy several thousand dollars' worth of gift cards at once. If a fraudster wants to swindle a business out of tens of thousands of dollars in a single operation, they will probably still need a wire transfer.
Even if business email compromise lacks the hacking mystique of a more technical-sounding attack like cryptojacking, it is one of the biggest threats facing businesses today. The same measures that help prevent fraudulent wire transfers, such as requiring multiple employees to review and sign off on payments, also apply to gift card fraud.
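A defender-side illustration, added here and not part of the WIRED article or of Agari's research: a small Python triage heuristic that scores inbound mail for the lure features described above (a gift card request, urgency, a request for amount and denomination, and an internal colleague's name on an outside address or a reply-to that points elsewhere). The staff directory, domains, and message texts are constructed samples, and the weights and threshold are assumptions a mail team would tune against its own traffic.

```python
import re
from dataclasses import dataclass, field

# Constructed sample environment (hypothetical organization and staff).
ORG_DOMAIN = "example.org"
STAFF = {"Dana Rivera": "dana.rivera@example.org"}

# Lure vocabulary drawn from the article's description of the scam.
GIFT_CARD_TERMS = re.compile(r"\b(itunes|google play|gift cards?|e-?gift)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(right now|asap|urgent|immediately|let me know now|in the middle of something)\b", re.I)
DENOMINATION_TERMS = re.compile(r"(\bdenominations?\b|\bamounts?\b|\$\s?\d)", re.I)
SECRECY_TERMS = re.compile(r"\b(keep (this|it) (confidential|between us)|don't tell anyone)\b", re.I)


@dataclass
class Message:
    display_name: str
    from_addr: str
    reply_to: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def domain_of(addr):
    """Lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].lower()


def score_message(msg, org_domain=ORG_DOMAIN, staff=STAFF):
    """Score one message for BEC gift-card lure features. Higher is more suspicious."""
    v = Verdict()
    external = domain_of(msg.from_addr) != org_domain
    # Display-name spoofing: a known colleague's name on an outside mailbox.
    if external and msg.display_name in staff:
        v.add(3, "internal staff name on external address")
    # Replies silently routed to a different domain than the visible sender.
    if domain_of(msg.reply_to) != domain_of(msg.from_addr):
        v.add(2, "reply-to domain differs from sender domain")
    text = f"{msg.subject}\n{msg.body}"
    asks_for_cards = GIFT_CARD_TERMS.search(text) is not None
    if asks_for_cards:
        v.add(3, "gift card request")
    if URGENCY_TERMS.search(text):
        v.add(1, "urgency language")
    # Asking for amount/denomination only matters when cards are requested.
    if asks_for_cards and DENOMINATION_TERMS.search(text):
        v.add(1, "asks for amount or denomination")
    if SECRECY_TERMS.search(text):
        v.add(1, "secrecy language")
    return v


def triage(msg, threshold=5):
    """Route a message: hold for a human reviewer or deliver normally."""
    return "hold_for_review" if score_message(msg).score >= threshold else "deliver"


def sample_messages():
    """Constructed test messages; none of these are real captures."""
    return {
        # Lure modelled on the request quoted in the article, sent from a
        # free-mail address but using a real colleague's display name.
        "lure": Message("Dana Rivera", "dana.rivera@webmail-example.net",
                        "dana.rivera@webmail-example.net", "Quick favor",
                        "OK, I'm in the middle of something and need Apple iTunes gift cards "
                        "to send to a supplier. Can you do that? If so, let me know now, and "
                        "what amount and denomination you can get."),
        # Outside 'vendor' whose replies go to an unrelated mailbox.
        "vendor_lure": Message("Vendor Billing", "billing@vendor-example.com",
                               "pay@free-mail-example.com", "URGENT: outstanding balance",
                               "Please purchase $500 in Google Play gift cards today and "
                               "reply with the codes."),
        # Legitimate internal mail that happens to mention gift cards.
        "hr_internal": Message("Sam Okafor", "hr@example.org", "hr@example.org",
                               "Holiday gift cards for the team",
                               "HR is buying gift cards for the holiday party; please send "
                               "the names on your team by Friday."),
        # Ordinary internal business mail.
        "benign": Message("Dana Rivera", "dana.rivera@example.org", "dana.rivera@example.org",
                          "Q3 budget review", "Attached is the draft budget; comments by Friday please."),
    }


if __name__ == "__main__":
    for name, msg in sample_messages().items():
        v = score_message(msg)
        print(f"{name:12s} score={v.score} -> {triage(msg)} {v.reasons}")
```

The internal HR message scores below the threshold because it carries none of the impersonation or urgency signals, which is the point of combining features rather than blocking the phrase "gift card" outright. A heuristic like this only routes mail to a reviewer; the control the article names, a second employee signing off before any purchase or payment, is what actually stops the loss.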