Gain an unprecedented insight into a Nigerian scamming group

An Inside Look at the Evolution of a West African Cybercriminal Startup Turned Enterprise

Over the last few years, business email compromise (BEC) has become one of the most profitable of all cyber crimes. The latest report from the FBI’s Internet Crime Complaint Center (IC3) for 2018 states that 20,373 victims lost a total of $1.3 billion to BEC. This was the single largest category of reported internet crime, representing approximately 48% of the total losses of £2.2 billion. However, the remaining £1.1 billion loss clearly demonstrates that BEC is not the only threat in play.

After a security company, Agari was contacted by a scammer attempting to defraud them, they decided to investigate and follow the trail. What it discovered (PDF) is a criminal organization that started from a single Nigerian criminal entrepreneur (called Alpha) in 2008 and developed into a complex organization of at least 35 actors (hackers) today. Agari calls this group Scattered Canary, and demonstrates that BEC is just one of many types of fraud perpetrated by the gang.

“We were able to map out dozens of relationships,” say the researchers, “an entire infrastructure, thousands of email discussion threads, hundreds of romance and fraud victims, dozens of scam kits, and other evidence that helps connect the dots between a wide universe of threat actors and actions associated with this West African fraud ring.”

Alpha started his criminal career with early Craigslist scams, being mentored by a more senior criminal named as Omega. During the first 15 months, Alpha delivered more than 100 addresses to Omega, who was responsible for sending the fake checks to victims — typically in the £2,000 to £4,000 range. The desire to maximize profits may lie behind the continuous expansion of Alpha’s organization, and its move towards larger targets and more profitable scams.

Alpha’s first diversification, in 2010, was into romance scams. Romance fraud taken together with confidence fraud was the second most costly fraud noted by the FBI’s report, with losses of £332.5 million in 2018. There is nothing romantic about romance fraud. The criminals first extract every penny possible from the victim, and then carry on using them by migrating them into mules.

‘Jane’ was such a victim. By 2016, her ‘boyfriend’ had extracted as much money as he could from her, and converted her into a mule. Over 18 months she opened five mule accounts and bought 20 prepaid cards for her ‘boyfriend’. An early password for an account was ‘weare4ever’. A late password was ‘iam2wornout’. Jane died in 2017; but even after her death, “Scattered Canary continued to use her details as they attempted to take out an car loan using Jane’s personal information, providing more evidence that these groups are only interested in one thing — money.”

Credential phishing

The romance frauds have continued even though Scattered Canary, led by Alpha, started looking at more immediately profitable targets in 2015. This started with credential phishing, largely general in nature and via a Google Docs phishing page. Towards the end of 2015, the attacks began to focus on North America and primarily the U.S. This paused in February 2016.

It restarted in March 2017, but with a new focus. Credential phishing now almost entirely focused on enterprise credentials, using phishing pages mimicking common business applications such as Adobe, DocuSign and OneDrive. Over the next 18 months, say the researchers, “Scattered Canary received more than 3,000 account credentials as a result of their phishing attacks.”


Until late 2015, Alpha had done the greater part of the work himself, with just the help of few delightful colleagues. However, Alpha recruited his first new full employee, Beta whose role, then and now, is to act as the group’s ‘mule herder’, and have primary responsibility for sending out fake checks in mystery shopper scams. 19 other individuals joined the gang over the next three years, working on generating mule accounts and taking part in other scams. There are three specific examples: Delta (joined in April 2016) provides mule accounts probably established by romance scam victims; Epsilon (joined in June 2016) provides access to systems that can be accessed by remote desktop protocol (a Microsoft tool to remotely access a computer); and Gamma (joined in January 2017) provides compromised bank account details.

The gang started its business email compromise operation by spoofing target company domains and requesting payment by bank transfer to a fictitious vendor. By 2017, the group had its BEC and other scam tools and tactics sufficiently established to define functional roles for its different revenue streams.

Monitoring the criminal

An interesting observation was a request from the gang for proof of the funds transfer by the victim. With many different individual actors all ultimately working for Alpha, the requirement prevents a go-between skimming profits by pretending that the scam had failed since a ‘manager’ could check the email account or even contact the mule directly. “Working as an opportunistic criminal, alongside other opportunistic criminals, does not come without its challenges,” comment the researchers from Agari.

A continuing theme in the evolution of Scattered Canary is the move toward scams with the highest return over the shortest period. So, just as it had earlier moved from individual to business targets, in 2017 it started targeting government agencies, including IRS, FEMA, Social Security, the Postal Service and many others. BEC in its various forms has, however, remained a primary scam from the group. It has performed both gift card scams and payroll diversions.


The history of the evolution of Scattered Canary is valuable for giving an insight into the motivation and methods of West African criminals. Money is everything, and as quickly as possible. The preferred attack is the one that nets the highest return as quickly as possible, and victims are milked for every penny possible. But more than anything else, it shows the interrelationship of social engineering attacks. There are no separate BEC gangs, and romance scam gangs, and agency fraud gangs — in this instance at least it is just one social engineering gang that has honed its skills over many years and multiple simultaneous operations and different types of attacks.

Whats next

Education is critical in this day and age. You don’t know what you don’t know. With this in mind, I have recently launched a book on cyber security called “One Click and You’re Done” which is easy to read and will help you identify threats and more importantly, protect yourself. This is available on Amazon in Kindle and Paperback format.

Click here to take a look

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.