Cyberattacks Targeting K-12 Schools, Boy Scouts & Nonprofits: Agari

According to new information, the targets include dozens of small-town schools and school districts in Indiana and Wisconsin.


A Nigeria-based scammer gang dubbed “Scarlet Widow” is unleashing email fraud attacks against K-12 schools, universities and nonprofits around the world, according to a report from Foster City, Calif.-based Agari.

Agari, which uses predictive artificial intelligence to stop advanced email attacks, has uncovered and documented the practices of Scarlet Widow, which has evolved a different strategy. “Rather than focusing on corporate targets, which are devoting increased resources to cyberdefenses, the group focuses on more vulnerable sectors such as school districts, universities, and nonprofits, which the group likely believes are softer targets,” Agari revealed.

Targets include dozens of small-town schools and school districts in Indiana and Wisconsin; U.S. and U.K. nonprofits including Boy Scouts of America and the Salvation Army; and universities in Florida, the United Kingdom, New Zealand and Australia.

According to Agari, to launder its proceeds, Scarlet Widow is using Paxful, a U.S.-based peer-to-peer cryptocurrency exchange that allows it to move scammed funds beyond the reach of authorities within minutes. Scarlet Widow and other West African scammers use this exchange to convert fraudulently obtained gift cards into cryptocurrency for 40 to 80 cents on the dollar.

Agari has been gathering information on Scarlet Widow since 2017 and has documented its evolving operations going back to 2015, when its focus was on romance scams and property rental fraud. In 2016, Scarlet Widow moved into tax fraud, successfully submitting dozens of fraudulent returns and scoring thousands of dollars in tax refunds with minimal effort. “By 2017, like so many West African cybercrime groups, the group moved into the lucrative world of BEC, where it continues to focus its efforts to this day.”

During Agari’s investigation into Scarlet Widow, researchers identified a combined database holding targeting information for more than 30,000 individuals at more than 13,000 organizations in a dozen countries. This list included in excess of 3,400 individuals at more than 5,500 nonprofits, and more than 1,800 individuals at 660 educational institutions. Scarlet Widow uses a web scraper to navigate online directories and gather email addresses, a process it refers to as “bombing” the directory.

The Boy Scouts was the nonprofit with the highest number of individual targets. Other major U.S.-based nonprofit organizations appeared frequently in Scarlet Widow’s target database, according to Agari, including a West Coast United Way chapter, a nationwide anti-hunger charity, a Texas ballet foundation, a large hospital and physician group in North Carolina, a Midwest archdiocese of the Catholic Church, a well-known annual arts festival, and numerous chapters of the YMCA.

Scarlet Widow also recently targeted universities in Florida, Massachusetts, and Oregon, including Harvard University, Massachusetts Institute of Technology, Oregon State University, University of Florida, University of Miami, University of Oregon, and others.

In the U.K., Scarlet Widow secured individual information at more than 1,300 large and small nonprofits, including the country’s leading children’s charity, a large advocacy and support group for the disabled, and the national Salvation Army; and academic targets such as the Universities of Oxford and Cambridge, Imperial College London, and University of Glasgow.

It went after Australia’s Curtin University, the University of Newcastle, New Zealand’s University of Canterbury and Victoria University Wellington. More than one-third of the email addresses in Scarlet Widow’s educational database were for universities and K-12 schools in New Zealand.

Agari also issued a dire warning: “While the bulk of its recent BEC attacks has focused on schools and nonprofits, Scarlet Widow also seems to be preparing for phishing campaigns targeting tax preparation firms. In September 2018, the group began collecting targeting information on thousands of United States-based tax preparers, likely to target these individuals with W-2 BEC attacks prior to tax season.”

The Agari report also specified, “It is important to note that while these nonprofits were targeted, the attacks weren’t necessarily successful. Any individual email has a low probability of success—previous Agari research found a success rate of 0.37%—with the scam groups depending on a huge volume of attacks to gain a satisfactory return.”

Nevertheless, business email compromise attacks are growing fast, with reported BEC losses in the U.S. rising 88% between 2016 and 2017, according to the FBI’s Internet Crime Complaint Center.

In investigating Scarlet Widow, Agari observed that while the group depended on wire transfers in its early BEC scams, it has now switched to using Apple iTunes and Google Play gift cards. This scheme removes the necessity to manage a network of money mules inside the target country.

This reflects 2018 U.S. Federal Trade Commission report findings: from January through September 2018, gift cards and reload cards (like MoneyPak) were reported as a payment method in 26% of the fraud reports in which people revealed how they paid, up from just 7% in 2015 – a 270% increase.

“Con artists favor these cards because they can get quick cash, the transaction is largely irreversible, and they can remain anonymous,” the FTC said. Among those who paid a scammer with a gift or reload card, 42% used iTunes or Google Play cards.