Editor’s Note: This blog post was originally found on the Agari Email Security Blog.
By Ronnie Tokazowski
When we think of business email compromise (BEC), the first thing that comes to mind is likely an executive spoof — an email sent to an employee from someone pretending to be the CEO or other high-profile executives. One of the things that people don’t traditionally think about is love, or more specifically, the role that romance victims play in the BEC game.
Behind the Scenes with a Romance Scam Victim
How are attackers able to send and receive money without funds being directly tied back to them? During a BEC engagement, cybercriminals often use romance mules as human proxies to send money from point A to point B. To steal money, romance and BEC scammers will often collaborate to make use of stolen romance victim account information.
But shouldn’t a romance victim know that what they are doing is wrong? Everyone knows that they shouldn’t share sensitive things, like bank accounts, credit card numbers, or passwords. That’s where the lines start to blur, and it’s not as clear as we think it should be.
Picture this. You love kids and you love your family. So much so that you dedicate your entire livelihood to staying home with them, teaching and raising them. It’s a struggle, but in the end you know it’s all going to be worth it. You blink, and in that instant, those three kids are now adults and moving out of the house. You blink again, and you’re blessed with grandchildren. How could over two decades fly by so quickly?
But your house is empty. Something that was once filled with noise, mess, excitement, tears, dirty diapers, markers, colored pencils, craft paper, Elmer’s glue…it’s all gone. Perhaps your husband recently passed away, or after years of unhappiness, you’re going through a divorce.
You’re alone. You’re only a few years away from retirement, and you just want someone else to spend the rest of your days with. Someone else who is alone. Someone that is your forever, or as you put it — two hearts, one love.
This is the story of Jane and her tragic relationship. This is the story of Alpha — the mastermind behind cybercriminal organization Scattered Canary — and his friend Beta, an experienced romance scammer who tugged on one too many of Jane’s heartstrings.
Connecting the Dots Between Romance Scams and BEC
While we don’t have visibility into how Jane found the person we have codenamed Beta, we do know that Beta had access to her banking account as early as March 2016. Based on open-source intelligence, this relationship with Beta may have started as early as 2013.
Jane really trusted her new companion, so much so that she shared the password to her banking account with him. Based on her email exchanges with him, we can see that she used passwords like love4ever when providing access credentials. On the other side, Beta and the Scattered Canary group had built out a dossier on her, with information like her address, banking account numbers, date of birth, and even her social security number.
As the relationship progressed, Jane became more enamored with her online lover and started opening new credit card accounts, all of which were provided to Beta. Unbeknownst to Jane, Alpha took this as an opportunity to try to cash out and attempted to use her information to purchase a laptop from Best Buy in August 2016. Alpha also used her information to order clothing from Tommy Hilfiger, purchase a pair of Nikes, and buy items from American Eagle.
Unfortunately for Jane, the Scattered Canary cybercriminals did not stop there. In January 2017, Beta received account information for Green Dot cards, with account names like 4everloveu and strong4u. As the relationship continued, Jane opened additional credit union accounts using phrases like weare4ever and 2hearts1love. It’s clear beyond a reasonable doubt that Jane was an unwitting romance victim in this story, while Scattered Canary took advantage of her love for monetary gain — especially as they expanded their BEC business.
The Romance Wears Off
As time went on, Beta really started to wear down Jane, who began using phrases like 2tired4this and 2muchmystery for her account passwords. That said, she ramped up the distribution to include more GoBank, NetSpend, and Walmart money cards.
In June 2017, Alpha received an email from Beta with the subject “IRA”. The forwarded contents contained a username, password, and security questions for a capital investment firm. This same month, Jane sent a BankMobile card to her lover. Based on intelligence, this is the last time that Beta and Jane talked — at least via email.
What happened to Jane, and why did they lose contact? At this point, we are not certain that Scattered Canary cashed out her retirement account, but based on the level of access that the scammers had, we strongly believe this to be the case. Just three months later, Jane passed away at the young age of 55, survived by several children, her parents, and multiple grandchildren. We give our deepest condolences to her and her family for the emotional and financial turmoil that Beta and Alpha put her through.
Scammers Remain Ruthless, Even in Death
Even in death, that’s not the end of Jane’s story. In October 2017, just one month after she passed, we have reason to believe that an actor from Scattered Canary tried to sign up for an auto loan in her name. Romance scammers are ruthless, cutthroat, and will do anything to make a dollar — or in this case, tens of thousands of dollars.
The emotional turmoil that someone goes through after being identified as a romance victim can be devastating. Unfortunately, suicide does play a part in romance scams, and while this may seem like an isolated event, it is likely more common than we may realize based on the number of open-source reports available.
When someone who is alone and vulnerable finds that little spark of hope and love, they cling to it, and often will not let go, no matter how many red flags there may be. Admitting that their new love might be fake is painful, and the fear of “losing” yet another loved one may play into why so many romance victims are in the schemes for years before they are identified as victims.
For more information on how romance scams play into business email compromise organizations, download a recent threat actor dossier on the cybercriminal organization Scattered Canary.