Scripted Sparrow Sends Millions of BEC Emails Each Month


Security researchers have uncovered a global business email compromise (BEC) gang that is sending millions of customized messages each month to targets.

Fortra said the “Scripted Sparrow” collective spans three continents and at least five countries, with fraudsters posing as executive coaching firms to send an estimated 4-6 million “highly targeted” emails to victims each month.

The group has also registered at least 119 domains and 245 webmail addresses to further its schemes, and uses 256 bank accounts, according to Fortra’s report, Scripted Sparrow: A Prolific BEC Threat Group.

“The group operates by posing as various executive coaching and leadership training consultancies,” the report explained.

“They send a message to a member of the victim organization’s Accounts Payable team, typically with two PDF attachments: an invoice, containing ACH or wire transfer instructions, and a completed W-9 form. The body of their initial message contains a spoofed reply chain between the fictitious consultancy and an executive of the victim organization.”


In some recent attacks, the group has intentionally omitted the two attachments it claims to include with the email, in order to avoid exposing its money mule bank account until it has a victim gullible enough to ask for the attached invoice to be resent.

The group has been active since at least June 2024, with Fortra having recorded 496 unique engagements.

“To better gauge the scope of the group’s operations, we looked at the domain kornferry.ws, which was used in one of our 496 engagements, to see if any of our Cloud Email Protection (CEP) customers saw activity from that domain. Looking at CEP data, we found that 23 organizations had been sent mail from that domain, with 70 users targeted,” Fortra continued.

“While I wish that every company in the world was protected by Fortra CEP, a more realistic estimate would be that one out of every 1,000 companies worldwide uses CEP. In other words, a conservative estimate would be that for each message seen by our team, Scripted Sparrow likely sent 70,000 messages. The 94 engagements we conducted in September likely represent about 6.6 million targeted messages sent by the group.”

Scripted Sparrow’s Infrastructure

Digging deeper, Fortra noticed that most interactions it had with the BEC actors were with Windows computers running Remote Desktop Protocol (RDP). As well as RDP, Scripted Sparrow appears to use location spoofing and browser plugins to throw investigators off the scent.

“After running our algorithm against the raw data, we mapped only the high-confidence locations,” the report noted.

“Based on our analysis, we believe the Scripted Sparrow group has members located in Nigeria, South Africa, Türkiye, Canada, and the US.”

The group mainly uses a combination of webmail (55%) and email addresses on domains it controls (43%), with preferred registrars NameSilo and Dynadot. It uses mainly Skia to create its PDFs and some members use Telegram for comms, Fortra explained.

Analyzing the group’s shared browser fingerprints, bank accounts and email addresses, Fortra concluded that Scripted Sparrow is a “loose collective of fraudsters, all working off the same basic playbook.”

The vast majority of observed BEC attacks have been conducted in English, although Fortra has also seen some in Swedish. It’s unclear whether the group is already using generative AI (GenAI), although if it is not, this won’t be the case for long as it continues to evolve and refine tactics, the report noted.

“Organizations should ensure that standard payment approval protocols are followed, regardless of the invoice amount involved. Never trust a reply chain contained in an email from an external source, as this is easily spoofed,” Fortra concluded.

“Always verify expenses with the employee who allegedly purchased a product or service, and make sure you use the official communication channel(s) for that employee, rather than simply replying to the original message you received.”
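The two tells Fortra describes, a pasted reply chain inside a message from an external sender and a "see attached invoice and W-9" that never arrives, can be screened for mechanically before a message reaches Accounts Payable. The Python below is an added example written for this article, not Fortra's code or anything from the report; the message, the domain victim.example and the sender address are constructed placeholders.

```python
from email import message_from_bytes, policy

# Constructed sample (not a real message): external sender, a quoted
# "reply chain" naming an internal executive, a claim of attached invoice
# and W-9, but no attachments and no threading headers. All names and
# domains are placeholders.
SAMPLE = b"""\
From: Executive Coaching Partners <billing@coaching-example.test>
To: ap@victim.example
Subject: RE: Invoice 4471 - leadership workshop
Message-ID: <1@coaching-example.test>
Content-Type: text/plain

Hi, per the thread below please process the attached invoice and W-9.

From: Jane Doe <jane.doe@victim.example>
Sent: Monday
To: billing@coaching-example.test
Subject: leadership workshop
Approved, please send the invoice to AP.
"""

INTERNAL_DOMAIN = "victim.example"  # assumed domain of the protected organization

def bec_indicators(raw: bytes, internal_domain: str = INTERNAL_DOMAIN) -> list[str]:
    """Return heuristic indicator names found in a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender = str(msg.get("From", "")).lower()
    external = f"@{internal_domain}" not in sender
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    findings = []
    # 1. A pasted reply chain mentioning an internal address, while the
    #    message carries no In-Reply-To/References: it was never a real reply.
    quoted_internal = "\nfrom:" in text and f"@{internal_domain}" in text
    threaded = bool(msg.get("In-Reply-To") or msg.get("References"))
    if external and quoted_internal and not threaded:
        findings.append("spoofed_reply_chain")
    # 2. Body talks about an attached invoice/W-9 but nothing is attached,
    #    the bait Fortra saw used to provoke a "please resend" reply.
    claims = any(w in text for w in ("attached", "attachment", "w-9", "invoice"))
    has_attachment = any(True for _ in msg.iter_attachments())
    if external and claims and not has_attachment:
        findings.append("missing_claimed_attachment")
    return findings

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

A hit on either indicator is a reason to route the message for the out-of-band verification the report recommends, not proof of fraud on its own.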

BEC fraudsters made nearly $2.8bn off their victims in 2024, according to the FBI.
