BEC Group Compromises Personal Accounts and Pulls Heartstrings to Launch Mass Gift Card Attacks

The pandemic, costly major illnesses, and other crises have made individual requests for help a regular occurrence on social media and via email. People who contribute want to help others get back on their feet after an illness or the loss of a loved one.

Unfortunately, there’s at least one criminal group that’s now fine-tuning the exploitation of people’s willingness to lend a hand to others when they’re sick or bereaved. These criminals are leveraging one of the pandemic era’s preferred instruments of person-to-person assistance to put a new, insidious twist on gift card scams, using manipulation and business email compromise (BEC) tactics.

Lilac Wolverine is a BEC group that compromises personal email accounts, then sends out very large email campaigns targeting everyone on each compromised account’s contact list asking for help purchasing gift cards for a friend or relative. Based on the active defense engagements we’ve conducted with Lilac Wolverine actors, the group is highly centralized in Nigeria, a historically common hot spot for BEC actors.

When BEC really took off around 2015/2016, attacks were primarily focused on impersonating executives to target employees with messages requesting payment for fake invoices. Over the years, though, the targets and tactics of BEC scammers have evolved, including their methods of extracting funds from victims.

The use of gift cards as a payment method in BEC attacks started increasing rapidly during the second half of 2017 and quickly became the most common form of payment requested in BEC attacks. The popularity of gift cards as a cash-out method for BEC attacks seems illogical–our data shows the average amount requested in gift card attacks this year is slightly less than $1,500, compared to nearly $80,000 for an internal impersonation payment fraud BEC attack–however, the main reason these attacks have become so popular is that the potential target population is exponentially larger.

For payment fraud BEC attacks, a scammer’s targets are generally limited to employees on a company’s finance team. Payroll diversion attacks can usually only be pulled off by attacking an employee in a human resources department. Gift card attacks, on the other hand, can target any employee at an organization, regardless of what department they sit in. Instead of having a limited number of targets available, a scammer has potentially hundreds of employees they can go after in a single campaign. And while the overall success rate may be much lower for each individual gift card BEC attack email, a scammer’s overall chance of success within a significantly larger email campaign goes up, since they just need a small percentage of a much larger target population to fall for the scam.

As we’ll see, Lilac Wolverine takes advantage of this broader target pool by launching some of the largest campaigns we see from any BEC threat group out there.

Lilac Wolverine’s overall tactics are similar to vendor email compromise (VEC) attacks, which we discussed at length in our financial supply chain compromise report. In a VEC attack, an attacker compromises the email account of a high-value employee at a vendor or supplier and leverages that account to target employees at other companies in a second-stage attack.

Instead of targeting businesses, Lilac Wolverine goes after personal email accounts, especially those hosted on AOL, Yahoo, BellSouth, Verizon, and Rogers webmail services. And the group goes after a lot of accounts. Lilac Wolverine’s extremely high attack volume makes the group one of the most prolific we track today.

Rather than sending messages directly from the accounts they compromise, Lilac Wolverine copies the accounts’ contacts to use in the next stage of their attack.

Using the same usernames as the compromised accounts or very similar ones, the group sets up lookalike email accounts on other free webmail services, usually Gmail, Hotmail, Outlook, or another service that’s different from the compromised account’s service.

Then, Lilac Wolverine uses the lookalike email accounts to reach out to the victims’ contact lists. These emails are spoofed to appear to be from the compromised email account, but they use the newly created lookalike account as the reply-to address.

The initial emails seem innocuous, asking for a favor, looking to catch up, or asking if the recipient shops on Amazon, according to the most frequently used subject lines. There’s no request for money or gift cards—yet.

Once recipients respond to the initial spoofed emails, Lilac Wolverine steers the conversation around to the goal: asking their targets to purchase gift cards for a friend’s birthday. These requests come with a plausible reason why the sender can’t buy the gift cards themselves, such as issues with their credit card or trouble making online purchases while traveling.

Lilac Wolverine typically requests easily available cards that recipients are likely familiar with, including Amazon, Apple, and Google Play, at amounts ranging from $100 to $500 per request. They often include the “friend’s” email address where the recipient can send the card.

Of course, there’s no guarantee that recipients will take the bait, even though the sender promises to pay them back. So, many Lilac Wolverine messages include sensitive topics chosen to pluck at the heartstrings of recipients. Sometimes the fictional birthday friend also has cancer or just lost loved ones to COVID-19—or both.

Considering the number of people who’ve lost friends and family to the pandemic, to say nothing of cancer, including these topics has a decent chance of triggering a sympathetic emotional response from recipients. That can push them to act quickly—before they have time to think critically about the message and possibly delete or report it. And because sending gift cards is so easy, it only takes a few clicks for recipients to unwittingly send Lilac Wolverine their money.

Security experts, law enforcement agencies, and consumer advocates have been warning people about gift card email scams for years. But these scams still work, especially when the appeals seem to come from someone the recipient knows and when they carry an emotionally-charged plea to help someone who appears to be having an especially tough time.

Human nature makes this type of BEC attack doubly hard to fight. Training staffers on BEC awareness and best practices for validating gift card request emails can help employees remember to take a breath, check by phone or in person with the sender, and report questionable emails instead of responding right away.

The most effective approach, however, is to keep BEC attacks and gift card scams from reaching their targets. Modern, behavioral AI-based solutions can analyze sender identity and activity, baseline known-good behavior, and use those insights to detect anomalies. This anomaly detection capability separates good emails from malicious messages that can evade detection by legacy systems.

See how Abnormal blocks email attacks before they can reach employee inboxes. Request a demo today.