Scripted Sparrow: The Automated BEC Group Deceiving Organizations Worldwide
A newly identified Business Email Compromise (BEC) group, dubbed Scripted Sparrow, has been operating across three continents, employing extensive automation to execute large-scale phishing campaigns. By impersonating executive coaching or leadership training consultancies, it aims to deceive employees into processing fraudulent invoices.
Tactics and Techniques
The group’s typical attack begins with an email directed at a member of the Accounts Payable team. These emails often contain a spoofed reply chain that mimics a conversation between a vendor and a company executive, lending credibility to the fraudulent request. The emails usually include an invoice for services such as The Catalyst Executive Circle and a W-9 form.
Notably, the invoices are often crafted to fall just under $50,000, specifically $49,927.00, to avoid triggering higher-level financial approval workflows.
Evasion and Automation
To bypass security filters, Scripted Sparrow has evolved its tactics. Instead of attaching malicious documents directly, they sometimes intentionally omit them, prompting the recipient to reply and ask for the missing files. This conversation builds trust before the final payload is delivered.
The scale of their operations is massive, with estimates suggesting the group sends millions of targeted messages monthly. This volume heavily implies the use of automated scripting tools to manage such a high quantity of correspondence. Metadata analysis revealed that 76% of their PDF attachments were generated using the Skia/PDF library, indicating a streamlined, programmatic approach to document creation.
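The indicators described above (a spoofed reply chain, an invoice priced just under the approval threshold, and a PDF produced programmatically with Skia/PDF) can be turned into a mail-gateway triage check. The following script is an added example, not code from the article or from any vendor it cites. The PDF bytes, the headers and the $50,000 threshold with its 2% band are constructed or assumed values; adapt them to your own Accounts Payable policy.

```python
import re
from decimal import Decimal
from typing import Dict, List, Optional

# Constructed sample: a minimal PDF whose Info dictionary carries the /Producer
# value a programmatic generator writes. It stands in for a real attachment.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (Skia/PDF m119) /Creator (Chromium) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\n%%EOF\n"
)

# Assumed policy values: tune to the organisation's own AP approval workflow.
APPROVAL_THRESHOLD = Decimal("50000.00")
NEAR_THRESHOLD_BAND = Decimal("0.02")      # within 2 % below the threshold
SUSPECT_PRODUCERS = ("Skia/PDF",)          # producer prefixes worth a second look

_PRODUCER_RE = re.compile(rb"/Producer\s*\((.*?)\)", re.DOTALL)


def pdf_producer(data: bytes) -> Optional[str]:
    """Return the /Producer string from a PDF's Info dictionary.

    Only a plain literal string is handled; producers stored in compressed
    object streams, as hex strings or in XMP need a real parser (e.g. pypdf).
    """
    m = _PRODUCER_RE.search(data)
    return m.group(1).decode("latin-1") if m else None


def near_threshold(amount) -> bool:
    """True when the amount sits just below (but not at) the approval threshold."""
    amt = Decimal(str(amount))
    floor = APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND)
    return floor <= amt < APPROVAL_THRESHOLD


def looks_like_spoofed_reply(headers: Dict[str, str]) -> bool:
    """A 'Re:' subject with no threading headers suggests a fabricated reply chain."""
    subject = headers.get("Subject", "").strip().lower()
    threaded = bool(headers.get("In-Reply-To") or headers.get("References"))
    return subject.startswith(("re:", "fw:", "fwd:")) and not threaded


def triage_invoice(amount, pdf_bytes: Optional[bytes], headers: Dict[str, str]) -> List[str]:
    """Collect the BEC indicators described in the article for one inbound invoice."""
    flags: List[str] = []
    if near_threshold(amount):
        flags.append(f"amount {amount} just below approval threshold {APPROVAL_THRESHOLD}")
    if pdf_bytes is not None:
        producer = pdf_producer(pdf_bytes)
        if producer and producer.startswith(SUSPECT_PRODUCERS):
            flags.append(f"pdf producer {producer!r} matches programmatic generator")
    if looks_like_spoofed_reply(headers):
        flags.append("reply-style subject without In-Reply-To/References headers")
    return flags


if __name__ == "__main__":
    # Constructed headers mimicking the lure described above.
    sample_headers = {"Subject": "Re: Catalyst Executive Circle - invoice",
                      "From": "vendor@example.com"}
    for flag in triage_invoice("49927.00", SAMPLE_PDF, sample_headers):
        print("FLAG:", flag)
```

None of these signals is conclusive on its own: many legitimate invoices are exported from Chromium-based tools that also embed Skia/PDF, so the value of the check lies in the combination and in routing matches to a human rather than blocking outright.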
Operational Security and Evasion Tactics
Scripted Sparrow employs various operational security measures to cover its tracks. During active defense engagements, researchers observed the group using browser plug-ins to spoof their geolocation. However, these attempts often revealed their lack of technical sophistication and understanding of Remote Desktop Protocol (RDP). For instance, some actors appeared to be operating from unlikely remote locations due to the poor configuration of their tools.
Further analysis of browser fingerprints exposed more inconsistencies. In one case, a threat actor appeared to travel from San Francisco to Toronto in mere seconds, confirming the use of location-masking software. Additionally, a technical review of user agent strings identified entries such as TelegramBot (like TwitterBot). This specific data point suggests the group utilizes Telegram for internal communication and coordination.
These technical slips provide defenders with valuable signals to identify and block their infrastructure effectively.
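Two of the slips above, the impossible San Francisco-to-Toronto hop and the TelegramBot user agent, translate directly into detection logic over session or web-server logs. The script below is an added example, not code from the article or its researchers; the log lines, IP addresses (RFC 5737 documentation ranges), user names and the 1,000 km/h plausibility ceiling are all constructed or assumed.

```python
import math
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed session log lines: timestamp,user,client_ip,lat,lon,user_agent
SAMPLE_LOG = """\
2024-03-04T10:15:02Z,actor01,203.0.113.10,37.7749,-122.4194,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-04T10:15:09Z,actor01,198.51.100.7,43.6532,-79.3832,Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-03-04T10:16:40Z,-,192.0.2.55,0.0,0.0,TelegramBot (like TwitterBot)
2024-03-04T11:00:00Z,alice,203.0.113.44,51.5074,-0.1278,Mozilla/5.0 (Macintosh)
2024-03-04T13:30:00Z,alice,203.0.113.44,51.5074,-0.1278,Mozilla/5.0 (Macintosh)
"""

MAX_PLAUSIBLE_KMH = 1000.0          # assumed ceiling: faster than any airliner
MIN_JUMP_KM = 100.0                 # ignore geo-IP jitter between nearby points
BOT_UA_MARKERS = ("TelegramBot",)   # link-preview fetcher UA noted in the article

Event = Tuple[datetime, str, str, float, float, str]


def parse_log(text: str) -> List[Event]:
    """Parse the constructed CSV format; the user agent may itself contain commas."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, lat, lon, ua = line.split(",", 5)
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       user, ip, float(lat), float(lon), ua))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def find_anomalies(events: List[Event]) -> List[Dict[str, str]]:
    """Flag bot user agents and per-user location jumps that exceed a plausible speed."""
    alerts: List[Dict[str, str]] = []
    by_user: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if any(marker in ev[5] for marker in BOT_UA_MARKERS):
            alerts.append({"type": "bot_user_agent", "ip": ev[2], "user_agent": ev[5]})
        if ev[1] != "-":                      # unauthenticated hits have no travel history
            by_user[ev[1]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            if km < MIN_JUMP_KM:
                continue
            hours = (cur[0] - prev[0]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"type": "impossible_travel", "user": user,
                               "from_ip": prev[2], "to_ip": cur[2],
                               "km": f"{km:.0f}", "kmh": f"{speed:.0f}"})
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG)):
        print(alert)
```

The impossible-travel rule keys on the authenticated identity rather than the IP, so a location-masking plug-in that rotates exit points only makes the jump more visible. A TelegramBot hit on a tracking or canary URL is weaker evidence by itself (any Telegram user pasting a link triggers the preview fetcher), so treat it as corroboration for the other signals rather than as a standalone alert.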