Scripted Sparrow is a newly identified Business Email Compromise (BEC) group operating across three continents.
Their operations are vast, leveraging significant automation to generate and distribute attack messages on a global scale.
The group primarily targets organizations by masquerading as executive coaching or leadership training consultancies to deceive unsuspecting employees.
The attack typically begins with an email sent to an Accounts Payable team member. These messages often include a spoofed reply chain simulating a conversation between a vendor and a company executive.
The goal is to lend legitimacy to the request, which usually involves a fraudulent invoice for services like “The Catalyst Executive Circle” and a W-9 form.
The invoices are typically priced just under $50,000, specifically $49,927.00, a figure chosen to stay below the approval threshold many finance teams set at that level, so the payment can be released without senior sign-off.
Recently, Fortra analysts identified that the group has evolved its tactics to slip past email security filters. Instead of attaching the invoice and W-9 directly, where attachment scanning could catch them, they sometimes intentionally omit the files, prompting the recipient to reply and ask for the missing documents.
This conversation builds trust before the final payload is delivered. The scale is massive, with estimates suggesting the group sends millions of targeted messages monthly.
A volume of that size almost certainly requires automated tooling to generate and manage the correspondence.
For example, metadata analysis revealed that 76% of their PDF attachments carried the Skia/PDF producer string, which is what Chromium's print-to-PDF backend writes; documents rendered by headless-browser automation such as Puppeteer are produced this way, indicating a streamlined, programmatic approach to document creation.
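The metadata check described above can be scripted. The following is an added example, not Fortra's tooling: it pulls the /Producer entry out of each PDF's Info dictionary using only the standard library, handles both literal and hexadecimal PDF strings, and reports what share of a batch was generated by Skia/PDF. The sample documents are constructed minimal PDF skeletons built inline; the file names and producer strings are illustrative.

```python
import re
from collections import Counter
from typing import Optional

# /Producer value in a PDF Info dictionary. PDF strings are either literal "(...)"
# (with backslash escapes) or hexadecimal "<...>"; both forms are captured.
_PRODUCER_RE = re.compile(
    rb"/Producer\s*(?:\((?P<lit>(?:\\.|[^\\)])*)\)|<(?P<hex>[0-9A-Fa-f\s]*)>)"
)


def pdf_producer(data: bytes) -> Optional[str]:
    """Return the /Producer string of a PDF, or None if the Info dict has none.

    Raw-byte scanning only: Info dictionaries stored inside compressed object
    streams (PDF 1.5+) or producer data held solely in XMP are not seen here.
    """
    m = _PRODUCER_RE.search(data)
    if not m:
        return None
    if m.group("hex") is not None:
        digits = re.sub(rb"\s", b"", m.group("hex")).decode("ascii")
        if len(digits) % 2:          # PDF treats a missing final digit as 0
            digits += "0"
        raw = bytes.fromhex(digits)
    else:
        # Unescape \( \) \\ ; other escapes are rare in producer strings
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group("lit"))
    if raw.startswith(b"\xfe\xff"):  # UTF-16BE text string with BOM
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def is_skia_generated(producer: Optional[str]) -> bool:
    """Chromium's print-to-PDF backend writes producers of the form 'Skia/PDF mNNN'."""
    return producer is not None and producer.startswith("Skia/PDF")


def producer_summary(docs: dict) -> dict:
    """Tally producers across a batch and compute the Skia/PDF share."""
    producers = {name: pdf_producer(blob) for name, blob in docs.items()}
    counts = Counter(p or "<none>" for p in producers.values())
    skia = sorted(n for n, p in producers.items() if is_skia_generated(p))
    return {"counts": counts, "skia_share": len(skia) / len(docs), "skia_docs": skia}


def _mini_pdf(info_entry: bytes) -> bytes:
    """Constructed minimal PDF skeleton carrying one Info dictionary entry."""
    return (b"%PDF-1.4\n"
            b"1 0 obj\n<< /Type /Catalog >>\nendobj\n"
            b"2 0 obj\n<< " + info_entry + b" /Creator (Chromium) >>\nendobj\n"
            b"trailer\n<< /Root 1 0 R /Info 2 0 R >>\n%%EOF\n")


# Constructed sample batch (hypothetical file names). The second entry encodes
# "Skia/PDF" as a UTF-16BE hex string to exercise that code path.
SAMPLE_DOCS = {
    "invoice_0417.pdf": _mini_pdf(b"/Producer (Skia/PDF m124)"),
    "invoice_0418.pdf": _mini_pdf(b"/Producer <FEFF0053006B00690061002F005000440046>"),
    "w9_form.pdf": _mini_pdf(b"/Producer (Adobe PDF Library 15.0)"),
    "blank.pdf": _mini_pdf(b"/Title (no producer set)"),
}

if __name__ == "__main__":
    summary = producer_summary(SAMPLE_DOCS)
    print(f"Skia/PDF share: {summary['skia_share']:.0%}  {summary['skia_docs']}")
    for producer, n in summary["counts"].most_common():
        print(f"{n:3d}  {producer}")
```

A Skia/PDF producer is not malicious on its own (every Chrome "Save as PDF" produces one), so the value of this signal is in the aggregate: a vendor whose every invoice is browser-rendered, combined with the other indicators on this page, is what makes the cluster stand out. Run the same tally over a known-good corpus first to learn the baseline.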
Operational Security and Evasion Tactics
A distinct aspect of Scripted Sparrow is its attempt to mask its tracks through various operational security measures.
During active defense engagements, researchers observed the group using browser plug-ins to spoof their geolocation.
However, these attempts often betrayed a limited technical grasp, including of how Remote Desktop Protocol (RDP) sessions expose the operator.
For instance, some actors appeared to be operating from unlikely remote locations due to the poor configuration of their tools.
Further analysis of browser fingerprints exposed more inconsistencies. In one case displayed in Figure 6, a threat actor appeared to travel from San Francisco to Toronto in mere seconds, a hop that is physically impossible and therefore shows the reported location was being rewritten by location-masking software.
Additionally, a technical review of user agent strings identified entries such as “TelegramBot (like TwitterBot).”
That user agent belongs to Telegram's link-preview fetcher, which requests any URL posted in a Telegram chat in order to build a preview card; its presence in the logs means links to the tracking infrastructure were being pasted into Telegram, consistent with the group using the platform for internal communication and coordination.
These technical slips provide defenders with valuable signals to identify and block their infrastructure effectively.
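The two signals described above, impossible travel between consecutive hits in one session and messenger link-preview crawlers fetching tracking URLs, are both easy to derive from the kind of telemetry an active-defense site collects. The following is an added example, not Fortra's code: it runs both checks over a constructed set of session records (timestamp, session id, geolocation resolved for the client, user agent). The speed threshold, the session ids and the coordinates are assumptions chosen for illustration.

```python
import math
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed ceiling; above airliner speed, so any hit is a proxy/VPN hop

# User agents of link-preview fetchers. A hit from one of these means the URL was
# pasted into that messenger; the fetcher's IP is the platform's, not the actor's.
LINK_PREVIEW_UAS = ("TelegramBot", "WhatsApp", "Slackbot-LinkExpanding",
                    "facebookexternalhit", "Twitterbot")

# Constructed sample telemetry. Session a1 reproduces the San Francisco -> Toronto
# hop from Figure 6; c3 is an ordinary London -> Paris move 90 minutes apart.
SAMPLE_EVENTS = [
    {"ts": "2024-05-02T14:03:11Z", "session": "a1", "lat": 37.7749, "lon": -122.4194,
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    {"ts": "2024-05-02T14:03:19Z", "session": "a1", "lat": 43.6532, "lon": -79.3832,
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"},
    {"ts": "2024-05-02T14:10:40Z", "session": "b7", "lat": 52.3676, "lon": 4.9041,
     "ua": "TelegramBot (like TwitterBot)"},
    {"ts": "2024-05-02T15:00:00Z", "session": "c3", "lat": 51.5074, "lon": -0.1278,
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"},
    {"ts": "2024-05-02T16:30:00Z", "session": "c3", "lat": 48.8566, "lon": 2.3522,
     "ua": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"},
]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive hits in one session whose implied ground speed exceeds max_kmh."""
    by_session = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_session.setdefault(e["session"], []).append(e)
    findings = []
    for sid, hits in by_session.items():
        for prev, cur in zip(hits, hits[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            secs = (parse_ts(cur["ts"]) - parse_ts(prev["ts"])).total_seconds()
            if secs > 0:
                kmh = km / (secs / 3600)
            else:                     # same-second hits: only a real move is impossible
                kmh = float("inf") if km > 0 else 0.0
            if kmh > max_kmh:
                findings.append({"session": sid, "km": round(km),
                                 "seconds": secs, "kmh": round(kmh)})
    return findings


def link_preview_hits(events):
    """Return (session, user agent) for requests made by messenger preview fetchers."""
    return [(e["session"], e["ua"]) for e in events
            if any(m.lower() in e["ua"].lower() for m in LINK_PREVIEW_UAS)]


if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: session {f['session']} moved {f['km']} km "
              f"in {f['seconds']:.0f}s ({f['kmh']} km/h)")
    for sid, ua in link_preview_hits(SAMPLE_EVENTS):
        print(f"link shared in messenger: session {sid} fetched by {ua!r}")
```

Two practical points follow from the code. First, the geolocation used for the speed check should come from the client's IP as seen by the server (or from a fingerprint the client cannot trivially rewrite), not from browser-supplied values, since the whole point of the check is that the actor controls the browser. Second, exclude link-preview hits from the travel computation: the Telegram fetcher's request is a strong signal in its own right, but its IP says nothing about where the operator sits, and mixing it into a session's location trail will produce false impossible-travel alerts.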
