Business Email Compromise (BEC) and G Suite: How the Exaggerated Lion Cybercrime Group Cashes Out

Crane Hassold | February 20, 2020 | BEC, Business Email Compromise

Business email compromise (BEC) has become the predominant cyber threat businesses face today. These basic social engineering scams are having a huge impact, to the tune of more than $700 million every month. To make matters worse, the recently released Internet Crime Report from the FBI’s Internet Crime Complaint Center shows that BEC isn’t going away any time soon: losses from BEC attacks grew another 37% in 2019 and accounted for more than 40% of all cybercrime losses last year.

Today, we released our latest threat actor dossier on a BEC group we have been tracking for almost a year, which we have named Exaggerated Lion. This report shows how cybercriminal groups are continually adapting and developing new and innovative tactics to increase the effectiveness of their crimes.

Exaggerated Lion is an African cybercriminal organization that has been active since at least 2013. Since April 2019, we have conducted more than 200 active defense engagements against Exaggerated Lion actors. Our visibility into Exaggerated Lion’s operations as a result of these engagements has given us an in-depth look at how their BEC attacks unfold and have evolved over time.

Composed of actors in Nigeria, Ghana, and Kenya, Exaggerated Lion built a prolific check fraud operation before evolving to BEC attacks starting in mid-2017. One of the most intriguing aspects of Exaggerated Lion’s BEC attacks is their clear preference for physical checks as a cash-out method rather than wire payments, which makes them unique in the BEC threat landscape.

The group’s history of check fraud and romance scams has resulted in a vast network of check mules across the United States. Over the course of our research into Exaggerated Lion, we have uncovered the identities and locations of 28 check mules, including seven “Tier 1” mules who are long-standing romance scam victims that are trusted with large sums of money and who interact more extensively with the main Exaggerated Lion actors.

During our research, we identified more than 3,000 individuals employed by more than 2,100 companies that had been targeted by Exaggerated Lion BEC campaigns between April 2019 and August 2019. All of these targets were located in the United States, in 49 of 50 states and the District of Columbia, an indication that Exaggerated Lion focuses squarely on American targets.

As our engagements with Exaggerated Lion continued, the group evolved their tactics and started using fake invoices and W-9s to inject a sense of authenticity into their attacks. The invoices were created using an easily accessible free invoice generator and the W-9 forms were obtained from the Internal Revenue Service’s public website. Since these documents are commonly used in legitimate business transactions, including them gives Exaggerated Lion’s attacks a better chance of succeeding without any questions being asked.

Exaggerated Lion’s M.O. has remained remarkably consistent over the years. They use very long domain names hosted on G Suite containing words that give the appearance that an email was sent from secure infrastructure. Our research has uncovered more than 1,400 domains that Exaggerated Lion has used to launch BEC campaigns since July 2017. Domains registered by Exaggerated Lion actors comprise more than 10% of all .MANAGEMENT domains that have ever been created and nearly 75% of all .MANAGEMENT domains that have ever been registered with Google.

To protect against threats like Exaggerated Lion, organizations first need to understand and accept the state of today’s cyber threat landscape. Most email-based threats today, like BEC attacks, are very simple social engineering attacks that are technically unsophisticated. To effectively protect against these threats, companies need to make sure they have defenses in place that are equipped to detect identity deception attacks that traditional inbound filters are not accustomed to handling. Additionally, organizations should have good internal processes in place, so payment requests, regardless of source, are verified before they are processed.
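As an added illustration of the defensive point above (this is example code written for this post, not Agari's code or anything from the report), here is a small Python triage script that scores an inbound From: domain against the traits the post attributes to Exaggerated Lion: very long names, the .MANAGEMENT TLD, and security-themed words. The word list, length threshold, score weights and sample headers are all constructed assumptions; a hit should route the message into the out-of-band payment verification process described above rather than block it outright.

```python
"""Defender-side triage of inbound sender domains for the lookalike pattern described above.

Added example, not Agari's code. The word list, length threshold, score weights
and sample From: headers are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field

# Assumed: words that make a domain read like "secure" mail infrastructure.
SECURITY_WORDS = ("secure", "mail", "server", "encrypted", "protected", "office", "exchange")
# The post singles out the .MANAGEMENT TLD; add others from your own telemetry.
WATCHED_TLDS = ("management",)
LONG_DOMAIN_CHARS = 30  # assumed threshold for a "very long" domain name
REVIEW_THRESHOLD = 4    # assumed score at which a message is held for verification


@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)


def sender_domain(header_from: str) -> str:
    """Return the lowercase domain from a From: value such as 'Name <user@domain>'."""
    m = re.search(r"<([^>]+)>", header_from)
    addr = m.group(1) if m else header_from.strip()
    return addr.rsplit("@", 1)[-1].lower().rstrip(".")


def assess(header_from: str) -> Verdict:
    """Score one sender domain against the traits described in the post."""
    v = Verdict(sender_domain(header_from))
    labels = v.domain.split(".")
    if len(v.domain) >= LONG_DOMAIN_CHARS:
        v.score += 2
        v.reasons.append(f"long domain ({len(v.domain)} chars)")
    if labels[-1] in WATCHED_TLDS:
        v.score += 2
        v.reasons.append(f"watched TLD .{labels[-1]}")
    hits = [w for w in SECURITY_WORDS if w in v.domain]
    if hits:
        v.score += len(hits)
        v.reasons.append("security-themed words: " + ", ".join(hits))
    if v.domain.count("-") >= 2:
        v.score += 1
        v.reasons.append("multiple hyphens")
    return v


def needs_review(header_from: str) -> bool:
    """True when the sender should be held for out-of-band payment verification."""
    return assess(header_from).score >= REVIEW_THRESHOLD


# Constructed sample headers; these are not real Exaggerated Lion domains.
SAMPLE_FROM_HEADERS = [
    "Accounts Payable <ap@secure-mail-server-protected-office.management>",
    "Jane Doe <jane.doe@example.com>",
    "IT Helpdesk <help@mail.example.org>",
]

if __name__ == "__main__":
    for h in SAMPLE_FROM_HEADERS:
        v = assess(h)
        state = "REVIEW" if v.score >= REVIEW_THRESHOLD else "ok    "
        print(f"{state} {v.score:2d} {v.domain}  {'; '.join(v.reasons)}")
```

The scoring is deliberately additive so that a single benign trait (an ordinary domain that happens to contain "mail") stays well below the review threshold, while the combination of traits the post describes scores far above it. Tune the word list and weights from your own mail telemetry rather than treating these values as fixed.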

For more information on Exaggerated Lion, you can download the full report or attend the webinar.

For a list of historical Exaggerated Lion domains, please see our supplemental report appendix.
