Business Email Compromise (BEC) , Email Security & Protection , Email Threat Protection

BEC Group Favors G-Suite, Physical Checks: Report

Agari Says 'Exaggerated Lion' Has Targeted Businesses Throughout US
BEC Group Favors G-Suite, Physical Checks: Report

A business email compromise group targeting U.S. businesses is using G-Suite for their scams and collecting money through physical checks instead of wire transfers, according to the security firm Agari.

See Also: Evaluating Software Security Training Providers - A Buyers Guide

Researchers first took notice of the group, which they call "Exaggerated Lion," in April of 2019, but the BEC gang appears to have been operating since at least 2013 and may have targeted some 2,000 enterprises over the years, according to Agari’s newly released report.

Like many other BEC scammers, this group primarily runs its activities from Nigeria, but it also has operations in Ghana and Kenya, according to the report.

Between April and August 2019, Agari analysts tracked several BEC schemes stemming from Exaggerated Lion fraudsters. In addition to BEC scams, the group has attempted romance-scams, phishing and use of fake invoices and tax forms to target employees at U.S enterprises, the rsearchers say.

"All of these targets were located in the United States, in 49 of 50 states and the District of Columbia, an indication of Exaggerated Lion’s square focus on American targets," the report states.

Although the BEC gang originally focused on more traditional check fraud when it started operations in 2013, the group switched to BEC schemes starting around mid-2017, the researchers determined.

In the majority of cases, the Exaggerated Lion gang has focused their efforts on corporate employees working in financial departments.

Google G-Suite Use

In their new report, the Agari researchers say they first became aware of the group that they would call Exaggerated Lion in April 2019, when the fraudsters targeted one of the security firm's clients, according to the report.

In that case, the fraudsters attempted to impersonate the target company's CEO with an email sent to other employees asking if a check could be sent to a "vendor," according to the report.

As the Agari researchers began to study how these fraudsters work, the noticed that they relied heavily on Google G-Suite to host domains that they used to send out various fraudulent emails, which also gave the illusion that these messages were sent from a safe location, the researchers say.

Example of Exaggerated Lion email scam (Source: Agari)

The researchers also noticed that the fraudsters took advantage of different Google services, such as free monthly services and trial periods, to send out as many emails as possible, the report states.

"With standard Gmail accounts, users can only send a maximum of 500 messages a day," the report notes. "Once a G Suite account is out of the trial period, however, it is capable of sending 2,000 messages each day, which is more than enough to do some serious damage, especially considering that most BEC actors still manually send out their BEC emails rather than automating the process."

The researchers identified over 1,400 domains used by Exaggerated Lion gang dating to July 2017. Of these, 98 percent were registered with Google, the report notes.

Over time, the fraudsters changed their tactics to include invoices and W-9 forms downloaded from the U.S. Internal Revenue Service website to add a layer of legitimacy in the e-mail.

The Agari report says these fraudsters prefer physical checks to wire transfers. In the case that Agari examined involving a client, the gang eventually asked for a $17,000 check to cover "professional services." It's believed that if that check had been sent out, it would have been sent to a money mule who would then deposit it in a bank account controlled by the gang before the target company knew the fraud was taking place, the report notes.

Spike In BEC Scams

Over the last two years, security firms and law enforcement have reported a significant uptick in BEC scams, also referred to as CEO fraud.

In a report released earlier this month, FBI's Internet Crime Complaint Center showed BEC scams accounted for nearly half of cybercrime-related financial losses in the U.S. last year. The FBI received nearly 24,000 complaints about BEC scams in 2019, with a total loss of $1.7 billion and an average loss of about $72,000, according to the report (see: FBI: BEC Losses Totalled $1.7 Billion in 2019)

In January, Agari researchers described another variation on BEC scams, where fraudsters attempted to access companies' financial documents, which provide useful information to support the theft of funds (see: BEC Fraudsters Targeting Financial Documents: Report)

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.