A prolific and dangerous group called Exaggerated Lion has been hitting targets in the United States with business email compromise (BEC) attacks that follow a very specific model. They have racked up thousands of attempts and hundreds of millions of dollars stolen every month.
The latest estimates place BEC at the forefront of online fraud, with companies registering a total of $26 billion in losses since 2016. While many groups try to profit from BEC attacks, the most prolific one has been named Exaggerated Lion by the Agari Cyber Intelligence Division (ACID).
Exaggerated Lion has been around for years, but specialized mostly in check fraud until it switched to BEC attacks in 2017. The group is based in Africa, with bad actors spread across Nigeria, Ghana and Kenya.
While BEC attackers abound, Exaggerated Lion stands out because it prefers to use physical checks instead of wire transfers. There are a few reasons for this particular choice, but the main one is that the United States is one of the few countries that still uses this form of payment. Also, not using wire transfers forces law enforcement to take an extra step when they try to track them.
Research from Agari shows that almost 2,100 companies were targeted in the few months from April 2019 to August 2019. By including fake invoices and the W-9 form from the Internal Revenue Service (IRS), the attackers infused the scam emails with elements that mimicked authenticity.
Furthermore, the messages came from email addresses with long domain names, hosted on G Suite, and contained words such as “SSL” and “secure” in an effort to trick people into sending checks to specific addresses.
Researchers intercepted many of these messages and engaged the attackers, gathering information about the people used as unwitting “mules.” All details gathered in this operation were forwarded to law enforcement agencies.
The method the attackers used to get hold of the money is also interesting. Exaggerated Lion primarily used “mules,” which in this case were actually romance scam victims: people who were tricked, under various ruses, into cashing checks and sending the money overseas through money transfer companies.
The best way to protect against BEC scams is for companies to educate people to recognize fraudulent emails. BEC is only successful when the human link in the cyber chain is the weakest. Of course, having a complete security suite covering all aspects of the company is implied.