SecurityWeek
BEC Group Abuses Google G Suite in Scheme Targeting Thousands of Firms

A group of business email compromise (BEC) scammers that targeted thousands in the United States employed Google’s G Suite for their infrastructure, Agari reports.

More than 3,000 employees at nearly 2,100 companies were targeted by the same scammers over the course of five months alone, between April and August 2019, the security firm says. The targets were spread out all around the country.

The group, which Agari's security researchers track as Exaggerated Lion, is made up of individuals located in Nigeria, Ghana, and Kenya. The threat actor appears to have started engaging in BEC activity in 2017, but it was an established fraud ring long before that.

Active since at least 2013, the group was running check fraud schemes by 2014 and has sent out thousands of fake checks since then, "adding up to millions of dollars in fraudulent funds using this scheme and others like it," Agari says in its report (PDF).

The cybercriminals appear to prefer victims in the U.S., most likely because paper checks are their preferred cash-out method. The 3,000 individuals identified, spread across 49 of the 50 U.S. states and the District of Columbia, are likely only a small portion of the group's overall target set.

“A vast majority of the targets identified held a title that indicates they work in the accounts payable department of an organization. The use of keywords in an employee’s title is a common way BEC groups quickly identify targets that are likely to handle transactions they are trying to exploit,” Agari notes.

While other BEC scammers request wire transfers, Exaggerated Lion clearly prefers physical checks, likely a reflection of its long-standing experience with check fraud.

The cybercriminals use a network of check mules made up primarily of romance scam victims, who are often told they are helping their romantic partner recover a large inheritance that is being distributed slowly over time because of legal issues.

The security researchers also found that the group uses two distinct tiers of mules. Since April 2019, they have identified 48 mule accounts used by the group, as well as 28 check mules, seven of whom are "Tier I" mules.

Tier I mules are long-standing romance scam victims who have built up significant trust with the scammers and are entrusted with large amounts of money. Tier II mules, newer to the network and not yet trusted with significant parts of the BEC process, usually forward money to the Tier I mules.

Mules deposit the checks into their own bank accounts and then forward the money to the Exaggerated Lion scammer, usually via Western Union or MoneyGram money transfers; Bitcoin transfers through Bitcoin ATMs and gift cards are also used.

Since April 2019, the group has been observed evolving its tactics, switching to fake invoices and W-9 forms, documents that are commonly used in legitimate business transactions.

Exaggerated Lion used a free online invoice generator that only required the attackers to enter the target company's details, the mule's information, some fake services supposedly being provided, and a price. For the W-9s, they used old fillable versions of the form that are still publicly available on the Internal Revenue Service (IRS) website, filled in with the mule's actual Social Security number.

The scammers have been abusing G Suite, Google's collaboration and productivity suite, as part of their delivery infrastructure: 98% of the more than 1,400 domains used by Exaggerated Lion were registered with Google.

Because Google only starts charging G Suite customers after the first month, the scammers could register new domains and use each one only for its 30-day free trial, which was more than enough time to run a fraud campaign. They also need no additional infrastructure, and G Suite allows them to "maximize the amount of potential emails they can send in a day," Agari notes.

Exaggerated Lion also registered domain names containing words meant to induce a sense of security, including "secure," "ssl," "portal," "server," "apps," "office," "mail" and "executive." The majority of the domains are registered under the .MANAGEMENT top-level domain (TLD), the researchers say.
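The traits described above (keyword-laden domain names, the .management TLD, registration within a 30-day G Suite trial window, and Google-hosted mail) lend themselves to a simple inbound-mail triage check. The following Python is an added example written for this article, not Agari's tooling or anything from the report; the sample From headers, registration dates and MX records are constructed stand-ins for what a real deployment would pull from the message, from RDAP/WHOIS, and from DNS.

```python
"""
Triage heuristics for BEC sender domains, modelled on the Exaggerated Lion
traits: "trust" keywords in the domain name, the .management TLD, a
registration date inside the 30-day G Suite trial window, and Google MX.
Added example; not the report's code. Lookups below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
import re

TRUST_KEYWORDS = ("secure", "ssl", "portal", "server", "apps", "office", "mail", "executive")
SUSPECT_TLDS = ("management",)                  # TLD singled out in the report
GOOGLE_MX_SUFFIXES = ("google.com.", "googlemail.com.")
TRIAL_WINDOW_DAYS = 30                          # G Suite free-trial period
REFERENCE_DATE = date(2019, 7, 30)              # "today" for the sample run

# Constructed stand-in for an RDAP/WHOIS registration-date lookup.
REGISTRATION_DATES = {
    "secure-portal.management": date(2019, 7, 2),
    "example-corp.com": date(2008, 3, 14),
    "ssl-mail-apps.management": date(2019, 7, 20),
}
# Constructed stand-in for DNS MX answers (trailing dot as returned by DNS).
MX_RECORDS = {
    "secure-portal.management": ["aspmx.l.google.com."],
    "example-corp.com": ["mx1.example-corp.com."],
    "ssl-mail-apps.management": ["alt1.aspmx.l.google.com."],
}

@dataclass
class Verdict:
    domain: str
    score: int = 0
    reasons: list = field(default_factory=list)

def sender_domain(from_header: str) -> str:
    """Extract the domain from a From: value such as 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", from_header)
    if not m:
        raise ValueError(f"no address in From header: {from_header!r}")
    return m.group(1).lower().rstrip(".")

def score_domain(domain: str, today: date,
                 reg_dates=REGISTRATION_DATES, mx=MX_RECORDS) -> Verdict:
    """Score one sender domain; higher means more Exaggerated Lion-like."""
    v = Verdict(domain)
    labels = domain.split(".")
    tld, name_labels = labels[-1], labels[:-1]
    if tld in SUSPECT_TLDS:
        v.score += 2
        v.reasons.append(f"tld:.{tld}")
    hits = [k for k in TRUST_KEYWORDS if any(k in lbl for lbl in name_labels)]
    if hits:
        v.score += len(hits)
        v.reasons.append("keywords:" + ",".join(hits))
    reg = reg_dates.get(domain)
    if reg is not None and (today - reg).days <= TRIAL_WINDOW_DAYS:
        v.score += 2
        v.reasons.append(f"registered {(today - reg).days}d ago")
    if any(h.endswith(GOOGLE_MX_SUFFIXES) for h in mx.get(domain, [])):
        v.score += 1
        v.reasons.append("mx:google")
    return v

def triage(messages, today: date, threshold: int = 4):
    """Return the Verdicts of every message whose sender scores >= threshold."""
    flagged = []
    for msg in messages:
        v = score_domain(sender_domain(msg["From"]), today)
        if v.score >= threshold:
            flagged.append(v)
    return flagged

# Constructed sample headers: two lookalike senders and one legitimate one.
SAMPLE_MESSAGES = [
    {"From": "Accounts <ap@secure-portal.management>", "Subject": "Invoice 4471 and W-9"},
    {"From": "Jane Doe <jane@example-corp.com>", "Subject": "Q3 vendor list"},
    {"From": "CFO <cfo@ssl-mail-apps.management>", "Subject": "Urgent: payment by check"},
]

if __name__ == "__main__":
    for v in triage(SAMPLE_MESSAGES, today=REFERENCE_DATE):
        print(v.domain, v.score, v.reasons)
```

The weights are illustrative; the useful part is that each signal is cheap to compute from data a mail gateway already has, and that a legitimate, long-registered domain with its own MX scores zero even if it happens to contain one of the keywords. In production, replace the two dictionaries with real RDAP and DNS lookups and tune the threshold against your own false-positive rate.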

Related: BEC Losses Surpassed $1.7 Billion in 2019: FBI

Related: Lithuanian Man Sentenced to Prison Over BEC Scheme Targeting Facebook, Google

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
