BEC Group Abuses Google G Suite in Scheme Targeting Thousands of Firms

A group of business email compromise (BEC) scammers that targeted thousands in the United States employed Google’s G Suite for their infrastructure, Agari reports.

More than 3,000 employees at nearly 2,100 companies were targeted by the same scammers over the course of five months alone, between April and August 2019, the security firm says. The targets were spread out all around the country.

The group, which Agari’s security researchers refer to as Exaggerated Lion, is comprised of African individuals, located in Nigeria, Ghana, and Kenya. The threat actor appears to have started engaging in BEC activities in 2017, but it was an established fraud ring long before that.

Active since at least 2013, the group engaged in check fraud schemes in 2014, and has sent out thousands of fake checks since then, “adding up to millions of dollars in fraudulent funds using this scheme and others like it,” Agari says in their report (PDF).

The cybercriminals appear to prefer victims in the U.S. likely because checks are their preferred checkout method. However, the aforementioned 3,000 individuals, who are located in 49 of 50 U.S. states, and the District of Columbia, are likely only a small portion of the group’s overall target set.

“A vast majority of the targets identified held a title that indicates they work in the accounts payable department of an organization. The use of keywords in an employee’s title is a common way BEC groups quickly identify targets that are likely to handle transactions they are trying to exploit,” Agari notes.

While other BEC scammers request wire transfers, Exaggerated Lion clearly prefers physical checks instead, likely a reflection of their long-standing experience in check fraud.

The cybercriminals use a network of check mules primarily comprised of romance scam victims, who are often told they are helping their romantic partner recover a large inheritance being distributed slowly over time, due to legal issues.

The security researchers discovered that the group used two distinct tiers of mules. Since April 2019, the researchers identified 48 mule accounts used by the group, as well as 28 check mules, including seven “Tier I” mules.

Tier I mules are long-standing romance scam victims who have built up a significant amount of trust and would handle large amounts of money. Tier II mules, newer to the network and not yet trusted with significant components of the BEC process, usually send money to the Tier I mules.

Mules deposit checks into their bank accounts, after which the money is sent to the Exaggerated Lion scammer, usually via Western Union or MoneyGram money transfers. However, Bitcoin transfers via Bitcoin ATMs and gift cards are also used.

Since April 2019, the group was observed evolving tactics and switching to the use of fake invoices and W-9s, documents that are commonly used in authentic business transactions.

Exaggerated Lion used a free invoice generator that only required the attackers to enter the target company’s details, the mule’s information, some fake services supposedly being provided, and a price. They also used old, fillable versions of the W-9 form that are publicly available on the Internal Revenue Service (IRS) website. The mule’s actual social security number was used on the form.

The scammers have been abusing G Suite, Google’s collaboration and productivity solution, as part of their delivery infrastructure, with 98% of more than 1,400 domains used by Exaggerated Lion registered with Google.

Because Google only starts charging G Suite users after the first month, the scammers could register new domains and use each for the 30-day free trial period, which was more than enough to perform fraud. Moreover, they don’t need to set up additional infrastructure, and G Suite allows them to “maximize the amount of potential emails they can send in a day,” Agari notes.

Exaggerated Lion also registered domains that would use words meant to induce a sense of security, including “secure,” “ssl,” “portal,” “server,” “apps,” “office,” “mail” and “executive.” The majority of the domains are hosted on the .MANAGEMENT top-level domain (TLD), the researchers say.
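
For mail-gateway triage, the three infrastructure traits reported above (trust-inducing keywords, the .MANAGEMENT TLD, and domains used within the 30-day trial window) can be combined into a simple sender score. This is an added example, not code from Agari or SecurityWeek; the weights, the threshold, the function names, and the caller-supplied domain age (for instance from a registration-data lookup) are assumptions, and the sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Indicators quoted in the article; the weights and threshold are assumptions.
TRUST_WORDS = ("secure", "ssl", "portal", "server", "apps", "office", "mail", "executive")
FLAGGED_TLD = "management"
TRIAL_WINDOW_DAYS = 30  # G Suite free-trial period described above

def sender_domain(raw_message):
    """Return the lower-cased domain of the From: header ("" if absent)."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    return addr.rpartition("@")[2].lower().rstrip(".")

def score_domain(domain, age_days):
    """Score a domain on the three reported traits; returns (score, reasons)."""
    score, reasons = 0, []
    labels = domain.split(".")
    # Substring match; weak alone ("mail" also matches gmail.com), so one point.
    hits = [w for w in TRUST_WORDS if any(w in label for label in labels[:-1])]
    if hits:
        score += 1
        reasons.append("trust keyword: " + ",".join(hits))
    if labels[-1] == FLAGGED_TLD:
        score += 1
        reasons.append("tld: .management")
    # Unknown age (None) adds nothing; resolve it before clearing the sender.
    if age_days is not None and age_days <= TRIAL_WINDOW_DAYS:
        score += 2
        reasons.append(f"registered {age_days}d ago")
    return score, reasons

def triage(samples, threshold=3):
    """Return (domain, score, reasons) for senders at or above the threshold."""
    out = []
    for raw, age in samples:
        domain = sender_domain(raw)
        score, reasons = score_domain(domain, age)
        if score >= threshold:
            out.append((domain, score, reasons))
    return out

# Constructed sample data: headers and domain ages are invented for illustration.
SAMPLES = [
    ("From: CEO <ceo@secure-mail-portal.management>\nSubject: Invoice\n\nPlease pay.", 6),
    ("From: Billing <ap@example.com>\nSubject: Statement\n\nAttached.", 4100),
]

if __name__ == "__main__":
    print(triage(SAMPLES))
```

A flagged sender is a prompt for manual review of the payment request, not a verdict; established domains that match only one trait stay below the threshold.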

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
