A group of business email compromise (BEC) scammers that targeted thousands in the United States employed Google’s G Suite for their infrastructure, Agari reports.
More than 3,000 employees at nearly 2,100 companies were targeted by the same scammers over the course of five months alone, between April and August 2019, the security firm says. The targets were spread out all around the country.
The group, which Agari’s security researchers refer to as Exaggerated Lion, is made up of individuals located in Nigeria, Ghana, and Kenya. The threat actor appears to have started engaging in BEC activities in 2017, but it was an established fraud ring long before that.
Active since at least 2013, the group engaged in check fraud schemes in 2014, and has sent out thousands of fake checks since then, “adding up to millions of dollars in fraudulent funds using this scheme and others like it,” Agari says in its report (PDF).
The cybercriminals appear to prefer victims in the U.S., likely because checks are their preferred cash-out method. However, the aforementioned 3,000 individuals, who are located in 49 of the 50 U.S. states and the District of Columbia, are likely only a small portion of the group’s overall target set.
“A vast majority of the targets identified held a title that indicates they work in the accounts payable department of an organization. The use of keywords in an employee’s title is a common way BEC groups quickly identify targets that are likely to handle transactions they are trying to exploit,” Agari notes.
While other BEC scammers request wire transfers, Exaggerated Lion clearly prefers physical checks instead, likely a reflection of their long-standing experience in check fraud.
The cybercriminals use a network of check mules primarily made up of romance scam victims, who are often told they are helping their romantic partner recover a large inheritance that is being distributed slowly over time due to legal issues.
The security researchers discovered that the group used two distinct tiers of mules. Since April 2019, the researchers identified 48 mule accounts used by the group, as well as 28 check mules, including seven “Tier I” mules.
Tier I mules are long-standing romance scam victims who have built up a significant amount of trust and who handle large amounts of money. Tier II mules, newer to the network and not yet trusted with significant components of the BEC process, usually send money to the Tier I mules.
Mules deposit checks into their bank accounts, after which the money is sent to the Exaggerated Lion scammer, usually via Western Union or MoneyGram money transfers. However, Bitcoin transfers via Bitcoin ATMs and gift cards are also used.
Since April 2019, the group was observed evolving tactics and switching to the use of fake invoices and W-9s, documents that are commonly used in authentic business transactions.
Exaggerated Lion used a free invoice generator that only required the attackers to enter the target company’s details, the mule’s information, some fake services supposedly being provided, and a price. They also used old, fillable versions of the W-9 form that are publicly available on the Internal Revenue Service (IRS) website. The mule’s actual social security number was used on the form.
The scammers have been abusing G Suite, Google’s collaboration and productivity solution, as part of their delivery infrastructure, with 98% of more than 1,400 domains used by Exaggerated Lion registered with Google.
Because Google only starts charging G Suite users after the first month, the scammers could register new domains and use each for the 30-day free trial period, which was more than enough to perform fraud. Moreover, they don’t need to set up additional infrastructure, and G Suite allows them to “maximize the amount of potential emails they can send in a day,” Agari notes.
Exaggerated Lion also registered domains that would use words meant to induce a sense of security, including “secure,” “ssl,” “portal,” “server,” “apps,” “office,” “mail” and “executive.” The majority of the domains are hosted on the .MANAGEMENT top-level domain (TLD), the researchers say.
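The domain characteristics above (security-themed keywords in the label, the .MANAGEMENT TLD, and a registration age inside the 30-day G Suite trial window) can be turned into a simple sender-domain triage heuristic for a mail gateway or SOC enrichment step. The script below is an added example, not code from Agari or from the report; it assumes that domain creation dates would normally come from a WHOIS/RDAP lookup, and the sample sender domains and dates are constructed inline so it runs offline.

```python
"""
Heuristic triage of sender domains against the pattern described in the article:
trust keywords in the domain label, the .management TLD, and a registration date
inside the 30-day free-trial window. Assumption: creation dates come from an
external WHOIS/RDAP lookup; here they are constructed so the script runs offline.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Iterable, List, Optional, Tuple

# Keywords the report says appeared in the group's domains
TRUST_KEYWORDS = ("secure", "ssl", "portal", "server", "apps", "office", "mail", "executive")
SUSPICIOUS_TLDS = {"management"}   # TLD hosting the majority of the group's domains
TRIAL_WINDOW_DAYS = 30             # length of the G Suite free trial abused by the group


@dataclass
class DomainScore:
    domain: str
    score: int
    reasons: List[str] = field(default_factory=list)


def score_domain(domain: str, created: Optional[date], today: date) -> DomainScore:
    """Return a suspicion score and human-readable reasons; higher is more suspicious."""
    labels = domain.lower().strip(".").split(".")
    tld = labels[-1]
    label_text = "-".join(labels[:-1])  # e.g. "secure-portal-office"
    score, reasons = 0, []

    if tld in SUSPICIOUS_TLDS:
        score += 2
        reasons.append(f"TLD .{tld} is heavily used by the group")

    hits = [kw for kw in TRUST_KEYWORDS if kw in label_text]
    if hits:
        score += len(hits)
        reasons.append("trust keyword(s): " + ", ".join(hits))

    if created is not None:
        age = (today - created).days
        if age <= TRIAL_WINDOW_DAYS:
            score += 2
            reasons.append(f"registered {age} days ago (inside free-trial window)")

    return DomainScore(domain, score, reasons)


def triage(records: Iterable[Tuple[str, Optional[date]]], today: date,
           threshold: int = 3) -> List[DomainScore]:
    """records: (sender_domain, creation_date_or_None). Returns entries at or above threshold."""
    flagged = []
    for domain, created in records:
        ds = score_domain(domain, created, today)
        if ds.score >= threshold:
            flagged.append(ds)
    return flagged


# Constructed sample: sender domains extracted from From: headers, with lookup results
SAMPLE = [
    ("secure-portal-office.management", date(2019, 7, 28)),  # constructed; matches the pattern
    ("mail-executive.management", date(2019, 6, 1)),         # keywords + TLD, but older
    ("example.com", date(1995, 8, 14)),                       # long-established, benign
    ("news-apps.org", None),                                  # one keyword, no WHOIS data
]
TODAY = date(2019, 8, 15)  # constructed reference date inside the observation window

if __name__ == "__main__":
    for ds in triage(SAMPLE, TODAY):
        print(f"{ds.domain}: score={ds.score}; " + "; ".join(ds.reasons))
```

The threshold is deliberately low because each signal alone is weak (plenty of legitimate domains contain "mail" or "apps"); the heuristic is meant to route messages from flagged domains to a human review queue or to trigger an out-of-band payment verification, not to block outright.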
Related: BEC Losses Surpassed $1.7 Billion in 2019: FBI
Related: Lithuanian Man Sentenced to Prison Over BEC Scheme Targeting Facebook, Google