New Threat Research: Uncovering Adversarial LDAP Tradecraft

Read Threat Research


Exaggerated Lion Using G-Suite in Business Email Compromise Campaigns

Exaggerated Lion: A newly discovered threat group, dubbed Exaggerated Lion, is believed to have targeted over 2,100 organizations in the US with Business Email Compromise (BEC) campaigns since 2013. The group is distributed between multiple countries around Africa including Nigeria, Ghana and Kenya. The group frequently used Google’s G-Suite platform to send email messages to organizations, trying to trick employees into sending money to pay for invoices that the group fraudulently produces. Researchers from Agari engaged with the group and found that unlike most BEC cybergangs, this one typically asked their victims to send the money via physical check, as opposed to bitcoin or gift card. This component of the attack leads researchers to believe that the group is used to working with fraudulent checks from previous campaigns. The scammers ask the victims to send checks to an address were a money mule will cash them and then proceed to transfer the money to the threat actors via bank transfer or bitcoin. The group has registered over 1,400 domains since 2017, 98% of which used Google G-Suite. Using G-Suite to send email helps the group evade some email threat scanners, because the email messages originate from trustworthy Google servers. The group uses domains that are very long and include words such as “secure” and “mail” to help give the appearance that these domains are legitimate.

Analyst Notes

: The techniques that the group uses in their attacks have allowed them to be successful. By making the emails and domains look legitimate, it becomes easier to trick their victims into sending the money. Business Email Compromise has cost US businesses over $26 billion since 2016, according to the latest report from the FBI. Phishing is still one of the most utilized ways by threat actors to break into companies to gain access to their infrastructure or initiate fraudulent money transfers. Proper security training for company employees can help stop the success of this attack technique. Monitoring for compromised email account passwords allows organizations to be alerted when a corporate email has been leaked online. The Binary Defense Counterintelligence service monitors for compromised email accounts online and alerts clients when their employees’ email addresses appear. This forewarns organizations about who will most likely be targeted in BEC attacks or other scams and allows them to work with those employees and monitor their email to stop these types of attacks. More information can be found here: