Exaggerated Lion: A newly discovered threat group, dubbed Exaggerated Lion, is believed to have targeted over 2,100 organizations in the US with Business Email Compromise (BEC) campaigns since 2013. The group is distributed across several African countries, including Nigeria, Ghana and Kenya. It frequently uses Google’s G-Suite platform to send email to organizations, trying to trick employees into paying invoices that the group fraudulently produces. Researchers from Agari engaged with the group and found that, unlike most BEC gangs, this one typically asks its victims to pay by physical check rather than by bitcoin or gift card. This detail leads the researchers to believe that the group is accustomed to handling fraudulent checks from previous campaigns. The scammers ask victims to mail checks to an address where a money mule cashes them and then forwards the money to the threat actors by bank transfer or bitcoin. The group has registered over 1,400 domains since 2017, 98% of which used Google G-Suite. Sending email through G-Suite helps the group evade some email threat scanners, because the messages originate from trusted Google servers. The group uses very long domain names that include words such as “secure” and “mail” to make the domains appear legitimate.
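Because the mail is relayed through Google's own servers, sender-authentication results alone say little about these messages; the two traits the report does give, unusually long sender domains and "secure"/"mail" vocabulary in the domain name, can be checked directly on inbound headers. The following Python triage routine is an added example written for this page, not code from Agari or Binary Defense. The sample messages, their domain names, the length threshold and the alert threshold are all constructed for illustration and are not indicators from the report.

```python
from email import message_from_string
from email.utils import parseaddr

# Vocabulary the report says the group placed in its domain names.
SUSPICIOUS_TOKENS = ("secure", "mail")
# Assumed threshold for "very long" registrable domain (not a figure from the report).
LONG_DOMAIN_LEN = 25
# Assumed alert threshold: keyword hits plus one point for excessive length.
ALERT_SCORE = 2

# Constructed sample messages; the domains are hypothetical, not real IoCs.
SAMPLES = [
    "From: Accounts Payable <ap@secure-mail-invoice-processing-services.com>\n"
    "Return-Path: <ap@secure-mail-invoice-processing-services.com>\n"
    "Subject: Invoice 4471 due\n\nPlease remit payment by check.\n",
    "From: Jane Doe <jane@example.com>\n"
    "Return-Path: <jane@example.com>\n"
    "Subject: lunch\n\nSee you at noon.\n",
]


def sender_domain(raw_message: str) -> str:
    """Return the lower-cased domain of the From header's address."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def domain_risk(domain: str) -> dict:
    """Score a sender domain on the two traits highlighted in the report.

    Only the registrable part (last two labels) is scored, so a long
    subdomain on an otherwise ordinary domain is not penalised.
    """
    labels = domain.split(".")
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else domain
    hits = [t for t in SUSPICIOUS_TOKENS if t in registrable]
    is_long = len(registrable) >= LONG_DOMAIN_LEN
    score = len(hits) + (1 if is_long else 0)
    return {"domain": domain, "tokens": hits, "long": is_long, "score": score}


def triage(raw_messages) -> list:
    """Return sender domains whose risk score reaches ALERT_SCORE."""
    flagged = []
    for raw in raw_messages:
        result = domain_risk(sender_domain(raw))
        if result["score"] >= ALERT_SCORE:
            flagged.append(result["domain"])
    return flagged


if __name__ == "__main__":
    for raw in SAMPLES:
        print(domain_risk(sender_domain(raw)))
    print("flagged:", triage(SAMPLES))
```

A single keyword hit is deliberately not enough to alert: "gmail.com" contains "mail" and would otherwise be flagged on every message, which is why the score combines keyword hits with the length signal. In production this heuristic would sit beside, not replace, SPF/DKIM/DMARC evaluation and an allow-list of known supplier domains, and a hit would route the message to finance-team review rather than block it outright.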
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense

Russia’s invasion of Ukraine increased