A unique cybercriminal group launched business email compromise (BEC) attacks against more than 2,100 companies in the US between April and August 2019, according to researchers at Agari. The group, which Agari calls “Exaggerated Lion,” is based in Nigeria, Ghana, and Kenya, and it’s been conducting online scams since at least 2013. In 2017, the gang started carrying out BEC scams, and they’ve continually improved their tactics ever since.
Almost all of the group’s emails are sent from domains registered with Google’s G Suite, and most of these domains end with the “.management” top-level domain. Agari notes that only about 12,000 “.management” domains have ever been registered, and more than ten percent of these belong to Exaggerated Lion. Additionally, the group’s domains don’t host any content and are only used for sending emails, indicating that the domains are purely meant for launching BEC attacks.
Interestingly, Exaggerated Lion’s domains don’t try to spoof a company’s website. Rather, they use long strings of technical-looking keywords separated by hyphens. For example, the emails are sent from addresses like “personnel[@]office-secure-ssl-sl-mail71521-apps-server-portal-apps-mai [dot] management.” This method is meant to remove any suspicion on the part of the recipient, since they’ll assume the email was sent from a secure infrastructure and they won’t wonder why it didn’t come from a familiar domain.
The attackers use fake invoices generated by a free online tool, which allows them to easily change the details for each targeted company. They send these invoices to employees who work in the targeted organization’s accounting department. Agari says the gang has generated millions of dollars using these techniques.
Business email compromise is an extremely profitable criminal enterprise, and it’s not surprising that organized crime groups have it down to a science. This is their full-time job, so they can afford to put a great deal of effort into crafting convincing, targeted attacks. You can’t assume that your employees will be able to spot any visible warning signs in these emails, because there often won’t be any. New-school security awareness training can enable your employees to thwart these attacks by teaching them the fundamentals of social engineering.