
Exaggerated Lion and Business Email Compromise – Don’t Send That Check!

Graham Cluley

February 26, 2020


More and more businesses are falling victim to Business Email Compromise, where scammers fool companies into transferring money into the bank accounts of criminals.

Sometimes the fraudsters perpetrate such attacks by posing as a senior member of staff, and direct a more junior employee into wiring funds into an account – often describing the money transfer as urgent or sensitive in an attempt to expedite the theft.

Other times, and increasingly, attackers will break into email accounts, learn about projects being undertaken by a company’s supplier, and then send bogus invoices in for genuine work that has been completed – hoping that the targeted business will not query the change in bank account details.

Whichever method is used, I don’t think I’ve ever seen a case where the money which is being stolen isn’t transferred electronically.

Until now.

Researchers at Agari report on their investigation into a cybercriminal gang operating out of Nigeria, Kenya, and Ghana, known as Exaggerated Lion.

One of the elements that makes the activities of Exaggerated Lion different from other BEC attacks is that they don’t ask for money to be transferred electronically, but instead for a check to be sent through the post.

In many parts of the world checks are less frequently used than in years gone by, and this might be the reason why the Exaggerated Lion gang has focused its efforts on the United States, where payment by a physical check appears to still be not that unusual.

According to the researchers, over 2000 US businesses were targeted in the space of just four months by the Exaggerated Lion group.

And, perhaps surprisingly, the way in which the scammers persuade their victims to send a check through the post is not that sophisticated.

Unlike other scammers, who might use a compromised business email account, spoof the CEO’s email address, or create a lookalike domain intended to fool the recipient, the Exaggerated Lion gang send their emails from domain names they have registered which suggest they might come from “secure infrastructure”.

For instance, imagine you received an email which came from the following domain name:

office-secure-ssl-sl-mail71521-apps-server-portal-apps-mai [dot] management

That’s obviously a very long domain name! And no-one, I suspect, would mistake it as an email coming from your company.

But they might believe that it is somehow a “secure” email because of the cocktail of security-related keywords contained within it.

And if you’re anything like me you might never have seen a .management top-level domain before, and not realised they even exist!

According to Agari, the criminals have been very busy making .management email addresses for their attacks – typically using Google Suite accounts opened using fraudulent credit card details:

“Our research has uncovered more than 1,400 domains used by Exaggerated Lion since July 2017 that have been used to launch BEC campaigns. Domains registered by Exaggerated Lion actors comprise more than 10% of all .MANAGEMENT domains that have ever been created and nearly 75% of all .MANAGEMENT domains that have ever been registered with Google.”
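As an added illustration (not code from Agari’s report or from this post), the script below scores a sender domain on the traits described above: a cocktail of security-related keywords, the .management top-level domain, and unusual length. The keyword list, the weights, the flagging threshold and the partner allow-list are assumptions chosen for the example.

```python
import re
from email.utils import parseaddr

# Words the gang stuffed into domains to suggest "secure infrastructure" (assumed list)
SECURITY_TOKENS = {"secure", "ssl", "mail", "server", "portal", "apps", "office", "sl"}
# TLD the campaign leaned on heavily according to the Agari figures quoted above
SUSPECT_TLDS = {"management"}
# Constructed allow-list of domains you actually do business with
EXPECTED_DOMAINS = {"example-supplier.com"}


def domain_of(from_header):
    """Extract the bare, lower-cased domain from a From: header (display name tolerated)."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def score_sender_domain(domain):
    """Return (score, reasons); higher means more like an Exaggerated Lion-style domain."""
    if domain in EXPECTED_DOMAINS:
        return 0, ["known partner domain"]
    score, reasons = 0, []
    tld = domain.rsplit(".", 1)[-1] if "." in domain else ""
    # Alphabetic runs only, so "mail71521" still yields the token "mail"
    hits = {t for t in re.findall(r"[a-z]+", domain) if t in SECURITY_TOKENS}
    if len(hits) >= 3:                       # one or two such words are normal
        score += len(hits)
        reasons.append(f"security keyword stuffing: {sorted(hits)}")
    if tld in SUSPECT_TLDS:
        score += 3
        reasons.append(f"uncommon tld .{tld}")
    if len(domain) > 40:
        score += 2
        reasons.append(f"very long domain ({len(domain)} chars)")
    return score, reasons


def triage(from_header, threshold=5):
    """Classify one From: header as (flagged, score, reasons) for a mail-flow rule or SOC review."""
    score, reasons = score_sender_domain(domain_of(from_header))
    return score >= threshold, score, reasons


if __name__ == "__main__":
    # Constructed samples: the domain from the article, a partner, and a borderline benign sender
    for hdr in ("Accounts Payable <invoices@office-secure-ssl-sl-mail71521-apps-server-portal-apps-mai.management>",
                "Jane <jane@example-supplier.com>",
                "noreply@mail.secure-portal.co"):
        print(hdr, "->", triage(hdr))
```

The borderline sample stays below the threshold on purpose: a couple of "secure"/"mail"/"portal" tokens alone are common, and it is the combination with the rare TLD and absurd length that separates this campaign’s domains from ordinary ones.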

So the criminals are using social engineering to dupe unsuspecting workers into sending out sometimes substantial checks without proper authorisation.

The next twist in the tale is that the checks are sent to middle-aged women.

According to Agari, the Exaggerated Lion scammers have been building up a network of romance scam victims - telling their romantic partner that their large inheritance is tied up with legal red tape.

These women do not realise that they have been recruited as money mules for a cybercrime gang, and even when skeptical can be convinced to help.

So the company sends a check to the romance scam victim (the “mule”), who deposits it into their bank account. And because the checks are completely legitimate, no warnings are triggered at the bank.

The mule may then be told by the scammer who is romancing them to keep a little for themselves, or forward the money to another mule – often in the belief that they are passing money on to an inheritance attorney.

In due course the funds end up in the hands of the criminals, whether it be via Western Union or MoneyGram (although this is getting harder because of more rigorous vetting at branches) or a Bitcoin ATM. The explanation for the unorthodox money transfer is often that it is to avoid unnecessary bank fees.

As we have reported previously, the FBI says that business email compromise (BEC) attacks cost victims $1.7 billion in 2019.

Only some of that has been perpetrated by the Exaggerated Lion gang, but clearly a great deal of effort is put into scamming businesses out of money. 

You need to similarly place serious effort into helping your staff detect when they are being targeted by scammers.



Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
