Feb 2020 – Week 3/4

Apologies for the combined weeks! The blog may not have been updated but there is a new part of the site that focuses on Romance Scams and the home page has a nice facelift!

Let’s jump into it.


  • Some of the biggest news in the last few weeks came from Barbara Corcoran of Shark Tank. After she lost $388,xxx in a business email compromise, the money was stopped and returned to her.

New Attacks and Methodologies

  • Cofense reported that attackers have been using a scheme to harvest passwords by advising that users “Update their Office 365” using a Google Docs Form.
  • Tax season is underway in the US and we all know what that means:
    • Per SCMagazine, if you receive a W2 attached to an email: “The attached W2 file could be a genuine form that the attacker is hoping you’ll fill out and return, because it would give them information that may be used for further frauds and scams. Alternatively, the W2 may be a malware payload that’s triggered when you try to open the attachment.”
    • SpamTitan reported that activity has been seen in the form of both malicious W2 and W9 documents.
    • Proofpoint cautions to not only look for malicious documents but also “legitimate tax-focused websites that are compromised to deliver malware”.
  • Samuel West wrote a LinkedIn article about how scammers and attackers are using fears about the Coronavirus to manipulate victims.


  • Crane Hassold of Agari discussed Exaggerated Lion, a BEC group that favors physical checks and compromising G-Suite. Particularly, their research into how this group interacts with “Tier 1” romance scam victims was interesting:
    “The group’s history of check fraud and romance scams has resulted in a vast network of check mules across the United States. Over the course of our research into Exaggerated Lion, we have uncovered the identities and locations of 28 check mules, including seven “Tier 1” mules who are long-standing romance scam victims that are trusted with large sums of money and who interact more extensively with the main Exaggerated Lion actors.”
    The full report can be downloaded from Agari.
  • Interpol’s “ASEAN Cyberthreat Assessment 2020” report details not only phishing and BEC but also ransomware, cryptojacking, and other threats (report downloadable at the bottom of the page).


  • Patrick Peterson, Founder and CEO of Agari, and Teresa Walsh, Head of Financial Services Information Sharing and Analysis Center Inc. (FS-ISAC), presented at RSA on “Disrupting BEC Attacks Utilizing Kill Chain”.
  • I found this a little late, but the Black Hat presentation by Keith Turpin of Universal Weather and Aviation, titled “Phishing for Funds: Understanding Business Email Compromise”, was posted on YouTube last month.
  • The Ping Podcast focused on spear-phishing and Office 365 in an interview with Matt Brennan of SonicWall. This was a good introductory conversation on BECs but had a little sales pitch in there.

Upcoming Webinars

  • I did not find any upcoming webinars in the immediate week but did discover that Agari has a historical record of their webinars on various threat groups posted online.
  • DarkReading has a related webinar on “Preventing Credential Theft & Account Takeovers” coming up on March 10.

Please feel free to drop a comment below with any upcoming webinars, additions to this, or questions!
