Cyber Analysis Group - CyberAGroup - OSINT Darkweb Investigations - Insider Threat - Crypto - Online threat & exposure - SOCMINT - Canadian

We decided to treat ourselves like a client and spend a few cycles addressing the deluge of Business Email Compromise (BEC) scam emails CyberAGroup has been receiving. This is a repeating cluster attack from the same threat actor using rotating domains. The actor was sending through Google's free business Workspace email service from AWS-hosted clients, evading spam filters by abusing legitimate infrastructure. This methodology gives scammers the "authority" and reputation of Google's mail servers without requiring a paid subscription.

Our outreach to Google and Amazon successfully dismantled their shared root infrastructure, eliminating a large-scale phishing farm. For good measure, since the threat actor was using the same budget domain registrar for all their rotating domains, we also submitted a takedown request to the registrar with supporting technical information.
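The pattern described above, one actor behind many rotating domains, only becomes visible when the mail is grouped by the infrastructure the domains share rather than by the domains themselves. The following Python is an added example, not CyberAGroup's tooling: it parses a handful of constructed message headers, derives an infrastructure fingerprint from the first-hop relay, the submitting client host and the registrar, and clusters sender domains by that fingerprint so a takedown request can list every domain riding on the same root infrastructure. The provider suffix map and the registrar table are assumptions (the table stands in for a WHOIS/RDAP lookup), and all hostnames, addresses and domains are constructed samples using reserved ranges and the `.example` TLD.

```python
"""Cluster BEC samples by shared infrastructure across rotating sender domains.

Added example with constructed headers; not real mail and not the firm's code.
"""
import re
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

# Constructed samples. Received headers are listed newest-first, as a real
# message would carry them: our MX on top, the first hop (actor's client
# submitting to the relay) at the bottom. Three look-alike domains share a
# Google relay, an AWS EC2 client and one registrar; the fourth is unrelated.
SAMPLE_MESSAGES = [
    "Received: from mail-relay-01.google.com (mail-relay-01.google.com [198.51.100.5]) by mx.cyberagroup.example with ESMTPS id r1\n"
    "Received: from ec2-192-0-2-10.compute-1.amazonaws.com (ec2-192-0-2-10.compute-1.amazonaws.com [192.0.2.10]) by mail-relay-01.google.com with ESMTPSA id c1\n"
    'From: "Accounts" <billing@cyberagroup-invoice.example>\n'
    "To: finance@cyberagroup.example\nSubject: Overdue invoice\n\nPlease see attached.\n",
    "Received: from mail-relay-02.google.com (mail-relay-02.google.com [198.51.100.6]) by mx.cyberagroup.example with ESMTPS id r2\n"
    "Received: from ec2-192-0-2-11.compute-1.amazonaws.com (ec2-192-0-2-11.compute-1.amazonaws.com [192.0.2.11]) by mail-relay-02.google.com with ESMTPSA id c2\n"
    'From: "Payments" <pay@cyberagr0up-pay.example>\n'
    "To: finance@cyberagroup.example\nSubject: Wire update\n\nNew banking details.\n",
    "Received: from mail-relay-01.google.com (mail-relay-01.google.com [198.51.100.5]) by mx.cyberagroup.example with ESMTPS id r3\n"
    "Received: from ec2-192-0-2-12.compute-1.amazonaws.com (ec2-192-0-2-12.compute-1.amazonaws.com [192.0.2.12]) by mail-relay-01.google.com with ESMTPSA id c3\n"
    'From: "Billing" <ar@cyber-a-group-billing.example>\n'
    "To: finance@cyberagroup.example\nSubject: Reminder\n\nSecond notice.\n",
    "Received: from mail-relay-07.outlook.com (mail-relay-07.outlook.com [198.51.100.77]) by mx.cyberagroup.example with ESMTPS id r4\n"
    "Received: from client-pc.office.example (client-pc.office.example [203.0.113.9]) by mail-relay-07.outlook.com with ESMTPSA id c4\n"
    'From: "Vendor News" <news@vendor-newsletter.example>\n'
    "To: finance@cyberagroup.example\nSubject: Newsletter\n\nThis month.\n",
]

# Assumption: hostname suffix -> provider label. Extend for your own mail flow.
PROVIDER_SUFFIXES = {
    "google.com": "google-mail",
    "amazonaws.com": "aws-ec2",
    "outlook.com": "microsoft-365",
}

# Constructed stand-in for a WHOIS/RDAP registrar lookup of each sender domain.
REGISTRAR_BY_DOMAIN = {
    "cyberagroup-invoice.example": "REG-A (constructed)",
    "cyberagr0up-pay.example": "REG-A (constructed)",
    "cyber-a-group-billing.example": "REG-A (constructed)",
    "vendor-newsletter.example": "REG-B (constructed)",
}

RECEIVED_FROM_RE = re.compile(r"from\s+(\S+)\s+\(", re.I)
RECEIVED_BY_RE = re.compile(r"\bby\s+([\w.-]+)", re.I)


def provider_for(hostname):
    """Map a hostname to a provider label by suffix, or 'unknown'."""
    host = hostname.lower().rstrip(".")
    for suffix, label in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return "unknown"


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def infrastructure_fingerprint(raw):
    """Return (sender_domain, (relay, client, registrar)) for one raw message."""
    msg = message_from_string(raw)
    received = msg.get_all("Received", [])
    first_hop = received[-1] if received else ""  # earliest hop is last
    m_from, m_by = RECEIVED_FROM_RE.search(first_hop), RECEIVED_BY_RE.search(first_hop)
    client = provider_for(m_from.group(1)) if m_from else "unknown"
    relay = provider_for(m_by.group(1)) if m_by else "unknown"
    domain = sender_domain(msg)
    return domain, (relay, client, REGISTRAR_BY_DOMAIN.get(domain, "unknown"))


def cluster_by_infrastructure(raw_messages):
    """Group sender domains by their shared infrastructure fingerprint."""
    clusters = defaultdict(set)
    for raw in raw_messages:
        domain, fingerprint = infrastructure_fingerprint(raw)
        clusters[fingerprint].add(domain)
    return {fp: sorted(domains) for fp, domains in clusters.items()}


def takedown_summary(clusters, min_domains=2):
    """One report line per cluster large enough to indicate a rotating-domain actor."""
    lines = []
    for (relay, client, registrar), domains in sorted(clusters.items()):
        if len(domains) >= min_domains:
            lines.append(f"relay={relay} client={client} registrar={registrar}: "
                         + ", ".join(domains))
    return lines


if __name__ == "__main__":
    for line in takedown_summary(cluster_by_infrastructure(SAMPLE_MESSAGES)):
        print(line)
```

Each summary line names the relay provider, the client hosting provider and the registrar alongside every domain seen on that combination, which is the set of parties a takedown request for the whole cluster has to go to; the single-domain newsletter cluster is filtered out by `min_domains`.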

Even with the cheap domain registrars scammers prefer, a properly documented takedown request, with a stated intent to escalate to ICANN, usually generates prompt action. In many cases we have received quicker and better responses from these registrars than from mainstream infrastructure and social media providers.

While most organizations simply ignore or filter these emails, proactive reporting can significantly disrupt the reach of these campaigns. By holding infrastructure providers accountable for the abuse on their platforms, we can achieve measurable results in dismantling threat actor operations. While we may never fully eliminate BEC scams, collective reporting creates a hostile environment for scammers and serves as a highly effective control against large-scale digital "plagues."