First-Ever Russian BEC Gang, Cosmic Lynx, Uncovered

cosmic Lynx

Researchers warn that Cosmic Lynx targets firms that don’t use DMARC and uses a “mergers and acquisitions” pretext that can lead to large sums of money being stolen.

Researchers say they have discovered the first-ever reported Russian business email compromise (BEC) cybercriminal ring, showing that sophisticated attackers beyond the usual Nigerian scammers are setting their sights on the email-based attack vector.

The BEC gang is called Cosmic Lynx, and has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. The threat group sets itself apart from other run-of-the-mill BEC scams in that it uses extremely well-written emails, targets victims without DMARC policies and leverages a fake “merger-and-acquisition” scenario that allows it to steal larger sums of money from victims.

“This is a historic shift to the global email threat landscape and portends new and sophisticated socially engineered phishing attacks that CISOs around the world must brace for now,” according to researchers with Agari, who published a Tuesday analysis on the new threat group.

While many BEC groups are relatively target-agnostic, Cosmic Lynx has a well-defined victim profile, researchers say. It hunts out large, multinational organizations with a significant global presence, including many Fortune 500 or Global 2,000 companies. The target employees of Cosmic Lynx schemes are typically senior-level executives, with 75 percent holding the titles of vice president, general manager or managing director, according to Agari.

The pretext in almost all attacks observed is that the victim’s company is preparing to close an acquisition deal with an Asian company. Cosmic Lynx purports to be the Asian company’s CEO and asks the target employee to work with “external legal counsel” to coordinate the payments necessary to close the acquisition. The target employee is asked to keep the details of the transaction confidential until it has been finalized, due to its sensitive nature – making it easier for the scam to move forward undetected.

Researchers said that Cosmic Lynx emails are articulate, setting the attack apart from other BEC attacks that commonly use poor grammar.

“Unlike most BEC emails that are riddled with misspelled words and grammatical errors, Cosmic Lynx emails are usually very detailed and written in nearly perfect English,” researchers said. “In some cases, Cosmic Lynx uses words that are likely not in most people’s vocabulary, like ‘accretive’ and ‘synergistic,’ and uses them in their proper context.”

cosmic lynx BEC gang

Credit: Agari

The targeted employees are then introduced to a “lawyer” to assist with the payments for the fake acquisition. In reality, Cosmic Lynx has hijacked the identities of real attorneys at high-profile U.K.-based law firms to add another layer of legitimacy to their attack.

They first register a domain closely resembling the law firm’s actual domain, and create a detailed email signature featuring a picture of the impersonated lawyer, a link to the legitimate law firm’s website and even a confidentiality disclaimer.

Finally, the target employee is asked to send one or more payments to mule accounts controlled by the group, as part of the “acquisition.” It then moves the stolen funds through money mule accounts in Hong Kong. Other accounts are also located in Hungary, Portugal and Romania, researchers said. The group has actively avoided using money mule accounts in the U.S., they said.

cosmic lynx BEC gang

Credit: Agari

Cosmic Lynx attacks are unique in the amount of money they request. While the average amount requested in most executive impersonation BEC attacks is $55,000, researchers said Cosmic Lynx emails have asked for hundreds of thousands, and sometimes even millions, of dollars.

Cosmic Lynx also sniffs out organizations that do not have an established DMARC policy. DMARC was created to prevent malicious actors from directly spoofing an organization’s domain when sending an email. If the target does not have a DMARC policy, the threat group will directly spoof the CEO’s email address and set the Reply-To email to their operational email account they use to actually correspond with a victim.

“This enhances the authenticity of their emails by directly spoofing the email addresses of CEOs when possible,” said researchers. “Based on our analysis of historical Cosmic Lynx attacks, it is clear that the group is aware of which target organizations have implemented an effective DMARC policy, and which organizations have not.”

Based on analysis of the threat group’s attacks and infrastructure, researchers believe that Russia-based actors are behind Cosmic Lynx. For instance, the time/date stamp in the email headers are set to +0300 (MSK), which corresponds to Moscow Standard Time. Another clue is that some of the infrastructure used by Cosmic Lynx to send BEC emails overlaps with infrastructure used by Trickbot and Emotet malware, which they said is believed to be tied to Russian actors.

Phishing scams continue to hit companies hard in terms of losses. In February, the FBI in its IC3 annual cybercrime report said that business email compromise (BEC) attacks cost victims $1.7 billion in 2019. In 2019, these types of attacks scammed media conglomerate Nikkei ($29 million), a Texas school district ($2.3 million) and even a community housing nonprofit ($1.2 million). Other victims of scams include the City of Ocala in Florida, which was swindled out of $742,000, and a church in Brunswick, Ohio that was scammed out of $1.75 million in August. However, Cosmic Lynx represents new breed of more sophisticated, harder-to-detect BEC attacks, researchers warn.

“Unlike traditional BEC groups, Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that sets them apart from other more generic BEC attacks we see everyday,” they said.

BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to register for this Threatpost webinar, sponsored by Valimail.

Suggested articles