Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Cosmic Lynx Goes After the Big Fish in Over 200 BEC Campaigns

July 9, 2020

Wired published a post on July 7 about the Russian group known as Cosmic Lynx, which has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari.

Cosmic Lynx targets senior executives at large organizations and corporations in 46 countries. It specializes in scams related to mergers and acquisitions, requesting hundreds of thousands or even millions of dollars as part of its scams.

The researchers don't really know how much money they collect – but they haven't lowered their demands in a year and have built many new campaigns, including compelling COVID-19 related scams. This certainly suggests that they have found a nice, profitable niche in the cybercrime world.

Rather than use free accounts, Cosmic Lynx will register strategic domain names for each BEC campaign to create more convincing email accounts. And the group knows how to shield these domains so they're harder to trace to the true owner. Cosmic Lynx also has a strong understanding of the email authentication protocol DMARC and does reconnaissance to assess its targets' specific system DMARC policies to circumvent them.
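To make the DMARC point concrete from the defender's side, here is an added example, not code from the Wired post, Agari, or this blog, that parses DMARC TXT records and rates how much protection each policy actually gives. A domain publishing no record, a `p=none` monitoring-only policy, a partial `pct=` rollout, or an `sp=none` subdomain gap is exactly the kind of weakness a spoofer's reconnaissance looks for, so auditing your own domains for those conditions is the first check. The domains and records below are constructed samples; a real audit would fetch the `_dmarc.<domain>` TXT record through DNS.

```python
"""Parse DMARC records and rate the protection they give (added example).

The sample records are constructed for illustration. In practice the
record comes from a DNS TXT lookup of _dmarc.<domain>.
"""
from typing import Dict, List, Optional

# Constructed sample records keyed by hypothetical domain names.
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-dmarc.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=20; sp=none",
    "strict.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@strict.example",
    "malformed.example": "v=DMARC1 p=quarantine",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag/value pairs.

    Returns an empty dict when the record does not start with v=DMARC1,
    which RFC 7489 requires; receivers treat such records as absent.
    """
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess_policy(record: Optional[str]) -> Dict[str, object]:
    """Classify a record as missing / invalid / monitor-only / partial / enforcing."""
    if record is None:
        return {"level": "missing", "findings": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return {"level": "invalid",
                "findings": ["record does not parse as DMARC1 with a required p= tag"]}

    findings: List[str] = []
    p = tags["p"].lower()
    sp = tags.get("sp", p).lower()          # subdomain policy defaults to p
    pct_raw = tags.get("pct", "100")        # percentage of failing mail policy applies to
    pct = int(pct_raw) if pct_raw.isdigit() else 100

    if p == "none":
        findings.append("p=none: failing mail is delivered normally; spoofed messages are not blocked")
        return {"level": "monitor-only", "findings": findings}
    if p == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam rather than rejected")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing messages")
    if sp == "none":
        findings.append("sp=none: subdomains are not protected")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")

    level = "enforcing" if p == "reject" and pct == 100 and sp != "none" else "partial"
    return {"level": level, "findings": findings}


def audit(records: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Map each domain to its policy level for a quick posture overview."""
    return {domain: str(assess_policy(rec)["level"]) for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        result = assess_policy(rec)
        print(f"{domain}: {result['level']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Only `strict.example` comes back as `enforcing` with no findings; everything else is reported with the specific tag that weakens it, which is the list a mail administrator would work through before attackers do the same survey.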

These folks are not the "lowlifes" of cybercrime. Their emails are clean and credible in appearance. The group will find a company that is about to complete an acquisition and contact one of its top executives posing as the CEO of the organization being bought. This phony CEO will then involve "external legal counsel" to facilitate the necessary payments. This is where Cosmic Lynx adds a second persona to give the process an air of legitimacy, often impersonating a real lawyer from a well-regarded law firm in the United Kingdom.

Cosmic Lynx generally corresponds in English regardless of the nationalities of the companies involved. How do we know they are Russian? First, Cosmic Lynx emails generally appear to be sent in Moscow Standard Time, though the researchers note that this time stamp can be manipulated. Second, the Agari researchers have uncovered some connections between the group's infrastructure and that used by the notorious Trickbot and Emotet trojans, which are both believed to have Russian ties. Also, the researchers have repeatedly seen Cosmic Lynx use IP addresses in its BEC campaigns that are also used by websites that sell fake Russian documents like birth certificates and death certificates. Finally, in analyzing the metadata of documents sent by Cosmic Lynx, Agari has found Russian cultural references. Agari saw no indication that Cosmic Lynx is a state-backed group.

Though business email compromise requires less technical investment than malware-based scamming, it still demands a specialized skill set. That may explain why scammers around the world haven't adopted it more widely. As BEC attackers make more and more money, though, it will become an increasingly appealing option.

"Not everyone has the necessary know-how or the necessary infrastructure to conduct a successful business email compromise attack," says Alex Guirakhoo, head of threat research at the security firm Digital Shadows. "The kinds of groups that are pulling these types of big heists are definitely not random low-level cybercriminals. These are organized groups that have a lot of support and a lot of experience. And clearly there's incentive for attackers to keep doing this. BEC works."

BEC works, but it does require a higher level of sophistication. So a group going after the big fish has to assemble a team with a lot of sophisticated skill sets. The BEC numbers for 2020 will likely be off the charts.

Hat tip to Dave Ries.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225 | Fairfax, VA 22030
Email: Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson