Cosmic Lynx is a new Business Email Compromise (BEC) group. Unlike most BEC scams that originate in Nigeria, this one comes from Russia. To date, it has launched over 200 BEC campaigns, targeting individuals in 46 countries. It targets senior-level executives at Fortune 500 and Global 2000 companies.
BEC scams are a multi-billion pound industry. Email security company Agari puts the money lost to BEC attacks at more than US$26 billion. In a 28-page dossier (registration required), researchers from the Agari Cyber Intelligence Division (ACID) provide details of how Cosmic Lynx works and how they linked it to Russian cybercriminals.
“Cosmic Lynx represents the future of organized crime rings that are shifting focus to socially engineered email fraud,” said Armen L Najarian, CMO and Chief Identity Officer, Agari.
“The more favorable economics of socially engineered schemes targeting enterprise victims have driven groups like Cosmic Lynx to defocus on the more costly and less lucrative ransomware fraud.”
How does Cosmic Lynx work?
Cosmic Lynx exploits the need for confidentiality during the acquisition of a company. The targeted employee receives a faked email from their CEO. It focuses on the purchase of a new business and tells the employee they will be working with external legal counsel.
As part of the process, the target is told they will need to sign an NDA. The email also emphasises that this is a time-sensitive matter. That statement is designed to pressure the target into acting without referring questions to other people inside their company.
The target is then contacted by the “lawyer”, who provides a little more information about the acquisition. The lawyer ramps up the pressure for secrecy, telling the target they are the only person allowed to handle the details, and adds that disclosure to anyone will cause the acquisition to be cancelled.
Unlike the majority of BEC emails, Agari says that the Cosmic Lynx emails are well written, proofread and contain no language errors. This speaks to the professionalism of the cybercriminals and creates an air of authenticity around the emails. If the employee still has suspicions and decides to investigate the lawyer, they are directed to a professional-looking website.
To seal the deal, the target is asked to authorise the transfer of funds. The ACID team say that the average amount is $55,000, although it has seen requests for millions of dollars. The funds are sent to money mules in Hong Kong. When the ACID researchers who engaged with Cosmic Lynx said this was not possible, they were provided with accounts in Hungary, Portugal and Romania.
Exploiting poorly configured DMARC controls
One easy way to spot most phishing, malware and BEC attacks is the email addresses that are used. They tend to be free webmail accounts or from domains that have only just been created. Those domains are often quickly blacklisted and change regularly.
ACID researchers say that Cosmic Lynx is very different. They are not just relying on the professionalism of the emails and the creation of realistic websites. To make their emails look as if they have come from the CEO, they are exploiting the DMARC standard.
The DMARC (Domain-based Message Authentication, Reporting and Conformance) standard is a way for organisations to authenticate email sent in their name. An organisation publishes its own policy stating what receiving mail servers should do with messages that fail authentication. Policies rely on multiple existing standards to verify where the email came from and whether it carries a valid signature. If an email fails those checks, the receiving server either rejects it, often so that it never reaches the user at all, or flags it as suspicious, depending on the policy the organisation has published.
The analysis of Cosmic Lynx attacks by the ACID researchers shows it targeted organisations with no effective DMARC implementation.
According to Tim Sadler, CEO of Tessian: “This tactic highlights why companies cannot rely on the email authentication protocol as a silver bullet to prevent email impersonation scams. The problem is that, as DMARC records are publicly available, it’s easy for hackers to identify companies that do not have the protocols in place, allowing them to directly impersonate a company’s domain and pose as the CEO to convince targets they are opening a legitimate email.
“But even if your company does have a DMARC policy in place, be aware that attackers can also assess how strictly you’ve configured it. If your company has a strict email policy in place, the attacker can still carry out an advanced spear phishing attack by registering a look-alike domain, banking on the fact that a busy employee may miss the slight deviation from the original domain.”
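The point made in the DMARC section and in Sadler’s comments is that a DMARC record is public, so anyone, defender or attacker, can read how strictly a domain is protected. The script below is an added example, not code from Agari, Tessian or Enterprise Times. It parses the TXT record published at `_dmarc.<domain>` and reports whether the policy would actually stop spoofed mail: a missing record, `p=none`, a `pct` below 100 or `sp=none` each leave a gap. The record strings at the bottom are constructed samples; in practice they come from a DNS lookup such as `dig +short TXT _dmarc.example.com`.

```python
"""Assess whether a published DMARC record is actually effective.

Added example, not from the Agari report or Enterprise Times. The record
strings in SAMPLE_RECORDS are constructed; in practice they come from a
TXT lookup of _dmarc.<domain>, e.g. `dig +short TXT _dmarc.example.com`.
"""
from dataclasses import dataclass, field

ENFORCING = ("quarantine", "reject")


@dataclass
class DmarcAssessment:
    present: bool
    policy: str            # "none", "quarantine", "reject", "missing" or "invalid"
    pct: int               # share of failing mail the policy applies to
    subdomain_policy: str  # sp= tag, defaulting to the p= value
    effective: bool        # True only if spoofed mail would actually be blocked
    findings: list = field(default_factory=list)


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt_records):
    """Classify the TXT strings found at _dmarc.<domain> (RFC 7489 semantics)."""
    records = [r for r in txt_records if r.strip().lower().startswith("v=dmarc1")]
    if not records:
        return DmarcAssessment(False, "missing", 0, "missing", False,
                               ["no DMARC record: the domain can be spoofed outright"])
    if len(records) > 1:
        return DmarcAssessment(True, "invalid", 0, "invalid", False,
                               ["multiple DMARC records: receivers discard all of them"])
    tags = parse_tags(records[0])
    findings = []
    policy = tags.get("p", "").lower()
    if not policy and "rua" in tags:
        policy = "none"  # RFC 7489: missing p= with rua= present is treated as p=none
    if policy not in ("none",) + ENFORCING:
        return DmarcAssessment(True, "invalid", 0, "invalid", False,
                               ["missing or unknown p= value: receivers ignore the record"])
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    sub_policy = tags.get("sp", policy).lower()
    if policy == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if policy in ENFORCING and sub_policy == "none":
        findings.append("sp=none: subdomains can be spoofed although the organisational domain is protected")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    effective = policy in ENFORCING and pct == 100 and sub_policy != "none"
    return DmarcAssessment(True, policy, pct, sub_policy, effective, findings)


# Constructed sample records for the situations the article contrasts.
SAMPLE_RECORDS = {
    "no record": [],
    "monitor only": ["v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"],
    "partial": ["v=DMARC1; p=quarantine; pct=20; sp=none"],
    "enforcing": ["v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"],
}

if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        result = assess_dmarc(records)
        print(f"{name:13} policy={result.policy:10} effective={result.effective} {result.findings}")
```

Running the script over the four constructed records shows that only the last one is effective; the “monitor only” record, which many organisations publish and never tighten, is exactly the state the article describes as an ineffective DMARC implementation. The same check run against your own domains is a cheap way to find the gap before someone else does.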
What is the evidence for Cosmic Lynx being Russia-based?
Attribution of attacks is always a grey area. Many organisations rush in, claim state-sponsored attack groups and get embarrassed when the truth comes out. Look at the attribution of the attack on the German Government in late 2018. Researchers rushed out press comments saying it was complex, nation-state sponsored and about political interference. It turned out to be the work of a 20-year-old German student who was hacked off with the state.
To avoid that risk, the ACID researchers have detailed their analysis of the infrastructure and attacks from Cosmic Lynx. They cite the timestamps in email headers, which use the offset for Moscow Standard Time (MSK). They accept that this can be faked but say the consistency of its use suggests it is not.
ACID also found that the Emotet and Trickbot malware share some of the same infrastructure as that used to send the BEC emails. Both have been linked back to Russian actors by many cybersecurity researchers. Other parts of the infrastructure use the same IP addresses as Russian fake document websites.
While all of this is far from an absolute, the evidence certainly seems to support the theory that Cosmic Lynx is a Russia-based organisation.
How to spot a Cosmic Lynx attack
The ACID research report provides a list of IP addresses and domain names that it has seen Cosmic Lynx use. A common theme is to start the domain name with the word ‘secure’. Another is to use ‘encrypted’. Almost all of the domains are registered under .cc, the Internet country code top-level domain for the Cocos Islands.
There is also a list of email subject lines that are used. This seems to change every two to three months. The most recent email subjects contain entries with Project Gemini, Project Pegasus or Project Viking.
This information can be used by email administrators to create rules to block those emails, something Enterprise Times strongly recommends.
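The indicators above (domain labels starting with ‘secure’ or ‘encrypted’, the .cc top-level domain, and subject lines mentioning Project Gemini, Pegasus or Viking) translate directly into a mail-filtering rule. The script below is an added example, not code from Agari or Enterprise Times; it runs those checks over the From and Reply-To headers and the Subject of a raw message and returns the indicators that matched. The sample messages and every domain name in them are constructed placeholders, not addresses or domains from the report, and the Reply-To check is an assumption added here rather than something the article states.

```python
"""Flag inbound mail matching the Cosmic Lynx indicators the article describes.

Added example, not code from Agari or Enterprise Times. The patterns follow the
article (domain labels starting with 'secure' or 'encrypted', the .cc TLD, and
'Project Gemini/Pegasus/Viking' subjects); the sample messages and the domain
names in them are constructed placeholders, not indicators from the report.
"""
import email
import re
from email.utils import parseaddr

KEYWORD_PREFIXES = ("secure", "encrypted")
SUSPICIOUS_TLDS = {"cc"}
# Subject lines rotate every few months per the article, so keep this list maintained.
SUBJECT_PATTERN = re.compile(r"\bProject\s+(Gemini|Pegasus|Viking)\b", re.IGNORECASE)


def address_domain(header_value):
    """Return the lower-cased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def domain_indicators(domain, header_name):
    """Apply the domain-name indicators to one domain and describe each match."""
    labels = domain.split(".")
    hits = []
    if len(labels) < 2:
        return hits
    if labels[-1] in SUSPICIOUS_TLDS:
        hits.append(f"{header_name} domain uses the .{labels[-1]} TLD")
    if labels[-2].startswith(KEYWORD_PREFIXES):
        hits.append(f"{header_name} domain label '{labels[-2]}' starts with a secrecy keyword")
    return hits


def flag_message(raw_message):
    """Return the list of indicators matched by one RFC 5322 message; empty means no match."""
    msg = email.message_from_string(raw_message)
    hits = []
    # Reply-To is checked as well as From (assumption: a reply is what the attacker
    # needs to land, so the reply address is where the attacker-controlled domain shows up).
    for header in ("From", "Reply-To"):
        domain = address_domain(msg.get(header))
        if domain:
            hits.extend(domain_indicators(domain, header))
    match = SUBJECT_PATTERN.search(msg.get("Subject", ""))
    if match:
        hits.append(f"subject references '{match.group(0)}'")
    return hits


# Constructed sample messages with placeholder addresses, not real indicators.
SAMPLE_MESSAGES = {
    "lawyer": (
        "From: External Counsel <counsel@secure-counsel-placeholder.cc>\n"
        "Subject: Project Gemini - NDA for signature\n\n"
        "Please sign the attached NDA today.\n"
    ),
    "ceo_spoof": (
        "From: CEO <ceo@example.com>\n"
        "Reply-To: ceo@encrypted-mail-placeholder.cc\n"
        "Subject: Confidential acquisition\n\n"
        "You will hear from our external counsel shortly.\n"
    ),
    "benign": "From: Alice <alice@example.com>\nSubject: Lunch on Friday?\n\nSee you then.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, flag_message(raw))
```

The ‘lawyer’ sample trips all three indicators and the spoofed-CEO sample trips two through its Reply-To header, while the benign message returns an empty list. Because the subject lines change every two to three months, the subject pattern is the part of the rule that needs refreshing from the report; the domain-naming and TLD checks have been the more stable indicators.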
Enterprise Times: What does this mean?
Phishing, spam, BEC and other attacks that use email have been around a long time and will continue to be around. The vast majority are easy to spot because they are poorly written or completely unbelievable. However, like all criminals and conmen, BEC groups are evolving to be more believable and professional. Cosmic Lynx has undoubtedly raised the bar in that respect. It has also exploited ineffective DMARC controls.
As Sadler says: “This is a very sophisticated and well-researched operation, run by experienced hackers who have done their homework. The hackers looked into companies that were completing an acquisition, identified a senior executive target, and impersonated the CEO of the company being acquired in order to deceive their target into wiring money to a fraudulent account.
“To add another layer of perceived legitimacy, the hackers also impersonated an external lawyer at a well-regarded law firm, making it very difficult for the target to think that they are being scammed. Lastly, they have made sure their grammar and spelling is faultless.”
Organisations often blame BEC attacks on staff not following the right processes. As Cosmic Lynx shows, IT is just as likely to be the failure point as users.