Agari, a provider of phishing defense solutions for the enterprise, revealed details of the threat actor group dubbed Cosmic Lynx, the first-ever reported Russian cybercriminal ring to conduct business email compromise (BEC) phishing scams.
This is a historic shift in the global email threat landscape and portends new and sophisticated socially engineered phishing attacks that CISOs around the world must brace for now. Cosmic Lynx was uncovered by the Agari Cyber Intelligence Division (ACID).
“Cosmic Lynx represents the future of organized crime rings that are shifting focus to socially engineered email fraud,” said Armen L. Najarian, CMO and Chief Identity Officer, Agari. “The more favorable economics of socially engineered schemes targeting enterprise victims have driven groups like Cosmic Lynx to defocus on the more costly and less lucrative ransomware fraud.”
Email fraud originated in West Africa in the form of 419 fraud schemes more than 30 years ago, and today 90% of BEC scams still emanate from the region. Meanwhile, Russian and Eastern European gangs have historically innovated and perfected technology-based malware heists.
Over the years, however, traditional email-based identity deception schemes have produced greater financial returns relative to highly technical malware attacks. Based on the 2019 FBI IC3 annual report, BEC attacks accounted for $1.7 billion in fraud losses, which made up 40% of all cybercrime losses last year. Comparatively, the report documents only $8.9 million in losses attributed to ransomware attacks.
Innovation for profit
Cosmic Lynx puts a new spin on BEC phishing attacks by fabricating fake merger-and-acquisition scenarios that require a two-fold impersonation scheme involving the target organization’s CEO and external legal counsel. The group asks target employees to work with “external legal counsel” to coordinate the payments needed to close the purported acquisition. The targets of Cosmic Lynx schemes are typically senior-level executives, with 75% holding the titles of vice president, general manager, or managing director.
Cosmic Lynx then impersonates a legitimate attorney, typically at a UK-based law firm, whose job it is to facilitate the transaction. It then moves the stolen funds through money mule accounts in Hong Kong, with secondary accounts located in Hungary, Portugal, and Romania. The group has actively avoided using money mule accounts in the US.
These schemes can translate into high-dollar impersonation scams as reflected in a $2.7 million request in a recent Cosmic Lynx scheme. By comparison, the average amount requested in traditional executive impersonation BEC attacks is $55,000.
Remarkably, only 15% of the Fortune 500 have a DMARC record set to an enforcement policy that would stop malicious actors in their tracks — meaning 85% of companies have left their front doors wide open to fraudsters. Cosmic Lynx takes advantage of these lax DMARC controls to spoof the email addresses of impersonated CEOs, making its attacks appear much more authentic, in contrast to the vast majority of BEC attacks, which use free webmail accounts or registered look-alike domains to send malicious emails.
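As an added illustration of the DMARC point above (example code, not from Agari or the original article), the following Python classifies a DMARC TXT record by whether it actually enforces against exact-domain spoofing; a record that is present but set to p=none, applied to only a fraction of mail (pct), or relaxed for subdomains (sp) is the kind of "front door left open" the article describes. The domain names and records are constructed samples.

```python
# Constructed sample DMARC TXT records keyed by domain (not real domains).
SAMPLE_RECORDS = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example": "v=DMARC1; p=reject; rua=mailto:dmarc@enforced.example",
    "quarantine.example": "v=DMARC1;p=quarantine",
    "missing.example": "",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs.

    Returns an empty dict when the text is not a DMARC1 record at all.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def enforcement_status(record: str) -> str:
    """Classify protection against exact-domain spoofing.

    One of: 'missing', 'monitor', 'partial', 'subdomain-gap', 'enforced'.
    Defaults (pct=100, sp inherits p) follow RFC 7489.
    """
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "missing"           # no usable policy: spoofed mail is delivered
    policy = tags["p"].lower()
    if policy not in ("quarantine", "reject"):
        return "monitor"           # p=none: reports only, nothing is blocked
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100                  # assumption: unparsable pct treated as default
    if pct < 100:
        return "partial"           # policy applied to only a share of failing mail
    if tags.get("sp", policy).lower() not in ("quarantine", "reject"):
        return "subdomain-gap"     # exact domain protected, subdomains still spoofable
    return "enforced"


def audit(records: dict) -> dict:
    """Map each domain to its enforcement status for a quick fleet review."""
    return {domain: enforcement_status(rec) for domain, rec in records.items()}
```

Run `audit(SAMPLE_RECORDS)` to see only two of the six constructed domains reach "enforced"; in practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`.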
Like many other organized fraud rings, Cosmic Lynx has capitalized on the COVID-19 pandemic. To break the ice with targets, its emails strike an empathetic tone about the global crisis and have adjusted as the crisis has evolved. For example, Cosmic Lynx began using COVID-19 themes as early as March 2020, wishing targets good health, and then transitioned to discussing the lifting of restrictions and business reopening.
Since July 2019, the Agari Cyber Intelligence Division has observed more than 200 BEC campaigns associated with Cosmic Lynx targeting professionals in 46 countries across six continents. Unlike most BEC groups, which are relatively target-agnostic, Cosmic Lynx has a well-defined victim profile of large, multinational organizations. Nearly all Cosmic Lynx target organizations have a significant global presence, and many are Fortune 500 or Global 2000 companies.