A Russian group dubbed Cosmic Lynx has initiated more than 200 Business Email Compromise (BEC) campaigns targeting hundreds of multinational companies, as uncovered by security firm Agari. Cosmic Lynx has been launching campaigns in over 40 countries, including the United States, Canada, and Australia, since 2019. The average amount requested from targets is US$1.27 million.
Tactics used by the group
Like many groups behind BEC scams, Cosmic Lynx targets senior-level executives in positions such as managing director (28% of targets), vice president (24%), general manager (23%), CEO (8%), chief financial officer (7%), president (7%), and others (4%).
To deceive these targets, the cybercriminal group uses a dual impersonation scheme: they first impersonate the company’s CEO, then a legitimate lawyer at a UK-based law firm.
First, the attackers, pretending to be the company’s CEO, send an email to a target employee about the need for an “external legal counsel.” The email states that the matter is time-sensitive, in an attempt to create a sense of urgency.
If the target employee replies, they are directed to continue the exchange with an email account posing as the lawyer. The employee is then asked to send money to accounts that are purportedly connected to the law firm but are actually mule accounts controlled by the group. The payment requests amount to millions of US dollars.
Most of the attacks use free email accounts and domains that mimic secure email and network infrastructure (for example, secure-mail-gateway[.]cc, encrypted-smtp-transport[.]cc, mx-secure-net[.]com). The group also registered some of their domains with bulletproof hosting and an anonymous domain provider.
Besides BEC, the group has also been linked to other malicious schemes such as propagating Emotet, Trickbot, and click-fraud malware. They are also said to be behind a carding marketplace and fake document websites.
BEC attempts detected by Trend Micro™ Cloud App Security rose from over 100,000 in 2018 to almost 400,000 in 2019, a 271% increase. As a threat that causes massive financial losses across industries and countries, the continued growth in the number of BEC campaigns should concern companies.
This spike is notable because many BEC campaigns do not need innovative tactics to succeed. Impersonating key company figures, manufacturing urgency, and using current events as a lure (such as the coronavirus pandemic) are only some of the tried-and-tested strategies cybercriminals use to hoodwink unsuspecting employees. As cybercriminals keep developing novel techniques such as deepfakes, new delivery channels, and varied attachment file formats, BEC continues to mutate into an even more serious threat.
To reduce the risk of financial loss from BEC schemes, companies are advised to educate their employees about the following best practices:
Verify fund transfer requests by confirming with the purported sender through a channel other than email. Establishing a secondary sign-off process is also advised.
Scrutinize emails to spot spoofed addresses. Some campaigns use addresses that closely resemble the real ones except for a slight difference in a few characters.
Keep up to date with the latest email scams to spot them more easily and quickly.
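The sender-side traits described above (an executive's display name on a free webmail account, a Reply-To that moves the conversation to a different domain, domains that mimic secure-mail infrastructure, lookalike spellings of the company's own domain, and urgency language) can be turned into a simple inbound-mail triage check. The script below is an added example, not code from Trend Micro or Agari; the company domain, executive list, and the three sample messages are constructed for the example, and the domain tokens are taken from the infrastructure-themed domains the article lists.

```python
"""Triage heuristics for CEO/lawyer-impersonation BEC mail (added example).

Assumptions (all hypothetical, chosen for the example):
  - COMPANY_DOMAIN is the organisation's real mail domain.
  - EXECUTIVES maps lower-cased display names to the roles an attacker
    would most likely impersonate.
  - The sample messages are constructed; no real correspondence is used.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                     # hypothetical
EXECUTIVES = {"jane doe": "ceo", "ramesh iyer": "managing director"}  # hypothetical
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "protonmail.com"}
# Tokens drawn from the infrastructure-themed domains named in the article
# (secure-mail-gateway[.]cc, encrypted-smtp-transport[.]cc, mx-secure-net[.]com).
INFRA_TOKENS = ("secure", "encrypted", "smtp", "mx-", "gateway")
URGENCY_PHRASES = ("time-sensitive", "urgent", "confidential", "external legal counsel")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the lower-cased domain part of an address header ('' if absent)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> list:
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, _ = parseaddr(msg.get("From", ""))
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    payload = msg.get_payload()
    body = payload.lower() if isinstance(payload, str) else ""

    findings = []
    # 1. An executive's name on an address outside the company domain.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append("exec-name-external-domain")
    # 2. Free webmail sender, as most of the group's attacks use.
    if from_dom in FREE_WEBMAIL:
        findings.append("free-webmail-sender")
    # 3. Reply-To redirects the thread to another domain (lawyer hand-off).
    if reply_dom != from_dom:
        findings.append("reply-to-mismatch")
    # 4. Sender domain is within two edits of the real company domain.
    if from_dom != COMPANY_DOMAIN and levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # 5. Either domain is dressed up as mail/network infrastructure.
    if any(t in d for d in (from_dom, reply_dom) if d != COMPANY_DOMAIN for t in INFRA_TOKENS):
        findings.append("infra-themed-domain")
    # 6. Urgency / secrecy language in the body.
    if any(p in body for p in URGENCY_PHRASES):
        findings.append("urgency-language")
    return findings


def risk_level(findings: list) -> str:
    """Map indicator count to an action: clean, route for review, or hold."""
    return "clean" if not findings else "review" if len(findings) == 1 else "hold"


# Constructed sample messages (not real mail).
MSG_CEO = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: finance@example-corp.com
Reply-To: Jane Doe <jdoe@secure-mail-gateway.cc>
Subject: Confidential matter

We need external legal counsel on a time-sensitive acquisition. Reply to me here only.
"""

MSG_LOOKALIKE = """From: Ramesh Iyer <r.iyer@examp1e-corp.com>
To: ap@example-corp.com
Subject: Wire instructions

Please process the attached invoice today.
"""

MSG_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 numbers

Thanks for the report.
"""

if __name__ == "__main__":
    for label, raw in (("ceo", MSG_CEO), ("lookalike", MSG_LOOKALIKE), ("legit", MSG_LEGIT)):
        f = analyze(raw)
        print(f"{label:10s} {risk_level(f):6s} {f}")
```

The indicators are deliberately independent so that a single false positive (an executive genuinely mailing from a personal account, say) lands in "review" rather than "hold"; the combination of an external executive name, a Reply-To hand-off, and an infrastructure-themed domain is what should stop a payment request for out-of-band verification.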