Hundreds of MNCs become the target of new Russian BEC group

Hey, y’all. What’s up?

Today, we’re going to look into a Russian threat actor that specializes in business email compromise (BEC). Researchers say the Cosmic Lynx group has been keeping itself busy by aiming at hundreds of huge multinational corporations over 40 countries. Apparently, this recently discovered Russia-based BEC gang has been operating since 2019. 

Before we get into details, let’s understand some basics. 

What is BEC?

Business Email Compromise (BEC), or previously known as Man-in-the-Email scams, is a type of scam that aims at corporations that conduct wire transfers and have suppliers abroad. BEC incorporates spoofing/compromising corporate or publicly available email accounts of executives or high-level employees who are related to finance or are involved with wire transfer payments. This is done via keyloggers or phishing attacks to do fraudulent transfers that ends up in the company losing a huge sum of money. 

Attackers behind BEC scams depend heavily upon social engineering tactics to deceive oblivious victims. They usually pose as CEOs or any executive who’s authorized to do wire transfers. To make sure they pose as the right person, attackers perform intricate research and keep a close watch on potential targets and their organizations. 

‘Request’, ‘payment’, ‘transfer’, ‘urgent’ are among the top words used in BEC email subjects.

According to the FBI, there are 5 types of BEC scams: 

  • Bogus Invoice Scheme
    • Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
  • CEO Fraud
    • Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.
  • Account Compromise
    • An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
  • Attorney Impersonation
    • Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters.  Normally, such bogus requests are done through email or phone, and during the end of the business day.
  • Data Theft
    • Employees under HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used for future attacks.

Cosmic Lynx

Named by security firm Agari, Cosmic Lynx includes a blend of social engineering tactics and solid, well-written emails that are specifically aimed at high-level executives. Researchers in Agari suspect that the gang has performed at least 200 of these types of schemes - some of which are still ongoing in June 2020. 

About ¾ of Cosmic Lynx’s BEC attacks are aimed at victims with positions such as vice president (VP), general manager (GM), or managing director (MD). Apparently, this group frequently sends emails that spoof the CEO's profile. In several instances, the targeted organizations are those that do not have security protections and authentication checks, like  Domain-based Message Authentication, Reporting and Conformance (DMARC).

Modus Operandi

The Cosmic Lynx fraudsters have presented themselves in 2 ways. 

  • An Asian-based company that’s working with the targeted organization to process payments for a potential acquisition. 
  • Assuming identities of legitimate U.K.- based law firms, saying they’re ‘external legal counsel’ working on fictitious deals. 


Figure 1: BEC email by the Cosmic Lynx gang


Figure 2: Fake attorney signature profile

Agari says Cosmic Lynx’s end goal is to persuade targeted victims to perform fund transfers to bank accounts controlled by the cyber criminals, that are located in Hong Kong or Eastern Europe. This is what Agari’s report says: 

"The final stage of a Cosmic Lynx BEC attack is getting the target to send one or more payments to mule accounts controlled by the group. While the average amount requested in most executive impersonation BEC attacks is $55,000, the average Cosmic Lynx attack request is $1.27 million."

Although Agari has not revealed any details of the targeted companies due to an active investigation, researchers estimate that the total losses due to these BEC schemes may exceed $400 million.

Well-thought Strategy

Taking advantage of commercial services, the BEC gang conducts thorough research to come up with a list of individuals. These individuals will then receive their fake emails where they pose as other executives and begin information manipulation. Cosmic Lynx has put in effort to bypass email protection tools, such as DMARC. 

Crane Hassold, Senior Director of Threat Research at Agari says: 

“For organizations that have implemented an established DMARC policy set to reject (p=reject) or quarantine (p=quarantine), Cosmic Lynx modifies the display name impersonating a CEO to include their email address, which still gives it the look that the email is coming from the CEO's account.”

Besides this, Cosmic Lynx also sends email from domains that come off as authentic law firms based in the U.K.. These domains are also hosted on untouchable or anonymous domain providers. The purpose of these domains is to aid in making the ongoing ‘acquisition deal’ with potential victims as legitimate as possible. 

Russian Affairs 

According to Agari, Cosmic Lynx is one of the first organized Russia-based groups to explore BEC fraud. Researchers have discovered a few factors in Cosmic Lynx’s infrastructure that ties its operators to Russian actors. These factors include the gang’s infrastructure overlapping with Trickbot and Emotet malware, which is believed to be used by Russian groups.

Agari’s report says:

"In addition to these potential connections, we have also observed multiple instances where IP addresses linked to Cosmic Lynx's BEC domain have overlapped with infrastructure used to host Russian fake document websites. These sites, which seem to be catering to individuals in Russia and Ukraine, sell a variety of false Russian-language documents such as diplomas, birth certificates and death certificates."

Agari’s Chief Identity Officer, Armen Najarian, notes: 

"Cosmic Lynx represents the future of organized crime rings that are shifting focus to socially engineered email fraud. The more favorable economics of socially engineered schemes targeting enterprise victims have driven groups like Cosmic Lynx to defocus on the more costly and less lucrative ransomware fraud."

That’s it for the blog today, y’all! Feel free to drop comments and share this blog if you found it interesting.

Stay safe and stay tuned. 

Until next time, friends!

Credits: BankInfoSecurity & TrendMicro

Add comment