Security researchers have uncovered a Russian cybercrime gang that creates fake merger and acquisition (M&A) scenarios over email to trick senior employees into transferring vast sums of cash.
The criminal gang, dubbed ‘Cosmic Lynx’, is believed to be the first reported case of a business email compromise (BEC) criminal ring operating out of Russia.
Cosmic Lynx has targeted executives spanning 46 countries and six continents, according to Agari, the US cybersecurity firm that discovered the gang. The targets tended to be large, multinational organisations with a global presence – including Fortune 500 or Global 2000 companies.
BEC attacks use phishing and social engineering techniques to harm an organisation, usually to trick employees into transferring money to criminals.
Cosmic Lynx’s elaborate attack method sees scammers impersonate the target company’s CEO and an external legal counsel over email.
This impersonation is possible when companies do not have a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy in place to verify that an email genuinely comes from the domain it claims to.
Just 15% of Fortune 500 companies have a DMARC policy set at the appropriate level to prevent email spoofing, according to Agari figures.
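To show what "set at the appropriate level" means in practice, here is an added example (not from the article or from Agari) that parses a domain's DMARC TXT record and classifies whether it actually enforces against spoofing; the domain names and records are constructed.

```python
# Constructed sample DMARC TXT records (not from the article) showing the
# policy levels an organisation might publish at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "monitor-only.example":  "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example":       "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@partial.example",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example":      "v=DMARC1; p=quarantine; adkim=s; aspf=s",
    "missing.example":       "",
}

def parse_dmarc(record):
    """Parse a DMARC TXT record into a tag dict; return None if it is not DMARC."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def enforcement_level(record):
    """Classify whether a record blocks spoofed mail.

    Returns one of: "missing", "none", "partial", "subdomains-open", "enforced".
    """
    tags = parse_dmarc(record)
    if not tags or "p" not in tags:
        return "missing"
    policy = tags["p"].lower()
    # sp= falls back to the organisational policy when absent (RFC 7489)
    sub_policy = tags.get("sp", policy).lower()
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        return "none"              # report only; spoofed mail is still delivered
    if pct < 100:
        return "partial"           # only a fraction of failing mail is acted on
    if sub_policy == "none":
        return "subdomains-open"   # mail from sub.domain.example is unprotected
    return "enforced"

def audit(records):
    """Return per-domain levels and the share of domains that are enforced."""
    levels = {domain: enforcement_level(rec) for domain, rec in records.items()}
    enforced = sum(1 for level in levels.values() if level == "enforced")
    return levels, enforced / len(records)
```

Only `p=quarantine` or `p=reject` at `pct=100`, with subdomains covered, counts as enforced; a `p=none` record gives visibility reports but lets a spoofed CEO email through.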
The majority of targeted employees – 75% – held the title of vice president, general manager, or managing director.
Once a victim falls for the ruse, Cosmic Lynx moves the stolen funds through money mule accounts in Hong Kong, with secondary accounts located in Hungary, Portugal, and Romania.
The gang has actively avoided using American mule accounts, Agari said.
Cosmic Lynx reflects lucrative nature of BEC scams
Like many other cybercriminals, Cosmic Lynx has been adapting its scams to take advantage of the coronavirus pandemic. Agari’s Cyber Intelligence Division (ACID) observed scammers wishing their victims good health and discussing the easing of restrictions to make their fraudulent correspondence seem more credible.
Crane Hassold, director of threat research at Agari and a former FBI analyst, told Verdict that while he has seen other scammer groups employ the M&A theme, they are “not nearly as sophisticated as Cosmic Lynx and generally ask for significantly less money”.
In one attempted scam, Agari noted a request for $2.7m from Cosmic Lynx. The average amount requested in a traditional BEC scam in which an executive is impersonated, such as an emergency funds transfer, is $55,000.
“We don’t have direct visibility into exactly how much Cosmic Lynx has made from their BEC attacks,” says Hassold.
“But because they have been active for more than a year, we can infer that their attacks have been successful or else they would pivot to a different attack method.”
Historically, Russian cyber gangs have focused on malware-based attacks, such as ransomware. Agari, which has been extensively tracking BEC gangs in West Africa for years, found a number of clues to suggest Cosmic Lynx is a Russian gang.
First, Cosmic Lynx used infrastructure linked to other types of malicious activity, including Emotet and Trickbot banking trojans, which are known to have Russian origin. Agari also saw that the criminal ring used IP addresses for its BEC scams that have ties to Russian black market websites. The scam emails were also sent in Moscow Standard Time,
Cosmic Lynx represents a step-change for BEC attacks, which have predominantly originated from Nigeria. The larger sums requested and the elaborate nature of the scams reflect how lucrative BEC attacks can be for cybercriminals.
According to the 2019 FBI IC3 annual report, BEC attacks accounted for $1.7bn in fraud losses, which made up 40% of all cybercrime losses last year.
“Cosmic Lynx represents the future of organised crime rings that are shifting focus to socially engineered email fraud,” said Armen L. Najarian, CMO and chief identity officer at Agari.
“The more favourable economics of socially engineered schemes targeting enterprise victims have driven groups like Cosmic Lynx to defocus on the more costly and less lucrative ransomware fraud.”