Cosmic Lynx Group Using BEC Scams to Steal from Corporations
Russian cybercriminals are targeting corporations across 40 countries in an ongoing business email compromise (BEC) attack. The cyberattack attempts to trick victims into paying a fraudulent invoice for a fake business acquisition. If the invoice is paid, the money is transferred to a bank account in Hong Kong or Eastern Europe that is controlled by the threat actors.
Cosmic Lynx seems to choose targets based on their job title. The messaging in the attacks impersonates a payment processing company. The target is directed to send payments to accounts controlled by Cosmic Lynx.
The Russian fraudsters use social engineering to obtain the names and job titles of corporate employees. The employees are then targeted with a spear-phishing email message that asks them to pay a fake business-related invoice. If the target is fooled by the messaging in the phishing email, the money is transferred away from the corporation to bank accounts in Hong Kong, Hungary, Portugal, or Romania that are controlled by the hackers. The target employee may even be asked to split up payments across multiple accounts to avoid supposed daily limits on wire transfers.
Cosmic Lynx uses an impersonation scheme. The messaging in their initial email impersonates the target company’s own CEO. The email introduces an appointed legal firm in the UK and the employee is instructed to work with them for payments concerning a business acquisition. A second impersonation scheme uses the identity of the UK law firm to request the payments.
About 75 percent of the attacks targeted upper-level employees with the titles of vice president, general manager, or managing director.
“In many cases, Cosmic Lynx targets organizations that lack security protections and authentication checks, such as the Domain-based Message Authentication, Reporting and Conformance – or DMARC. The gang often sends emails that spoof the CEO’s profile, according to the report.”
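The CEO-spoofing pattern described above can be screened for at the mail gateway. The following Python sketch is an added example, not code from the report or from this article; the domain `example.com`, the executive name and the sample headers are constructed assumptions. It flags a message when an executive's display name arrives from an outside address, when the organization's own domain appears in From without a DMARC pass, or when Reply-To points at a different domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration: the protected domain and the executive roster.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe"}

def dmarc_result(msg):
    """dmarc= verdict from Authentication-Results; trust only your own gateway's header."""
    for header in msg.get_all("Authentication-Results", []):
        for part in header.split(";"):
            part = part.strip().lower()
            if part.startswith("dmarc="):
                return part[len("dmarc="):].split()[0]
    return "none"

def ceo_spoof_flags(raw):
    """Return the reasons a raw message looks like executive impersonation."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if " ".join(name.lower().split()) in EXECUTIVES and domain != ORG_DOMAIN:
        flags.append("executive display name on external address")
    if domain == ORG_DOMAIN and dmarc_result(msg) != "pass":
        flags.append("own domain in From without DMARC pass")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("Reply-To domain differs from From domain")
    return flags

# Constructed sample headers (not taken from the report).
LOOKALIKE = (
    'From: "Jane Doe" <jane.doe@secure-mail.test>\n'
    "Authentication-Results: mx.example.com; dmarc=pass header.from=secure-mail.test\n"
)
DIRECT_SPOOF = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Reply-To: jane.doe@secure-mail.test\n"
    "Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com\n"
)
LEGITIMATE = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "Authentication-Results: mx.example.com; dmarc=pass header.from=example.com\n"
)

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("direct", DIRECT_SPOOF), ("legit", LEGITIMATE)]:
        print(label, ceo_spoof_flags(raw))
```

The first sample passes DMARC for its own look-alike domain, which is why the display-name check is needed in addition to authentication results.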
What is a BEC scam?
A business email compromise, or BEC scam, is a type of cyber attack where the fraudster sends a simple email with the intention of stealing money, credentials, or sensitive data. Frequently the threat actor sends a highly targeted phishing email to someone in a business who is capable of paying invoices or transferring money. The threat actors have usually done some work ahead of time – generally through social engineering – to identify the name, title, and contact information of the target. They send carefully crafted emails which seem plausible and familiar to the recipient. For example, the threat actor may send an invoice that claims to originate from a company or an industry that the recipient is accustomed to doing business with. Because the contents of the email appear familiar, the recipient is more likely to follow the instructions in the email without taking the time to scrutinize the sender or the request.
This type of scam is far more lucrative than setting up a malware attack.
According to the FBI, financial losses due to BEC attacks increased 37% in 2019. BEC attacks accounted for 40% of all cybercrime losses last year.