Business email compromise (BEC) scams have been one of the hotter trends in the cyber crime world in the past two to three years. These attacks, which usually target senior-level executives and trick the company into issuing seemingly legitimate payments, strike businesses all over the world and have typically come from disparate sources. It appears, however, that Russian hackers may be moving to become the market leaders in this segment of crime.
A new study from security firm Agari suggests that one particular group based in Russia, dubbed Cosmic Lynx, has been on an unprecedented tear of BEC scams since July of 2019. The Russian hackers have struck over 200 businesses in 46 countries during that time, usually taking amounts in the hundreds of thousands (and sometimes in the millions of dollars) from each of their targets.
Russian hackers cornering the market
Cosmic Lynx is noteworthy not just for the sheer number of targets it has hit within a year, but also for the amount of money it has been extracting right out of the gate. BEC scams generally start small and build up, but the Russian hackers have been targeting prominent companies (including Fortune 500 firms) immediately and managing to successfully pull off operations against them.
The Agari report indicates that Cosmic Lynx is very deliberate in choosing each target company and focuses on mergers and acquisitions as an area of specialty. The security researchers theorize that the Russian hackers are operating with infrastructure and experience from other types of scams (such as malware campaigns) and have shifted gears because automated defenses against those attacks have made social engineering-focused attacks more profitable by comparison.
Originating in Africa in the mid-2010s as an evolution of the more basic email-based wire fraud hustles, BEC scams have typically appealed to less sophisticated operators because they require little technical knowledge or hacking infrastructure. The more experienced players like Cosmic Lynx seem to be using their advanced cyber crime knowledge and access to improve upon elements of BEC scams, doing things like masking the sources of emails more effectively and doing some lower-level snooping in target networks to learn their email authentication policies.
The contact emails from Cosmic Lynx are also generally better written in the target language (in this case mostly English, with some examples in French) and formatted to look more like a legitimate business email. Cosmic Lynx follows a particular process in which it targets the executives of a company that is being acquired, first impersonating the CEO and then later an external legal counsel from a UK law firm representing the partner company to request payments. 75% of its targets were vice presidents, general managers or managing directors. The email address of the CEO is spoofed, as are the address and identity of a prominent lawyer in the United Kingdom.
Once the funds are transferred, the group immediately launders them through a mule system based in Hong Kong and a handful of countries in Eastern Europe.
Cosmic Lynx is not thought to be state-sponsored at this time, but the Agari researchers believe the outfit is Russian based on email timestamps that fall within Moscow business hours and the use of IP addresses that have previously been linked to underground merchants selling forged Russian identity documents.
More advanced BEC scams?
Agari believes that this recent activity from Cosmic Lynx portends a general uptick in more sophisticated cyber crime operators adopting BEC scams as a primary moneymaking method. Many scammers will come to the same conclusion that the Russian hackers apparently have: it makes sense to pivot to a lucrative social engineering attack as automated defenses against, and general awareness of, things like ransomware grow.
While BEC scams have been on a general uptick and have taken in plenty of money ($3.5 billion in the United States alone in 2019), until now they have been the province of less sophisticated criminals. Even the successful BEC scams are often perpetrated via emails riddled with grammar and spelling errors and have observable “tells” that they originate from a spoofed source. The solid rate of success in spite of this general lack of competency indicates that bad things are coming if forces on the level of these sophisticated Russian hackers decide to make this a new area of focus.
James McQuiggan, Security Awareness Advocate for KnowBe4, stresses the importance of Domain-based Message Authentication, Reporting & Conformance (DMARC) given that spoofing executive email accounts is central to making this scam work: “From a technology perspective, implementing verification of domains by using DMARC configuration in the mail server allows the organization to request the domain to be checked for validation before allowing the email into the inbox. The Sender Policy Framework configuration in the mail server is used to authenticate the sender’s email address. Finally, using encryption of the headers prevents man-in-the-middle attacks with the DKIM, or DomainKeys Identified Mail. For the human element, a robust security awareness program educating employees to be aware of the red flags and spot fake emails is essential. End users should always check the email address and verify the user to determine if there is the expectation of the email.”
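To make the DMARC/SPF/DKIM interplay described above concrete, here is an added illustration (not code from the article, Agari or KnowBe4) of the disposition logic a receiving mail server applies: a message only passes DMARC if SPF or DKIM passed *and* the authenticated domain aligns with the domain in the visible From: header, and otherwise the policy published in the sender domain's DNS (`p=none`, `quarantine` or `reject`) decides what happens. The DMARC records, domain names and authentication results below are constructed sample inputs, and the organizational-domain helper is a simplification that does not consult the Public Suffix List.

```python
"""Minimal DMARC disposition logic (added illustration; constructed sample data).

Assumes SPF and DKIM have already been evaluated by the receiving server and only
their results, plus the domains they authenticated, are fed in.
"""
from dataclasses import dataclass
from typing import Optional


def parse_dmarc(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags.
    Defaults follow RFC 7489: relaxed alignment for both SPF and DKIM."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels.
    Assumption for this example only; real servers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any domain sharing the organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: Optional[str]   # envelope MAIL FROM domain SPF was checked against
    dkim_pass: bool
    dkim_domain: Optional[str]  # d= tag of the verified DKIM signature, if any


def dmarc_disposition(from_domain: str, dmarc_txt: str, auth: AuthResults) -> str:
    """Return 'pass' when the message authenticates, else the published policy."""
    policy = parse_dmarc(dmarc_txt)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return policy["p"]


if __name__ == "__main__":
    # Constructed scenario: the From: header claims the executive's domain, but
    # SPF only passed for an unrelated envelope domain and there is no DKIM.
    spoofed = AuthResults(spf_pass=True, spf_domain="unrelated.example",
                          dkim_pass=False, dkim_domain=None)
    # Weak setting: p=none merely reports, the message still lands in the inbox.
    print(dmarc_disposition("example.com", "v=DMARC1; p=none", spoofed))
    # Hardened setting: p=reject tells receivers to refuse unaligned mail.
    print(dmarc_disposition("example.com", "v=DMARC1; p=reject", spoofed))
    # Legitimate mail signed by a subdomain passes under relaxed alignment.
    legit = AuthResults(spf_pass=False, spf_domain=None,
                        dkim_pass=True, dkim_domain="mail.example.com")
    print(dmarc_disposition("example.com", "v=DMARC1; p=reject", legit))
```

The first two calls show why publishing a DMARC record is not enough on its own: with `p=none` a spoofed executive address is still delivered and only shows up in aggregate reports, whereas `p=reject` (reached after monitoring reports to confirm all legitimate senders are aligned) is what actually blocks the impersonation this group relies on.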
David Jemmett (CEO for Cerberus Sentinel) also noted that though the Russian hackers are more sophisticated than most, they are not perfect about evading detection: “While these emails seem legitimate on the surface, there is still a suspicious nature about them. For example, the location of the fraudulent sender and the location of the attorney that they were impersonating did not match up. Similarly, the phone number on the email was not correct. When it comes to potentially fraudulent emails, one of the only ways to verify the authenticity is to conduct thorough research … Most frequently, these fraudulent emails contain malicious documents or PDFs often with the header: ‘BILL’ or ‘Important legal update’ or ‘Pending legal action.’ In this case, it was the latter containing a Ryuk-type program to run as soon as the file was clicked and Adobe opened to execute on my system.”
The same sort of organizational training that is done to recognize phishing email scams is helpful here, particularly if the C-suite is not exempted from it. Another simple measure can drastically cut down on the success rate of even sophisticated BEC scams: requiring a secondary, non-email confirmation (for example, a call-back to a known number) before transfers of this nature are approved.