Security company Agari has unearthed a massive Russian business email compromise (BEC) operation that it says has been operating under the radar for at least a year. The group, nicknamed Cosmic Lynx, targets large multinational companies, the security researchers said.
Detailing the group’s activities in a report this week, Agari said that it had been involved in over 200 BEC campaigns since July 2019. It believes that Cosmic Lynx has targeted senior executives in 46 countries spanning six continents.
Cosmic Lynx’s modus operandi is more sophisticated than many BEC groups, using what Agari calls a dual impersonation scheme. The attacks begin with an email supposedly from a senior executive at the target company to an employee, informing them of an attempt to take over a company in Asia. The email says that the employee is the only person entrusted with this information and asks them to manage the acquisition.
The scammers then introduce the victim to a lawyer who is supposed to be coordinating the acquisition payment. The lawyer arranges for the payment, often running into millions of dollars, to be sent to a mule account in Hong Kong. Cosmic Lynx impersonates a real UK-based lawyer in its emails, spoofing the law firm’s address with a similar-looking domain name.
The group uses excellent English in its emails, unlike many BEC scams, noted Agari. It is also fastidious about its infrastructure. It registers domains built from security terminology, such as secure-mail-gateway.cc, to lend them an air of authenticity, and it even used Fortinet, the name of a popular security company, in some of its domains. The group then points the registered domains themselves to web infrastructure and security company Cloudflare to make them look more legitimate, while conducting its nefarious activities via a subdomain.
Cosmic Lynx also takes account of DMARC, the email authentication protocol that makes it difficult to spoof a protected domain. When it targets an organisation that uses DMARC, it uses one of its own domain names instead of faking the target company’s domain in the email’s reply-to field. To compensate, it sets the email’s display name to include the CEO’s email address so the message still appears legitimate.
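The two sender tricks described above (an attacker-owned domain built from security vocabulary, and a display name that embeds the executive's real address) are exactly what a mail-flow rule can look for. The following is an added detection example, not code from Agari's report; the trusted domain, the vocabulary list and both sample messages are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the defended organisation's own domain.
TRUSTED_DOMAIN = "example-corp.com"
# Security-sounding labels the page says the group favours in its domains.
SECURITY_WORDS = ("secure", "gateway", "mail", "dmarc", "protect")

# Matches an email address embedded anywhere in free text (the display name).
EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def check_from_header(raw_message: str) -> list[str]:
    """Return a list of findings for the From header of one RFC 5322 message.

    Heuristic 1: the display name embeds an address whose domain differs
    from the actual sender domain (the DMARC-evading display-name trick).
    Heuristic 2: the sender domain is external and assembled from
    security vocabulary, as in secure-mail-gateway.<tld>.
    """
    msg = message_from_string(raw_message)
    display_name, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    findings = []
    for embedded in EMBEDDED_ADDR.findall(display_name):
        embedded_domain = embedded.rsplit("@", 1)[-1].lower()
        if embedded_domain != sender_domain:
            findings.append(f"display name embeds {embedded} but sender is @{sender_domain}")
    if sender_domain and sender_domain != TRUSTED_DOMAIN:
        # Split on both dots and hyphens so "secure-mail-gateway" yields single words.
        labels = sender_domain.replace("-", ".").split(".")
        if any(word in labels for word in SECURITY_WORDS):
            findings.append(f"external sender domain uses security vocabulary: {sender_domain}")
    return findings


# Constructed sample messages (not real traffic) following the pattern on the page.
SAMPLE_SPOOF = (
    'From: "Jane Doe <ceo@example-corp.com>" <j.doe@secure-mail-gateway.example>\n'
    "To: finance@example-corp.com\nSubject: Confidential acquisition\n\n"
    "Only you have been briefed on this.\n"
)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example-corp.com>\n"
    "To: finance@example-corp.com\nSubject: Quarterly numbers\n\nAttached.\n"
)

if __name__ == "__main__":
    for label, sample in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, check_from_header(sample) or ["no findings"])
```

Because the attacker's domain passes its own DMARC check, this is an alert-on-content rule, not a replacement for publishing an enforcing DMARC policy on the trusted domain.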
Agari believes that Cosmic Lynx is a Russian group based on several indicators. These include the Moscow time zone on sent emails and the use of its infrastructure for other Russia-linked operations, including websites selling fake Russian documents.
“Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that set them apart from other more generic BEC attacks we see every day,” Agari concluded.