A newly reported and unusually sophisticated Business Email Compromise (BEC) operation may serve as a model for other cybercriminals looking to up their social engineering game and cash in on a lucrative illegal pastime.

In a press release, blog post and detailed dossier (accessible via the blog post), researchers from Agari who discovered the operation — dubbed Cosmic Lynx — claim that this is the first-ever reported case of a Russian cybercriminal outfit running an organized BEC phishing scam.

Historically, the preponderance of BEC scams are based out of Nigeria, Agari reports. But other organized cybercrime gangs based around the globe may begin to follow Cosmic Lynx’s lead because email-based social engineering scams are simpler and less expensive to execute than malware-based criminal activity, and can yield more immediate financial dividends.

“Cosmic Lynx represents the future of organized crime rings that are shifting focus to socially engineered email fraud,” said Armen Najarian, CMO and chief identity Officer, Agari. “The more favorable economics of socially engineered schemes targeting enterprise victims have driven groups like Cosmic Lynx to defocus on the more costly and less lucrative ransomware fraud.”

Operating since at least July 2019, Cosmic Lynx has conducted more than 200 BEC campaigns targeting high-level employees of multinational Fortune 500 or Global 2000 companies, with prospective victims located in 46 countries, including the U.S.

The malicious emails are typically addressed to senior-level executives — most commonly managing directors, VPs and general managers, but also CFOS and CEOs and presidents. The goal is to convince them that the CEO or another corporate executive is requesting the wire transfer of bank funds to a fraudulent account under the false pretense of a mergers and acquisitions deal.

Cosmic Lynx is shooting for the moon in terms of profits: While BEC attacks that impersonate executives typically ask for, on average, $55,000 in wire transfers (according to Agari statistics), the average Cosmic Lynx attack seeks $1.27 million in ill-gotten funds, with the highest known transfer request topping out at $2.7 million.

Additionally, Cosmic Lynx is putting own personal stamp on the BEC scene, by introducing several layers of sophistication that Agari says is not often observed in such schemes.

“The scary thing about Cosmic Lynx is that they are clearly putting significantly more effort into their attacks than other BEC attacks we see every day,” said Crane Hassold, blog author and senior director of threat research at Agari, in an interview with SC Media. “They take time to develop extremely well-written emails. They understand their targets’ infrastructure and adapt their attacks accordingly. And they have hardened their own attack infrastructure so it is more resilient.”

The lure of a merger and acquisitions scenario is played out over a pair of phony emails. The first email pretends to be from the CEO asking the targeted employee to coordinate with legal counsel to execute a time-sensitive money transfer in order to consummate a supposed business deal.

Then a second fake email impersonates a legitimate law firm and provides account information to facilitate the money transfer, which in reality goes to a money mule based in Hong Kong or Europe. The adversaries feign authenticity by using a credible-looking email signature that contains a picture of the lawyer, a link to the law firm website and a confidentiality disclaimer.

When a targeted company fails to implement stringent DMARC protections, the attackers will try to spoof the email address of said company’s CEO. If DMARC protections are in place, then the adversaries will modify the display name to include the CEO’s email address, so that the communication still appears to come from the top executive, but without triggering a detection that could block or quarantine the message.

David Jemmett, CEO at at IT management and cybersecurity company Cerberus Sentinel, said his company has received five of these suspicious emails in the last one-to-two weeks. “These emails have been becoming more sophisticated in their nature, complete with official-looking signatures from law firms,” said Jemmett. “While these emails seem legitimate on the surface, there is still a suspicious nature about them. For example, the location of the fraudulent sender and the location of the attorney that they were impersonating did not match up. Similarly, the phone number on the email was not correct. When it comes to potentially fraudulent emails, one of the only ways to verify the authenticity is to conduct thorough research.”

Agari notes that email addresses and domains created by Cosmic Lynx “are named in a way to mimic secure email and network infrastructure (e.g., secure-mail-gateway[.]cc, encrypted-smtp-transport[.]cc, mx-secure-net[.]com). The mailbox referenced in a Cosmic Lynx email address usually references celestial bodies, like planets and stars… similar to the naming convention of some SMTP or DNS name servers.” Moreover, some of the domains are registered with NiceVPS, a bulletproof hosting an anonymous domain provider, in order to bolster infrastructure resiliency and hide the involvement of the actors.

Agari further notes that “While most BEC actors tend to gravitate to free webmail accounts or remotely-hosted cloud services, Cosmic Lynx consistently chooses to host their own email infrastructure with a small number of hosting providers. By hosting, managing, controlling, and running their own email infrastructure, Cosmic Lynx is able to be more resistant to law enforcement operations which may target their campaigns.”

Hassold told SC Media that Agari first began investigating Cosmic Lynx in early 2000, and noted that the firm attributes the operation to Russian cybercriminals “based on a combination of email header, infrastructure, and metadata analysis, each of which contained clues that Cosmic Lynx had Russian ties.”

For example, Agari found that the time/date stamp in certain Cosmic Lynx email headers includes a UTC (Coordinated Universal Time) offset that reflects Moscow Standard Time. Also, some of Cosmic Lynx’s infrastructure overlaps with that of Trickbot and Emotet malware, which also has Russian connections, and certain Cosmic Lynx IP addresses overlap with infrastructure used for hosting Russian fake document websites.

To protect themselves against Cosmic Lynx and similar threats, James McQuiggan, security awareness advocate, at KnowBe4, suggests that organizations implement DMARC and introduce “a robust security awareness program,” so employees are better at spotting malicious emails designed to elude DMARC protections.

“End users should always check the email address and verify the user to determine if there is the expectation of the email. Trust, but verify is an appropriate way to make sure you don’t fall victim to any email scams,” said McQuiggan. “Finally, organizations that send money to vendors or suppliers should have procedures in place that do not rely solely on email for account changes, payments, or financial changes. Using a verification method, with multiple parties and based on a tiered payment system, can help to reduce the risk of losing money to criminals.”