Business Email Compromise: Cosmic Lynx
Business Email Compromise
Business Email Compromise (BEC), sometimes known as Email Account Compromise (EAC), is a common scam that leverages social engineering tactics to deceive victims into allowing large cash transactions. BEC scams target weaknesses in business processes that rely heavily on email to manage finances. To appear legitimate, attackers often spoof the identities of their victims’ coworkers, vendors, customers, and other contacts to request fraudulent money transfers, payments, or other actions.
The sharp rise of BEC can be partly attributed to the high return on investment of successful social engineering attacks, compared to developing and deploying sophisticated malware. While some BEC attacks involve malware, many simply rely on communications between attacker and victim, costing little more than time.
Cosmic Lynx
Cosmic Lynx is a Russian criminal organization that has conducted more than 200 BEC-centric campaigns since July 2019[1], posing a significant threat to businesses worldwide. Tactics include spear-phishing high-priority executives and spoofing the identities of prominent lawyers, law firms, and other organizations. Cosmic Lynx leverages the power of social engineering and an overwhelming lack of Domain-based Message Authentication, Reporting and Conformance (DMARC) policies deployed to corporate email. Given Cosmic Lynx’s success, it is important to understand this specific brand of attack and develop methods that your organization can use to better secure itself against similar tactics.
Process of Cosmic Lynx BEC
Cosmic Lynx targets large, multinational businesses, including many Fortune 500 and Global 2000 companies in pursuit of large payouts.[2] Furthermore, the group specifically targets companies that either lack a DMARC policy or have an ineffective policy deployed. Without a DMARC policy, organizations are unable to screen for illegitimate emails from senders. In instances where a company does have a DMARC policy, Cosmic Lynx targets weaknesses in its configuration to change display names, email addresses, and other key indicators to appear legitimate.
Cosmic Lynx primarily targets employees who hold positions in upper management due to their access to and authority over corporate funds.[3] Once a target is identified, the group employs social engineering tactics to deceive the victim into sending money. The group creates a merger/acquisition scenario with another company. For example, by impersonating as the CEO of the victim’s company, Cosmic Lynx directs employees to cooperate with “legal counsel.” However, Cosmic Lynx actors also spoof the identity of the specified counsel to keep the ruse going and ensure a smooth “acquisition.”1
In order to solidify the fake merger scenario, Cosmic Lynx applies three distinct social engineering principles: trust, authority, and urgency. Cosmic Lynx establishes a trust relationship with the victim through explicit wishes of wellbeing and conveying empathy towards issues of concern. By posing as a senior member in the organization, Cosmic Lynx exploits the fact that the employee naturally complies with the request due to the innate human tendency to follow authority figures and out of fear of discipline for ignoring a senior employee’s request. Cosmic Lynx projects a sense of urgency to manipulate the victim into bypassing standard processes set by the employee’s organization. Comments such as “let me know soonest by email,” or applying unrealistic deadlines by saying “it must be sorted out by close of business tomorrow,” put pressure on the victim to produce results and not think about the implications of the request.1
Concern for Vulnerable Organizations
Many organizations have experienced monumental shifts in the way they do business due to COVID-19. These adjustments include increasing their remote workforce and moving services online that were once handled in-person. BEC attackers have leveraged the confusion and uncertainty created by unexpected change to exploit new vulnerabilities in processes and procedures.
This kind of attack is not limited to corporations. An example of such exploitation occurred at Southern State’s Financial Services Department, whereby employees were tricked into paying a large amount requested from a fraudulent invoice. The malicious email impersonated a trusted local construction agency requesting to update bank and routing numbers. An effective DMARC policy and more traditional anti-fraud policies, such as two-person integrity, could have prevented this attack.
Another common target for BEC groups is the education sector. In several attacks against schools and universities, threat actors used compromised accounts of higher management positions such as Deans, Superintendents, and Principals to send emails to other employees in the system. Most fraudulent emails contained a malicious attachment for other employees to download, thus infecting the school network.
In other cases, the MS-ISAC observed threat actors contacting payroll departments to change direct deposit information. Emails were either spoofed to appear as though they came from employees within the school system or from employees whose accounts were compromised. Additionally, in the past year, the MS-ISAC has investigated several incidents related to Elections Offices receiving spoofed emails that appeared to generate from trusted sources.
Call to Action: Adopt DMARC
While Cosmic Lynx is a legitimate concern for all organizations, there is no direct evidence that Cosmic Lynx is targeting state, local, tribal, and territorial (SLTT) governments. However, SLTTs have been targeted by BEC scams that employ similar tactics and the MS-ISAC anticipates this trend will continue as SLTTs remain a ripe target due to the type of business transactions conducted.
The MS-ISAC recommends SLTTs adopt DMARC, if possible, and follow strict DMARC policies. When properly configured, DMARC allows SLTTs to determine whether an email is from a trusted source. Additionally, SLTTs should establish and follow cash transaction policies, such as two-person sign-offs for all large transactions, enhanced by training and awareness related to the threat of social engineering. Developing layers of defense through strong policies and an educated workforce will help reduce exposure even if an attacker gets past the outer layer.