Phishing attacks: This sophisticated new group has been operating undiscovered for at least a year

July 07, 2020

A newly uncovered phishing group is targeting big companies around the world. It’s thought to be the first major scam gang of its type operating out of Russia, indicating a potential shift in the cyber-threat landscape.

Business email compromise (BEC) scams can be highly lucrative for cyber criminals, with organisations losing hundreds of millions of dollars a month after being tricked into sending finances into accounts owned by criminals.

Uncovered and detailed by cybersecurity researchers at Agari – who’ve named it Cosmic Lynx – the campaign has targeted individuals in 46 countries across six continents and combines in-depth research on target organisations and their executives alongside two spoof email chains sent to the victim that touches on current themes, including the coronavirus pandemic.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Cosmic Lynx appears to be the work of a gang that has previously stuck to trojan malware attacks.

Researchers say the infrastructure behind the email operation has links to Trickbot and Emotet campaigns and the shift indicates that the potentially lucrative returns of phishing campaigns against businesses is leading some cyber-criminal groups to shift their tactics.

“A Russian cybercrime organization moving into the BEC space is significant because it shows that more advanced attackers are realizing the return on investment for BEC attacks is significantly greater than more technically sophisticated email-based attacks,” Crane Hassold, senior director of threat research at Agari, told ZDNet.

Not only that, but the Russian outfit is using its expertise to craft much more sophisticated attacks that are harder for potential victims to detect.

“Unlike traditional BEC groups, Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that sets them apart from other more generic BEC attacks we see everyday,” Hassold added.

The people targeted by the campaign mostly hold the job titles vice president, general manager or managing director, and the attack begins with a spoofed email – but one that looks legitimate – which appears to come from the CEO of the targeted company.

In almost all cases, the initial emails detail a supposed acquisition of an Asian company, which the person receiving the email is told is both time-sensitive and secret, so shouldn’t be discussed with anyone else.

Researchers note that unlike other BEC schemes, the messages are well written and come complete with businesses and financial terms all used in the proper context.

Following the initial email, the “CEO” then CCs in a lawyer to help complete the financial transaction. The emails from law firms – almost entirely based on real practices in the UK – are also operated by Cosmic Lynx and even attempt to mimic communication patterns and real language used by the mimicked firm in the public sphere, once again demonstrating how the Russian group has taken BEC to the next level.

“It is very rare for a BEC group to use a dual impersonation scheme, which demonstrates the amount of additional effort Cosmic Lynx is willing to put into their attacks to make them more realistic,” said Hassold.

It’s after the ‘lawyer’ is involved that the attack finally attempts to coerce the victim into transferring the hundreds of thousands, sometimes millions, of dollars supposedly required for the acquisition that are directed to mule accounts in Hong Kong and then into the hands of the cyber criminals.

SEE: FBI: BEC scams accounted for half of the cyber-crime losses in 2019

Such is the nature of BEC schemes that the victim might not even suspect they’ve fallen victim to a scam.

Researchers believe that the group has been active in these campaigns for at least a year. It’s not possible to tell how many organisations have fallen victim to the attacks or how much money the criminals have made, but that the campaign is still active demonstrates that it’s proving lucrative.

The well-researched and legitimate-sounding emails designed to look like they come from people known to the victim might be difficult to defend against, but it isn’t impossible.

“To detect these pristine socially engineered attacks, companies have to think in news ways. They cannot just block bad emails,” said Hassold.

If someone believes that they might be being targeted by a BEC phishing attack claiming to be from someone they know, they could also send a fresh email to the person – or better, ask to speak to them on the phone – to confirm if the request is legitimate or not in order to be safe rather than sorry.