One of the last times business email compromise (BEC) scams were covered in this publication was when the Federal Bureau of Investigation (FBI) revealed that businesses and individuals had lost an estimated 12 billion USD over just under five years. Since then ransomware, and in particular the work of human-operated ransomware gangs, has dominated cybersecurity news feeds. While massive global organizations were becoming victims of these ransomware gangs, BEC scams never disappeared but their approach and demands became more brazen. Scammers are now looking to steal 80,000 USD on average from targeted companies per attack a new report reveals. The previous report noted that demands were on average 54,000 USD, signaling a significant jump from the first quarter of 2020 to the second. Before we take a look at the contents of the report it is wise to see exactly what amounts to a BEC scam.
A BEC scam is a type of phishing attack where a cybercriminal impersonates an executive, often a CEO, and attempts to get an employee, customer, or vendor to transfer funds or sensitive information to the phisher. Unlike traditional phishing attacks, which target a large number of individuals across a company, BEC attacks are highly targeted and focussed. Cybercriminals will scrape compromised email inboxes, study recent company news, and research employees on social media sites to make these email attacks look as convincing as possible. This high level of targeting helps these email scams to slip through spam filters and evade email whitelisting campaigns. This makes it far harder for employees to decide whether the email is legitimate or not.
The recent report was compiled by the Anti-Phishing Working Group (APWG), an industry coalition made up of more than 2,200 organizations from the cyber-security industry, government, law enforcement, and NGOs sector. APWG has been releasing reports on phishing and other email scams since 2004 and is considered one of the largest groups of its kind. Initially, the reports for the most part dealt with phishing scams, however, since the 2010s the reports have increasingly dealt with BEC scams. The current reality is that the reports now view BEC fraud as the predominant scam needing analysis.
This shift in attention has resulted because several criminal gangs have made conducting BEC scams a priority. Some groups get greedy and demand large pay-outs which inevitably attracts the attention of law enforcement resulting in some gangs and individuals being caught. These incidents remain rare as the vast majority of groups remain under the radar, at a sweet spot where the sums are low enough to dissuade companies from following through with investigations and legal actions, but still big enough to net the groups a profit.
One of these groups capable of operating under the radar for extended periods has been Cosmic Lynx. The group's name might read like a great name for a progressive rock band but the group’s actions against businesses place them more like a villain than a rock god. Security firm Agari, a member of APWG, has been tracking the BEC scam gang since 2019 and the group appears to have been active from July 2019. In summarising the group’s modus operandi Agari researchers noted that,
“We have observed more than 200 BEC campaigns linked to Cosmic Lynx since July 2019, targeting individuals in 46 countries on six continents. Unlike most BEC groups that are relatively target agnostic, Cosmic Lynx has a clear target profile: large, multinational organizations. Nearly all of the organizations Cosmic Lynx has targeted have a significant global presence and many of them are Fortune 500 or Global 2000 companies. The target employees of Cosmic Lynx are senior-level executives. Like other BEC groups, it seems Cosmic Lynx identifies employees to target based on their title. Three quarters of employees targeted by Cosmic Lynx hold the titles of Vice President, General Manager, or Managing Director.
Cosmic Lynx employs a dual impersonation scheme. The pretext of their attacks is that the target organization is preparing to close an acquisition with an Asian company as part of a corporate expansion. First, they impersonate a company’s CEO, asking the target employee to work with “external legal counsel” to coordinate the payments needed to close the acquisition. Then, Cosmic Lynx hijacks the identity of a legitimate attorney at a UK-based law firm whose job it is to facilitate the transaction. Cosmic Lynx prefers to use mule accounts in Hong Kong to receive stolen funds. The group is actively resistant to using mule accounts in the United States, but has provided secondary accounts located in Hungary, Portugal, and Romania.”
The group namely abuses Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to spoof email addresses of CEOs and other important figures within companies to lend more credence to the scam. If a company has not implemented a DMARC policy or has a policy set to monitor-only (p=none), Cosmic Lynx will directly spoof the CEO’s email address and set the Reply-To email to their operational email account they use to actually correspond with a victim. If an organization has an established DMARC policy set to reject or quarantine (p=quarantine), Cosmic Lynx will not spoof the sending email address. Instead, the group changes the display name impersonating the CEO to include their email address, which still gives the look that the email is coming directly from the CEO’s account (e.g., “John Smith - jsmith(at)acme.com”).
Not only has the group looked to exploit DMARC policies but like many other cybercriminal gangs, has looked to leverage the COVID-19 pandemic to better carry out scams. This was done in the same way other gangs have looked to exploit from the pandemic by using COVID-19 lures and themes to attract a potential victim’s attention and increase the likelihood of an attack being successful. Researchers noted that in March the group began inserting language referencing the pandemic into their BEC campaign emails as a social-engineering icebreaker that preceded their main request.
Because COVID-19 has impacted nearly everyone in the world, it afforded Cosmic Lynx an opportunity to disarm a target’s suspicions by building rapport with them at the beginning of an initial email regardless of where the target was located effectively turning the pandemic into a social engineering goldmine.
The Other End of the Scale
Cosmic Lynx represents the savvy operator who demands smaller amounts of money to keep operating under the radar. The other end of the scale then is Evaldas Rimasauskas, a Lithuanian man who plead guilty to defrauding Google and Facebook out of 123 million USD by using fake invoices to trick employees into wiring money to his bank accounts. Rimasauskas defrauded these companies by setting up a company with a name similar to Quanta a recognized provider of data center hardware products. He targeted the two tech giants as they were known to have business relations with Quanta. According to the court documents related to his trial, the 50-year-old, operated by sending emails made to look like they were coming from Quanta to both Google and Facebook, and demanding payment for alleged services and products.
The fake invoices were enough to fool both Facebook and Google employees into sending the requested amounts to banks in Latvia and Cyprus. From those initial banks, the funds would be transferred to other banks in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong which were all controlled by the accused.
Whether the victim falls for small demands made by organized gangs or by single scammers who got greedy, the danger of these scams is apparent. Agari concluded that,
“Business email compromise has become the predominant cyber threat businesses face today. Since 2016, businesses have lost at least $26 billion as a result of BEC attacks and, based on the most recent FBI IC3 report, losses from BEC attacks grew another 37 percent in 2019, accounting for 40 percent of all cybercrime losses over the course of the year. Evidence that more sophisticated threat groups are adding BEC to their attack repertoire should concern everyone. Unlike traditional BEC groups, Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that sets them apart from other more generic BEC attacks we see everyday.”
What makes BEC scams appeal to cybercriminals and scammers alike is that they require very little in advanced technical knowledge. Rather, they are a low cost and low tech socially engineered attack method that is capable of defrauding companies out of millions.