Russian scammers are conning senior executives into giving away $2.7 million by impersonating real CEOs and lawyers

• New research by the Agari Cyber Intelligence Division (ACID) has uncovered a new group of Russian scammers targeting senior executives.
• Dubbed Cosmic Lynx, these email scammers have duped businesses out of at much as $2.7 million.
• With impeccable grammar and spelling, they derive targets from DMARC records impersonating of recently acquired companies and real lawyers.

Russian scammers are the ‘new kid on the playground’ when it comes to siphoning off money in digital cons. On average, business email compromise (BEC) attacks ask for around $55,000 but these Russian con artists dubbed Cosmic Lynx are known to ask for much higher amounts of up to $2.7 million.

Discovered by the Agari Cyber Intelligence Division (ACID), Cosmic Lynx aren’t scammers sitting in Nigeria asking you to send over money to rescue a stranded prince but polished scammers targeting senior executives in large organisations and corporations across 46 countries.

"This is a very sophisticated and well-researched operation, run by experienced hackers who have done their homework. The hackers looked into companies that were completing an acquisition, identified a senior executive target, and impersonated the CEO of the company being acquired in order to deceive their target into wiring money to a fraudulent account,” Tim Sadler, CEO of Tessian, told Business Insider.

This group of hackers has been behind more than 200 BEC campaigns since July 2019, according to ACID. Yet, researchers don't have a clear sense of how often Cosmic Lynx actually succeeds at obtaining a payout.

A new class of money cons
Most BECs can be spotted because of the numerous grammatical mistakes in the email or rush to get money transferred as soon as possible. Email from Cosmic Lynx, on the other hand, are clean with flawless spelling as they impersonate the CEO of the organisation that’s being acquired.

“To add another layer of perceived legitimacy, the hackers also impersonated an external lawyer at a well-regarded law firm, making it very difficult for the target to think that they are being scammed,” said Sadler. According to ACID, this lawyer — normally impersonating a real lawyer from a well-regarded law firm in the United Kingdom — is brought in to facilitate the necessary payments, adding an air of legitimacy to the entire transaction.

Rather than use free accounts, Cosmic Lynx makes the effort to register strategic domain names for each individual BEC campaign to appear more convincing. It also shields these domains so that it’s harder to trace back the account to the true owner.

“Cosmic Lynx represents the future of organized crime rings that are shifting focus to socially engineered email fraud,” said Armen Najarian, the CMO and Chief Identity Officer at Agari.

DMARC and how Cosmic Lynx uses it to its advantage
DMARC stands for domain-based message authentication, reporting & conformance. It is an email authentication, policy, and reporting protocol.

Cosmic Lynx uses DMARC records to select its targets and methods of attack. “This tactic highlights why companies cannot rely on the email authentication protocol as a silver bullet to prevent email impersonation scams,” said Sadler.

DMARC records are publicly available, it's easy for hackers to identify companies that do not have the protocols in place, allowing them to directly impersonate a company's domain and pose as the CEO to convince targets they are opening a legitimate email. Of the Fortune 500 companies around the world, only around 15% have a DMARC record and an enforcement policy. The other 85% have left their doors wide open.

"Even if your company does have a DMARC policy in place, be aware that attackers can also assess how strictly you've configured it,” Sadler explained. According to him, even if a company has a strict email policy in place, the attacker can still carry out an advanced spear-phishing attack by registering a look-a-like domain.

“They bank on the fact that a busy employee may miss the slight deviation from the original domain,” said Sadler.

Here’s why Agari researcher believe Cosmic Lynx is a Russian criminal group:

• Cosmic Lynx emails appear to be sent as per Moscow Standard Time.
  
• Connections between the group's infrastructure and that used by the notorious Trickbot and Emotet trojans, which are both believed to have Russian ties, have been uncovered.
  
• Cosmic Lynx uses IP addresses in its BEC campaigns that are also used by websites that sell fake Russian documents like birth certificates and death certificates.
  
• The metadata of documents sent by Cosmic Lynx used Russian cultural references, including one to a popular Saint Petersburg–based DJ.
  

Even though in the past the division between the Russian government and criminal hackers has not always been absolute, ACID has found no evidence to believe that Cosmic Lynx is a state-backed group.

What’s scary is that BEC requires less technical investment than malware-based scamming, which has seen a large uptake during the coronavirus era. However, it still demands a specialised skill set, which could explain there hasn’t been a large uptake in BEC scams. Hackers normally follow the money and as BEC attacks become more profitably, it’s likely that they will become a more appealing option in the near future.