A newly discovered, sophisticated threat group that targets organizations without DMARC implemented and relies on business email compromise is heralding what researchers call “a new age” of business email compromise.
The group, called Cosmic Lynx, is the first reported Russian BEC cybercriminal ring, and it’s bringing the once run-of-the-mill email scam attack vector to the next level. The group has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. It uses clear, articulate emails — with vocabulary like “accretive” and “synergistic” — that purport to be related to an a “merger and acquisition,” keeping with a sensitive theme that targeted employees likely won’t discuss.
Ronnie Tokazowski, senior threat researcher at Agari, talks to Threatpost about cybercriminals are viewing BEC scams as more lucrative – and how enterprises can avoid falling victim.
BEC and enterprise email fraud is surging, but DMARC can help – if it’s done right. On July 15 at 2 p.m. ET, join Valimail Global Technical Director Steve Whittle and Threatpost for a FREE webinar, “DMARC: 7 Common Business Email Mistakes.” This technical “best practices” session will cover constructing, configuring, and managing email authentication protocols to ensure your organization is protected. Click here to registerfor this Threatpost webinar, sponsored by Valimail.
A lightly edited translation of the podcast is available below.
Lindsey O’Donnell-Welch: Hi, everyone, welcome back to the Threatpost podcast. You’ve got your host, Lindsey O’Donnell-Welch with Threatpost, here today. And I’m joined by Ronnie Tokazowski with Agari today, who is here to talk about business email compromise (BEC) and other email related phishing threats. So Ronnie, thank you so much for joining us.
Ronnie Tokazowski: Thanks for having me, Lindsey.
LO: Yeah, so you have had a busy week I know Agari’s team this week came out with new research on a BBC game that was called Cosmic Lynx. You basically were saying that you know, this is a really interesting BBC threat actor because it is showing a new level of sophistication in BEC. And I know with previous threat actors, you have researched that they always kind of seem to raise the bar each time with the sophistication and different tactics that they use. But this one in particular, was kind of the first ever reported Russian cyber criminal ring that was launching BEC scams. And there were a couple of other really cool features about it in terms of what they were doing and how they were launching attacks. So just to start, can you kind of tell us the most unique parts of this group and really the process of looking into it?
RT: Sure, I can go ahead and do that. So one of the most interesting things that we found about Cosmic Lynx was that they were completely different from a lot of the other BEC groups that we follow. Usually when you see a BEC group, they’ll usually use things like romance scams in order to try and exploit their victims. In this case, this was one of the first groups that we’ve seen where they solely created their own infrastructure, and they had their own managed infrastructure. So they would set up domains. They were extremely secure with the systems that they had set up. And this is very much the first time we’ve seen that. The other interesting piece with that too, is that the more we looked at it, and the more we tried to pin this on the Nigerian group. It was something where the weirder it kept looking. And it took it probably took us a good several weeks to a good month of looking at the information and the intelligence to rule out that no, this is not a Nigerian group, this is not the normal stuff that we’ve seen. This is something much more different than what the industry has seen. Some of the most interesting things that we did see with this group is they had targeted – we were able to capture – over 200 different campaigns since July 2019. And they were pretty they were pretty sophisticated in their attacks. Some of them, I think the average was like $1.2 million that they asked in for the transfers, and they had targeted 46 countries and six continents. So they’re very much very familiar with how to do these operations. They like trying to ask for large sums of money. And a lot of the content that they had was extremely well written, which again, is something very different than what we’ve seen in historic BEC actors.
LO: Right? I think that was something that stuck out, at least to me is that you were saying that they, the emails that they were using the launch, these attacks were written in nearly perfect English and not only that, but they were using like vocabulary that was very on point and sophisticated. Like I think you said they used “synergistic” and things like that. So not your typical grammatically error speckled email, if you will.
RT: Yeah, it was very well written documents, and a lot of cases where we had seen them using other languages, even those other languages were very well written to. We had observed one case where the email was written in French. And we had passed it over to a colleague who was who’s fluent in French. And they were saying yes, that looking at this stuff, it’s a well written French piece of material. So it’s something where either they have translators working for them, or they’re fairly fluent in multiple languages, to be able to know the different linguistic aspects of each culture for a lot of these things.
LO: Right, and looking at kind of the lure that they were using in their emails. I think that the level of vocabulary there is important because they were looking at these fake “merger and acquisition” scenarios. Can you talk a little bit about how they went ahead and were launching these types of attacks?
RT: Whenever Cosmic Lynx would go after the mergers and acquisitions, a lot of their emails would say, “hey, you have to have this level of confidentiality” and once they would actually get somebody to respond back. They would say, okay, the our UK law firm is getting in contact with you. So they would come back with the UK law firm, they would make it to where it was a legit email, sometimes they would have a picture of a person in there. And they would be like, “okay, you have to keep this confidential or else it’s gonna hurt, how the, how the acquisition is gonna go.” And at that point, you now have somebody who’s like, “okay, legally, I can’t talk about this.” So you don’t have somebody who’s gonna go talk and say, “Hey, this looks suspicious.” And when you have that level of sophistication in the email, you have very well written emails, very professional written emails, you kind of have to say, hey, that actually makes sense with why they would do that. And it’s something where when we, again, when we think of traditional BEC actors, they’re responsible for over 40 percent of all cyber crime reported to the FBI, for 2019. And that that comes directly from IC3 themselves. And I think that’s the biggest thing right now is a lot of malware attacks, when you look at that ransomware attack, they have to go ahead and set up email infrastructure, they have to have proxy infrastructure to come from, they have to remain hidden, they have to go by the malware they have to maintain persistent access, they have to go ahead and maintain the infrastructure, the bitcoin wallets. And if any one of those pieces fall, it’s gonna be much more difficult for that attacker to continue operating the way they do. Whereas here essentially all they have to do is set up an email account, ask for money, and that’s it. So it’s where a lot of attackers seem to be moving away from that malware game and that sophisticated encryption methods towards other things such as the response based attacks such as BEC.
LO: Right, and I think I was reading some news article yesterday, I think Microsoft when they cracked down on those domains having to do with phishing attacks. And in the blog post that Microsoft’s spokesperson wrote out he basically was like, “this is not a nation state actor. This is just your typical run of the mill, like cyber criminals, but that’s the threat that people need to be looking out for,” you know, I mean. From the media standpoint, like I find myself writing a lot about you know, like Spectre and Meltdown type of attacks or like malware attacks or things like that, and then in you kind of forget that BEC is really the underrated threat here, and it’s so easy for so many cyber criminals to kind of launch it and yet make so much money or create so much type like brand damage on the companies who are victimized. So, I think that’s something that we’re going to continue seeing in the future too.
RT: Yeah, I totally agree with you there. It’s like for me, I’ve been in the industry for a little over a decade now. And when I started I was hunting APT malware and that was what my job was and that was what my role was so much so that that’s a lot of the reason to my handle is literally @IHeartMalware, and it’s something where a lot of these actors are quickly figuring out, that they don’t need to use this malware in order to get money. That’s why you have the rise of things such as gift card scams where someone could go ahead and take a gift card and convert that over to things such as Bitcoin. And at that point, everything you’re bypassing international law, where you’re not having to worry about wiring money from one bank account to another, you’re not having to worry about the financial institutions picking up you’re not having to worry about the suspicious activity reports. So it’s something where it becomes much more difficult for your defenders and your security organizations to pick up on these things.
LO: Right. And, you know, one part of the cosmic link research too that stuck out to me was the amount of money they request and that really indicates that these types of attacks are a lot more lucrative for cyber criminals, right? Because you guys were saying that the average amount requested in most executive impersonation BEC attacks is $55,000. But then Cosmic Lynx was asking for up to millions of dollars. So that just goes to show kind of the how the damage is really accelerating for these types of BEC attacks.
RT: Yeah, and that’s the biggest thing is that we used to think of APT attacks, that they were the sophisticated ones of trying to steal different weapons technology. But when you actually look at the damage BEC is the one causing the most damage. It’s like and just with that, in general, you have the victims on the ground who are now being abused and have to deal with emotional turmoil of talking with somebody, many of them are now acting as money mules. We’ve seen cases where people have lost homes and yeah, BEC is the one that’s causing the most damage. And it’s like you may have a weapon, you may have like a weapons document that gets leaked by an APT. But at the end of the day, BEC is the one that’s actually affecting human lives. And unfortunately, in many cases, many have even taken their lives due to the emotional abuse associated with the romance scams. So I will say one thing worth noting for Cosmic Lynx, we have not we did not observe any romance scams associated with that group. Again, that’s one very different tactic compared to a lot of things that we’ve seen with previous BEC actors. The other interesting piece with them too is a lot of the bank accounts they were they were using. They were not U.S.-based, they were not UK based. They were a bank accounts located out in Hong Kong. So even if we were to try and go investigate them, it makes it that much more difficult in order to detect and identify and try and figure out how this scheme works. So there, this group is very much more sophisticated than a lot of other BEC groups that we’ve seen in the past.
LO: Right. And one other thing I wanted to point out about them that you had covered was that they were also targeting specifically organizations that don’t have an established DMARC policy, which, for our listeners, prevents malicious actors from directly spoofing an org domain when when sending an email. Is that something that you’re seeing – Was that something that set this group apart? Is that something that other BEC threat actors are also doing or what are you seeing with that tactic? I just thought that was kind of interesting.
RT: Yeah, so specific, specific to DMARC, we actually saw three different pieces around Cosmic Lynx. So the first piece is they would actually do checks for the organizations to see if they had DMARC enabled. And then depending on how DMARC was enabled, if it was enabled, then they would send the email in one way to where it would actually look like it was still coming from the external email account. The second thing was, if the organization did not have DMARC enabled, that meant that they were allowed to spoof somebody else within the company, so that they would go ahead and use an email spoof in order to spoof where that email was coming from, in order to help make it look like yes, this is actually the legit person. And that’s the whole reason DMARC exists is to prevent email spoofing from one security organization to or from one organization to another. The third piece that was really interesting about the DMARC is that contrary to most other attackers, Cosmic Lynx actually had DMARC implemented on their own servers. So for whatever reason, they didn’t want people impersonating them. So they went ahead and actually lock it down to where only the emails coming out from that email infrastructure was from them. And we’ve seen a couple of cases where there’s been some overlaps like that. But this was the first really large case where we saw the actor intentionally saying no, you’re not going to impersonate me. I’m putting DMARC and configuring it on my own server.
LO: Yeah, no, that is really unique. Why do you think they did that? Was that for the sake of, you know, preventing that from happening with other cyber criminals? Or what’s kind of behind that?
RT: To be honest, I’m really not sure on the true intent on why they did that. We did a lot of talking internally, and the only thing that we could come up with was that they either didn’t want people spoofing them, or it was a secure way that they tried to prevent people from engaging with them. And that was another thing too is they are a very secure group. They’re very conscious about how about operational security, the infrastructure that they were using was was pretty sophisticated. So much so that nice VPS, which was the one of the services that they had used, even had a subpoena Canary on that. And what they said was, if any subpoena comes to this infrastructure and this document does not get updated, then then you can’t trust the integrity of this of the servers. You can’t trust the fact that these are not under 100% our control and that was one of the things that NiceVPS tried to market was they tried to market it where they would say yes, everything is now under our control. The other interesting piece with that too, being under “being under their control,” was we also found overlaps with other malware families to such as TrickBot, Emotet and Azorault. And it was interesting seeing the overlaps of infrastructure with NiceVPS and the Russian BEC actors behind Cosmic Lymx, and this was on the first instances where we saw pretty solid evidence that the group was more on the Russian underground and involved in that side of things as opposed to that Nigerian side of things where they’re engaging with romance victims doing check fraud and other things like that.
LO: Right. Yeah, that’s, that’s fascinating to kind of those ties to the infrastructure used by a TrickBot and Emotet and certainly goes to show that, you know, BEC is kind of turning into that a lot of cyber criminals are looking to be see, even if they were maybe using malware before or whatnot. So that’s something to think about as well. But I’m curious too. Did you get any sense of the the group behind this in terms of you know, I know you that when you usually come out with research, you talk about kind of the organization and how, how the scams are organized, you know, how many people are within the group or how it’s grown over time? Were you able to get any sense of of that with Cosmic Lynx at this point, or is that still to be determined at this point?
RT: That’s still to be determined. And again, a lot of the reason for that is just because of the nature of the infrastructure the way it was hosted. The amount of operational security that they went into, they really did a lot to cover their tracks on this one. So they made it much more difficult to try and identify who was behind the infrastructure, who is the ones running the email domains who manage that. But a lot of what we’ve seen a lot of the little pieces and clues that we found along the way, we were able to tie it back to more than likely being in Russia. And the other interesting piece of that too, is with Nigerian fraud. We were actually talking internally about this. But if we were looking at it, and we found like one tie to Nigeria, we would be like, okay, yeah, this is a Nigerian fraud. But when we were looking at trying to identify where it was coming from, there were several cases that such as like the TrickBot, the TrickBot relationships, the relationships with other infrastructure, they were even using Moscow time and some of their phishing emails. And like all together though, each one of those little pieces would not have been a smoking gun. But when you put all of those together it builds that bigger picture that to say, hey, maybe there is something going on. So much so that when the actors were using, they would set in the mergers and acquisition documents. Some of the times, they would actually use a Word document or a PDF. And when you actually look at the metadata of those documents, it ties back to a Russian DJ named Serge Devant . So we’re not saying that Serge is the one doing it, but just from a pop culture reference, that’s something very interesting. It kind of gives insight into that actor who is doing that. It’s very reminiscent of Stuxnet and other families of malware too, because in the case of Stuxnet, one of the references that they had that pointed to it being back to the United States, there was references to the show “Dexter,” and there was references to the show on Showtime and that was something that was very popular here around that time. So that’s how a lot of people here in the states or abroad were able to tie that specific family of malware back to potentially being in East Coast timezone.
LO: Right. Yeah, that’s a that’s really interesting for sure. Definitely a telltale sign there. So I wanted to talk a little bit to before we wrap up about with BEC scams getting more sophisticated, like this one is definitely a wake up call. How can enterprises better protect themselves? Because there’s a bunch of different ways that they can go about educating employees about these types of scams. But I feel like there there are some ways that, there’s different methods and companies seem to be using a variety of different methods, and some of them might work. Some of them might not, I don’t know, but what are you seeing that that’s working?
RT: I would say one of the biggest things is implement DMARC. Although some organizations don’t have it, and it’s one of those very low hanging fruit things have just like at this point in this day and age, like you got to implement DMARC. Another area to help training your users and to not clicking the emails and to kind of give them the information and say, “Hey, here’s how this type of scam works, you need to be aware of this.” That’s another way that they can do it. One of my personal favorites when it comes to helping protect against BEC attacks, is have making sure that your processes and procedure is reflected the possibility that somebody might come into that chain. So for example, if the CFO comes in says, “Hey, can you wire me $50,000?” What is your process look for that? How many people do you have to have sign off on that transaction before it finally goes out? And a lot of cases when you have BEC actors who come in and say, “Hey, I need this wire transfer.” A lot of the reason that the money goes out is because of those failed transactions. That’s because of those failed processes. And by clearly defining your processes by clearly sticking to them, it makes it much less likely to fall victim to these type of things. And if something is suspicious of something saying, hey, I need this wire transfer to go out today. Chances of actually having to go out today is very is rather slim. So unfortunately, a lot of what what we see in BEC is a lot of your basic security practices and a lot of process related things that your security organizations can implement, and just kind of being aware of how they work and kind of being up on the news of how BEC works in general.
LO: Right. And to your point about having those kind of clear communication paths, I’m sure that certainly would help with this specific BEC scam because of kind of the merger and acquisition scenario, you were mentioning earlier that part of the reason why this works is because employees don’t talk to each other about it due to the sensitive nature of it. And that helps you know, the Cosmic Lynx kind of get the scan through and kind of skirt by any sort of detection. So that’s certainly a very good point.
RT: Yeah, and that’s very much one of the things, is that with Cosmic Lynx, they really kind of pushed the cuff on this one to make it that much more difficult for your security organizations, or anybody seeing that to actually try and say, “Hey, I got this weird thing, can you check on it?” Because when you’re being told, “hey, this is confidential, you can’t go talk to anybody on it.” It’s like, your employee now is putting this weird dilemma to where they’re like, “Okay, this is suspicious, but I can’t really say anything about it.” So that’s another thing that plays into this too, is it makes it that much more harder for that end user to see and understand, “okay, this really is a scam.”
LO: Right. Yeah, definitely. Well, I finally wanted to ask you, what is kind of the future of these types of sophisticated BEC scams or of Cosmic Lynx in general? I mean, do you see more of these types of groups emerging that are more advanced than kind of your run of the mill, Nigerian BEC group or, you know, where do you see that going?
RT: So I’ve been tracking BEC for the last five years. A lot of my five years has been trying to have people care about BEC. And I’ve been screaming that this is a problem since $1.2 billion was lost back in 2015. So and right now we’re up to almost like $30 billion, I think I’ve kind of I’ve kind of lost, unfortunately lost count at this. But when it comes to finding BEC, a lot, especially seeing what Cosmic Lynx did, how they did it, a lot of people are now kind of starting to look into say, “Hey, this is a more lucrative way to make money. And all I have to do is ask somebody to send me a wire. And that’s it.” It’s like you don’t have the risk of trying to run our infrastructure. You don’t have to worry about buying a packer to make sure your malware was encoded to be picked up by an endpoint antivirus solution. So a lot of the protections that we have in the industry right now are focused on those malware samples. However, when we go and look at business email compromised, it’s very much a wild wild west, where it’s a very lucrative way for people to make money. And even if you go and look at “Hushpuppi” he’s a great example, where he’s been convicted he’s been in he was indicted for hundreds of millions of dollars in fraud but and he was very brazen with his stuff too and with how he did it so much so that he would post pictures of him and Dubai up on Instagram, he had multiple cars, he had a custom made Rolls Royce. So it’s something where a lot of the actors who were bringing in the money, there’s a lot of money to be made here. And and when you actually look at a lot of the fraud that happens on the malware side, this is a much more lucrative way and easier way to make money that a lot of people just aren’t looking at and that’s the biggest thing that we need is we need a lot more people looking at BEC trying to understand to figure it out. And again, this is coming from the guy who his handle is literally @IHeartMalware so a lot of damage I’ve seen on the BEC side has gone multitudes beyond the stuff I ever saw. Reversing malware.
LO: Right yeah, and I’m sure you know it’s it’s fun to cover to you know, look at malware but these are the attacks that are really hurting a lot of companies though, and they just are coming from emails, like not even needing any sort of malicious code or anything. So, yeah.
RT: And that’s and that’s the biggest thing too is like, we all go and look at our sample. It’s like, Okay, cool. This encrypts the computer system. Or I can look over here on the BEC side, where people are literally taking their lives because they were in the scam for over a decade. So it’s like, Okay, which one is the more important one to me, human life is pretty important. So it’s something where I’m like, okay, maybe we need to figure this one out, instead of staring at binary and bits. So it’s something where it’s trying to refigure our priorities as an industry to say, do we want to go ahead and start fighting this cybercrime over here, which is causing the biggest the biggest piece of the pie, it’s causing the most damage? Or are we going to sit up, come over here and stare at bits and bytes all day? So it’s a matter of trying to refigure how we need to do that as an industry and as an organization.
LO: Right, and I’d be curious how the industry changes in the coming years to you know, see whether that shift in priorities does happen. But Ronnie, thank you so much for coming on today to talk about Cosmic Linx and about BEC and, you know different email based threats.
RT: Yep. Thanks for having me, Lindsey.
LO: Great. And to our listeners. Thank you so much for tuning in with the Threatpost podcasts. If you have any questions or comments about BEC scams or anything that we’ve discussed here today, please don’t hesitate to reach out and comment on our Twitter page @Threatpost and we would love to keep the discussion going with you. So be sure to catch us next week on the Threatpost podcast.