Russian Threat Actor Targets Fortune 500 Companies in BEC Scam

Cosmic Lynx: A new Russian cybercrime group named Cosmic Lynx has been targeting Fortune 500 companies over the past year in a new BEC (Business Email Compromise) scam. Most BEC scams come from Nigerian actors and target companies of any size, relying on basic social engineering tactics to trick their victims into completing fraudulent wire transfers for financial gain. In this newest campaign, the Russian actors use a creative and complex phishing scheme to trick top-level managers at large, multi-national companies into completing wire transfers averaging over one million US dollars each. The group is responsible for over 200 different attacks. The two-step attack begins with the threat actor impersonating the CEO of the target company and asking the managers to close an acquisition with a Chinese company. The email instructs the recipient that they will be working with a lawyer in the United Kingdom to finalize the transaction. In the second step of the attack, the threat actor pretends to be the lawyer from the United Kingdom by hijacking the identity of a real lawyer and instructs the original victim where to send the money via wire transfer. By registering fake domains, the threat actor sets up a legitimate-looking website to impersonate a real law firm. Most BEC attacks target companies for tens of thousands of dollars, but in the case of Cosmic Lynx, they are attempting to extort an average of $1.27 million USD from their victims. The level of technical ability is higher with Cosmic Lynx than with other BEC scammers, and they control the entire email infrastructure that is being used. Cosmic Lynx has been linked to the Russian criminal underground through the overlap of IP addresses used in the BEC scheme that have also been used in Android click fraud scams and Trickbot campaigns by Russian criminals.

Analyst Notes

The group has used NiceVPS, a “bulletproof” hosting service that does not respond to law enforcement requests, as well as an anonymous domain registration service for their fake websites. NiceVPS advertises its service as “Uncensored Bulletproof Hosting… Professional hosting for High-Risk Business.” The anonymous registration keeps Cosmic Lynx's identity from being disclosed. This BEC scam targets bigger corporations for more money than most other BEC scams, and the group is careful about which countries they send the stolen money to. They avoid the United States when doing the transfer and rely heavily on Hong Kong. Preventing BEC scams is crucial within big organizations, which stand to lose significant amounts of money resulting from a single employee mistake. The two-step process in this attack makes the victim believe that the transfer is being initiated by the CEO. By doing this, the threat actors rely on the victim not confirming the transfer, thinking that has already been done by the CEO. In any case, money transfers within an organization should always be confirmed through a multi-step process to avoid BEC attacks, no matter who initiates the transfer. Configuring DMARC to reject spoofed email messages, combined with filtering that flags messages where the email address in the “display name” does not match the email address in the “from” field, is a useful security control. It is also helpful to detect when the CEO or the names of other executives are used in the “from” field of email messages originating from outside the organization. Typosquatting domain monitoring from the Binary Defense Counterintelligence team can also detect the creation of fraudulent websites and identify when mail servers have been set up with these domains that could be used in attacks such as these.
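The two mail-filtering checks described in the notes above (a display name that carries an email address different from the real sender address, and an executive's name on a message from an external domain) together with a check that a published DMARC record actually carries a reject policy, as an added example that is not part of the original post or of any Binary Defense product. The organization domain `example.com`, the executive names, and every sample header and DMARC record below are constructed for the example.

```python
"""Constructed example: flag the BEC indicators from the analyst notes on
sample From: headers, and parse a DMARC TXT record to confirm p=reject."""
import re
from email.utils import parseaddr

# Assumed organization domain and executive display names (constructed).
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe", "john smith"}

_EMBEDDED_ADDR = re.compile(r"[\w.+-]+@[\w.-]+")


def check_from_header(from_value, internal_domain=INTERNAL_DOMAIN,
                      executives=EXECUTIVE_NAMES):
    """Return the list of indicators triggered by one From: header value."""
    display, addr = parseaddr(from_value)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    external = domain != internal_domain.lower()
    findings = []

    # Indicator 1: the display name embeds an email address that is not the
    # real sender address (display-name spoofing of a trusted mailbox).
    embedded = _EMBEDDED_ADDR.search(display)
    if embedded and embedded.group(0).lower() != addr:
        findings.append("display-name address mismatch")

    # Indicator 2: an executive's name appears in the From: field of a
    # message whose sender domain is outside the organization. Dots,
    # underscores and dashes are folded to spaces so "jane.doe" still matches.
    normalized = re.sub(r"[._-]+", " ", display.lower())
    if external and any(name in normalized for name in executives):
        findings.append("executive name on external sender")
    return findings


def scan_from_headers(header_lines):
    """Map each raw 'From: ...' header line to its list of indicators."""
    results = {}
    for line in header_lines:
        value = line.split(":", 1)[1].strip() if ":" in line else line
        results[line] = check_from_header(value)
    return results


def dmarc_policy(txt_record):
    """Return the p= tag of a DMARC TXT record, or None if it is not DMARC.

    The record is the string published at _dmarc.<domain>; 'reject' is the
    setting the notes recommend, 'none' only monitors and blocks nothing.
    """
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p")


# Constructed sample headers: one legitimate internal sender, one lookalike
# external domain using the CEO's name, one display-name spoof.
SAMPLE_HEADERS = [
    'From: "Jane Doe" <jane.doe@example.com>',
    'From: "Jane Doe" <ceo.office@mail-example.co>',
    'From: "jane.doe@example.com" <attacker@freemail-example.net>',
]

if __name__ == "__main__":
    for header, hits in scan_from_headers(SAMPLE_HEADERS).items():
        print(header, "->", hits or "clean")
    print("DMARC policy:", dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

The display-name check deliberately compares the embedded address against the parsed sender address rather than looking for "@" alone, so a signature-style display name that repeats the sender's own address is not flagged. Folding punctuation before the executive-name match catches the common `first.last` form without a separate rule.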

More can be read here: