Business Email Compromise (BEC) Criminal Ring

A criminal group called Cosmic Lynx seems to be based in Russia:

Dubbed Cosmic Lynx, the group has carried out more than 200 BEC campaigns since July 2019, according to researchers from the email security firm Agari, particularly targeting senior executives at large organizations and corporations in 46 countries. Cosmic Lynx specializes in topical, tailored scams related to mergers and acquisitions; the group typically requests hundreds of thousands or even millions of dollars as part of its hustles.

[…]

For example, rather than use free accounts, Cosmic Lynx will register strategic domain names for each BEC campaign to create more convincing email accounts. And the group knows how to shield these domains so they’re harder to trace to the true owner. Cosmic Lynx also has a strong understanding of the email authentication protocol DMARC and does reconnaissance to assess its targets’ specific system DMARC policies to most effectively circumvent them.

Cosmic Lynx also drafts unusually clean and credible-looking messages to deceive targets. The group will find a company that is about to complete an acquisition and contact one of its top executives posing as the CEO of the organization being bought. This phony CEO will then involve “external legal counsel” to facilitate the necessary payments. This is where Cosmic Lynx adds a second persona to give the process an air of legitimacy, typically impersonating a real lawyer from a well-regarded law firm in the United Kingdom. The fake lawyer will email the same executive that the “CEO” wrote to, often in a new email thread, and share logistics about completing the transaction. Unlike most BEC campaigns, in which the messages often have grammatical mistakes or awkward wording, Cosmic Lynx messages are almost always clean.
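The excerpt says the group inspects a target's DMARC policy to learn how forgiving it is before choosing a spoofing approach. The script below, an added example and not code from the post, from Agari or from the group it describes, runs that same check from the defender's side over your own domain's record: it parses the DMARC TXT record and flags a monitor-only policy (p=none), partial enforcement via pct, a subdomain policy looser than the main one, and a missing aggregate-report (rua) address. The sample records and the .test domain names are constructed placeholders; the live-lookup helper assumes dnspython is installed and is not exercised by the offline run.

```python
"""
Added example: a small DMARC policy checker for a domain you own.
Sample records below are constructed; the .test domains are placeholders.
"""
from typing import Dict, List

# Strength order of the three DMARC disposition values.
_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record such as 'v=DMARC1; p=reject; rua=...'
    into a lower-cased tag -> value dictionary."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return a list of findings; an empty list means nothing weak was found."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers have no policy to apply to spoofed mail"]

    findings: List[str] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failures are only reported, never quarantined or rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail can still land in a spam folder the target may read")
    elif policy != "reject":
        findings.append(f"p={policy or '<missing>'}: no usable policy")

    # pct defaults to 100; anything lower leaves a share of failing mail unpoliced.
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: only {pct}% of failing messages are subject to the policy")

    # sp defaults to p; a weaker sp leaves subdomains open to impersonation.
    sub_policy = tags.get("sp", policy).lower()
    if _POLICY_RANK.get(sub_policy, -1) < _POLICY_RANK.get(policy, -1):
        findings.append(f"sp={sub_policy}: subdomains are policed more loosely than the main domain")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected, so spoofing goes unnoticed")

    return findings


def fetch_dmarc_record(domain: str) -> str:
    """Live lookup of _dmarc.<domain> TXT via dnspython (assumed installed).
    Returns '' when no record exists. Not used by the offline demo below."""
    import dns.resolver  # lazy import so the module loads without dnspython
    try:
        answers = dns.resolver.resolve(f"_dmarc.{domain}", "TXT")
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return ""
    for rdata in answers:
        text = b"".join(rdata.strings).decode("utf-8", "replace")
        if text.upper().startswith("V=DMARC1"):
            return text
    return ""


# Constructed sample records (placeholder domains) for an offline run.
SAMPLE_RECORDS = {
    "weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@weak.test",
    "partial.test": "v=DMARC1; p=reject; pct=50; sp=none; rua=mailto:dmarc@partial.test",
    "strong.test": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.test; adkim=s; aspf=s",
    "missing.test": "",
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        findings = assess_dmarc(record)
        print(f"{domain}: {'OK' if not findings else ''}")
        for finding in findings:
            print(f"  - {finding}")
```

To check a real domain you control, pass `fetch_dmarc_record("yourdomain")` to `assess_dmarc`; an empty finding list means the record is at p=reject with full enforcement and reporting. Note that DMARC only governs mail claiming to come from your own domain: a lookalike domain registered by the sender, as the excerpt describes, passes its own DMARC checks, so this check has to be paired with lookalike-domain monitoring and out-of-band payment verification.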

Posted on July 10, 2020 at 6:12 AM • 9 Comments

Comments

Clive Robinson July 10, 2020 8:02 AM

@ ALL,

    “Unlike most BEC campaigns, in which the messages often have grammatical mistakes or awkward wording, Cosmic Lynx messages are almost always clean.”

That’s where you find that,

    If it looks like a duck, waddles like a duck, and quacks like a duck, it’s a duck

Reasoning lets you down and only later do you find out that not only was it a goose, but you got goosed…

This is not the first time this sort of thing has happened with technology. I think the first technology one was with Fax machines, but we know back in Queen Elizabeth 1st of England’s reign that falsifying letters and seals was a speciality of her spymaster. So it’s likely that letters of marque etc had been forged at some point.

Funny how old tricks just need that bit of polish to a fine finish to become new again…

But the lesson to learn is always double check your instincts, especially when it could save you not just money but your job and reputation…

Chris July 10, 2020 11:05 AM

I’ve always found scam mails with lots of grammar mistakes or bad typography particularly insulting. Although, I read somewhere that this is likely intentional – if one is blind enough to not see the red flags the mistakes raise, one is more likely to not realize it is a scam.

MikeA July 10, 2020 11:32 AM

@Clive: So, Richelieu (or maybe Voltaire) should have said something more like

… six lines allegedly written by the hand …

@Chris:

You choose your bait to entice the prey you seek. A firehose campaign “from” a deposed president for life has a different target than a narrowly targeted attack on C-level executives and their companies.

What I wish is that banks, insurance companies, and government entities would stop making their real missives such “obvious fakes”, right down to coming from one third party with no verifiable (or even apparent) connection to the alleged principal, and including links to other third- (fourth?) parties with again no connection.

Why is it a goal to train the average person to just click “I Agree” and “get on with it”?

Thunderbird July 10, 2020 1:11 PM

    I’ve always found scam mails with lots of grammar mistakes or bad typography particularly insulting. Although, I read somewhere that this is likely intentional – if one is blind enough to not see the red flags the mistakes raise, one is more likely to not realize it is a scam.

It makes a lot of sense when you consider that the scams are pretty obvious and you’re fishing with millions of emails for “a few good men.” That approach doesn’t make sense when you shift over to a con against a single fat target. In that case you do not want to scare off the smart ones, because there is only one.

vas pup July 10, 2020 1:58 PM

Something related to cybercrime and fraud:

Hushpuppi’s lawyer says FBI ‘kidnapped’ Nigerian Instagrammer from Dubai
https://www.bbc.com/news/world-africa-53361490

How e-mail scams usually work:

“◾An individual may contact you via e-mail, explaining he needs help to transfer money
◾Will tell you that political turmoil or a natural disaster makes it difficult for him to make the transfer
◾Will ask you to give him your financial details so that he can transfer the money into your account
◾This allows him to access and steal from your account
◾Be careful what you post on social media and dating sites as scammers use the details to better understand you and target you.”

Before Internet, they sent many fraud letters with similar pretext around the globe.

Thank you, FBI! Good job, even if not all procedural things were kosher.

Chris July 10, 2020 4:32 PM

I find it very strange that people on this security blog take such a personal stand in this Covid-19 arena.

I don’t even see how it has anything to do with computer security one way or the other, and I am not trolling.

However, if we are to discuss it, what I’ve seen this week is:

  • I have been here much longer than you have
    and I know more about science than you do kind of nonsense.

Seriously?
I am not a scientist but I know bullshit for what it is, and telling trollers to stop trolling by trolling is not very scientific.

1&1~=Umm July 10, 2020 4:57 PM

@chris:

“I dont even see how it has anything to do with Computer security one way or the other”

COVID-19 has been the largest shake up of the West in particular the US and Europe in over a century.

Much of the population is not in their normal places of work. Whilst some cannot work from home, many are trying to.

From an ICT Security point of view this has broken the traditional perimeter security model where internal networks are protected ‘at the gateway’ by Firewalls and other intrusion sensing/preventing devices as well as a uniform AV policy and regular patching.

Now workers are on home PCs that are complete unknowns to the ICT staff, especially those responsible for security. Many if not most of those home PCs are way more vulnerable than the office PCs, even if the latter were not behind a security perimeter.

If you think this does not present a major security concern, then I do not know what you think would.

There have been at least two threads on this blog specifically highlighting security issues and COVID-19, which you must have seen if you’ve been a regular reader for more than a few months.

Impossibly Stupid July 10, 2020 6:00 PM

    the group typically requests hundreds of thousands or even millions of dollars

    The group will find a company that is about to complete an acquisition and contact one of its top executives

Dear CEOs with the resources to close multi-million dollar deals:

At least hire an IT staff competent enough to set you up with a disposable email address just for messages related to that transaction. Nobody who isn’t a key player should get it. Ignore (or investigate) any attempts to use a public/published address to gain anything of value.

Peaceforth July 12, 2020 7:28 PM

Don’t these companies have a policy to confirm this kind of high risk activity with a phone call?
