Russian Group Called “Cosmic Lynx” Exposed for Massive BEC Operation

  • The “Cosmic Lynx” actor has launched over 200 BEC campaigns during the past 12 months.
  • The Russian group of hackers was making more than a million USD from each targeted transaction.
  • The same group is involved with banking trojans, click-fraud apps for Android, and carding forums.

Agari researchers have discovered a new BEC (business email compromise) group of Russian cybercriminals, and they’re calling them “Cosmic Lynx.” The operation’s size is dizzying, counting over two hundred individual campaigns since July 2019, which targeted companies and individuals in 46 countries. As shown in the map below, Cosmic Lynx made no exceptions other than Russia, hitting most developed countries worldwide. They mainly went after big companies and multinational organizations in the “Fortune 500” and “Global 2000” lists.

[Map: countries hit by Cosmic Lynx campaigns. Source: Agari]

BEC works best when the attacker manages to grab the credentials of those highest in an organization’s hierarchy, because emails sent from these accounts have a far better chance of achieving the goal. Thus, Cosmic Lynx mainly targeted the Managing Directors, Vice Presidents, and General Managers of the companies.

[Chart: job roles targeted by Cosmic Lynx. Source: Agari]

As for how first contact is made, the group obviously uses many custom tricks, all of them some form of social engineering trap. In one case, for example, they impersonated a UK-based law firm, urging the recipient to discuss payment details with an “external legal counsel.” That person then sent bank account details pointing to a money mule in Hong Kong, diverting a $1.55 million payment to the actors in that single case. Overall, Cosmic Lynx had an average attack request of $1.27 million, whereas the average for BEC scammers in general is “only” $55k.

[Image: sample Cosmic Lynx BEC email. Source: Agari]

To succeed when targeting the “big fish,” one must take care of every detail, even the smallest. For this reason, Cosmic Lynx leaves nothing to chance. They register domains that can be used to spawn email accounts mimicking the entities they need to impersonate, and they exploit gaps in DMARC controls to spoof CEOs’ email addresses. They also register the domains through NiceVPS, an anonymous provider.
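The two weaknesses described above, a domain with no enforcing DMARC policy and a registered lookalike domain, are both things a defender can check for. The following is an added example, not code from the article or from Agari; it evaluates constructed DMARC records embedded inline (no DNS lookups are made) and flags sender domains that closely mimic a legitimate one.

```python
from difflib import SequenceMatcher

# Constructed sample DMARC TXT records, as a DNS lookup of _dmarc.<domain>
# would return them. These are illustrative only, not real domains.
SAMPLE_DMARC_RECORDS = {
    "victim-corp.example": "v=DMARC1; p=none; rua=mailto:dmarc@victim-corp.example",
    "hardened-corp.example": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened-corp.example",
    "partial-corp.example": "v=DMARC1; p=quarantine; pct=25",
    "no-record.example": "",
}

def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or {} if absent or invalid."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags

def spoofing_risk(domain, records=SAMPLE_DMARC_RECORDS):
    """Classify how exposed a domain is to direct From-address spoofing."""
    tags = parse_dmarc(records.get(domain, ""))
    if not tags:
        return "no-dmarc"            # receivers get no instruction to reject spoofed mail
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor-only"        # reports only; spoofed mail is still delivered
    if pct < 100:
        return "partial-enforcement" # only a fraction of failing mail is acted on
    return "enforced"

def is_lookalike(sender_domain, legit_domains, threshold=0.85):
    """Flag a sender domain that closely mimics one of the legitimate domains.

    Exact matches are not lookalikes; near matches (e.g. one swapped
    character) exceed the similarity threshold and are flagged.
    """
    sender = sender_domain.lower()
    for legit in legit_domains:
        legit = legit.lower()
        if sender == legit:
            return False
        if SequenceMatcher(None, sender, legit).ratio() >= threshold:
            return True
    return False
```

In practice the record for `spoofing_risk` would come from a TXT query of `_dmarc.<domain>`, and the legitimate domain list from the organization’s own inventory of brands and partners.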

Besides the BEC campaigns, the same actors have been confidently linked with operations deploying the Emotet and Trickbot banking trojans and with spreading click-fraud malware on the Android platform. Moreover, they have also been linked with the operation of a popular Russian carding marketplace on the dark web and with various fake-document websites that help other actors launch malicious campaigns. Thus, Cosmic Lynx is an actor active across numerous fields, with a substantial direct or indirect impact on a series of cyber-crime operations.
