The Rise of the First-Ever Russian BEC Group Cosmic Lynx

Cybercriminals are increasingly shifting their focus to socially engineered email fraud. In July, researchers at the email security company Agari identified Cosmic Lynx, the first reported Russian cybercriminal ring found conducting sophisticated email fraud.

A new class of money cons

Cosmic Lynx is a polished scammer group that has launched sophisticated, well-researched scam operations. In its Business Email Compromise (BEC) scams, Cosmic Lynx adds a further layer of perceived legitimacy and uses the DMARC records of prospective victims to select its targets and its method of attack.
  • Cosmic Lynx forges a fake merger-and-acquisition scenario that requires a two-fold impersonation scheme involving the target organization’s CEO and its external legal counsel.
  • The group asks a targeted senior executive (such as a Vice President, General Manager, or Managing Director) to work with “external legal counsel” to coordinate the payments needed to close the purported acquisition.
  • The group then impersonates a real lawyer and sends an introductory email to the victim giving an overview of the procedure.
  • Finally, Cosmic Lynx convinces the target employee to send payments to mule accounts in Hong Kong, with secondary accounts located in Hungary, Portugal, and Romania.
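Because the group reads a target's DMARC record to decide how to attack, a defender's first check is whether their own domains publish an enforcing policy. The example below is added here and is not code from the article or from Agari: it parses constructed DMARC TXT records (the sample domains and the "exposed / partial / protected" labels are this example's own convention, not Agari's) and reports how much protection each record gives against a spoofed From: address.

```python
# Constructed sample DMARC records for illustration (not from the article).
# In DNS these live as TXT records at _dmarc.<domain>.
SAMPLE_RECORDS = {
    "example-a.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-a.test",
    "example-b.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-b.test",
    "example-c.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-d.test": None,  # no record published at all
}


def parse_dmarc(record):
    """Split a DMARC TXT record into a tag dict; None if missing or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_spoofability(record):
    """Return (label, reason) describing exposure to direct From: spoofing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "exposed", "no valid DMARC record; spoofed mail is not rejected"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "exposed", "p=none only monitors; spoofed mail is still delivered"
    if policy == "quarantine" or pct < 100:
        return "partial", f"p={policy} pct={pct}; some spoofed mail may reach inboxes"
    return "protected", "p=reject at pct=100; receivers should reject spoofed mail"


def audit(records):
    """Map each domain to its exposure label, for a quick fleet-wide overview."""
    return {domain: assess_spoofability(rec)[0] for domain, rec in records.items()}


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        label, reason = assess_spoofability(rec)
        print(f"{domain}: {label} ({reason})")
```

Replacing the constructed dictionary with real TXT lookups of `_dmarc.<domain>` turns this into an audit of the domains you are responsible for.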

Innovation for profit

Cosmic Lynx has a well-defined victim profile consisting of large, multinational corporations. The group goes after large payouts and launches attacks of a complexity not seen before.
  • In March, Cosmic Lynx began exploiting COVID-19 themes in its BEC attacks.
  • Since July 2019, Cosmic Lynx has targeted professionals in 46 countries across six continents and launched more than 200 BEC attacks, asking for large sums (hundreds of thousands or even millions of USD).

The Russian link

Here are some facts that support the assessment that Cosmic Lynx is based in Russia.
  • Cosmic Lynx relies on infrastructure that has also been linked to campaigns by the Russian-linked Emotet and TrickBot malware families and to fake Russian document websites.
  • The metadata of documents delivered to victims contained Russian cultural references and timestamps set to Moscow Standard Time.