Agari: The Russian Cosmic Lynx cybercrime ring stole millions of dollars from companies in 46 countries with BEC attacks
It has been dubbed Cosmic Lynx, and it is a Russian cybercrime ring that stole millions of dollars from companies in 46 countries. It was discovered by Agari cyber security experts, who published a report on the gang. According to the researchers, the malicious hackers moved some time ago from classic TTPs (banking trojans, malware, tools) to highly professional Business Email Compromise (BEC) attacks. They specifically target only senior executives at Fortune 500 or Global 2000 companies: three quarters of the victims, in fact, hold the title of General Manager, Managing Director or Vice President. The group puts a new spin on BEC phishing by fabricating fake merger-and-acquisition scenarios that require a two-fold impersonation scheme involving the target organization’s CEO and external legal counsel.
How the BEC scam works, according to the cyber security experts
According to the cyber security experts, Cosmic Lynx asks target employees to work with “external legal counsel” to coordinate the payments needed to close the purported acquisition. The cybercrime ring then impersonates a legitimate attorney, typically at a UK-based law firm, whose job it is to facilitate the transaction. It then moves the stolen funds through money mule accounts in Hong Kong, with secondary accounts located in Hungary, Portugal, and Romania; the group has actively avoided using money mule accounts in the U.S. Moreover, their email communications are not riddled with the grammatical errors or misspelled words that might ring alarm bells for a recipient. Instead, they are detailed and use vocabulary that would not look out of place coming from a typical CEO. Furthermore, some of the messages open with a paragraph about the current COVID-19 situation to reinforce trust with the victim.
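The pattern described above (an executive's display name on an outside mailbox, a hand-off to "external legal counsel", an M&A pretext and wire instructions to an overseas account) can be turned into simple mail-gateway heuristics. The following is an added example, not code from Agari or the report; the organisation, executive list, domains and sample messages are all constructed.

```python
import re

# Constructed reference data for a hypothetical organisation (not from the Agari report).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real mailbox
# Wording that characterises the fake-acquisition / outside-counsel pretext.
PRETEXT_TERMS = ("acquisition", "merger", "external legal counsel", "strictly confidential")
PAYMENT_TERMS = ("wire", "swift", "iban", "account number")


def parse_address(header):
    """Split 'Name <user@host>' into (name, address), both lowercased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def domain_of(addr):
    return addr.rsplit("@", 1)[-1]


def score_bec(msg):
    """Return (score, reasons) for a dict with 'from', optional 'reply_to', 'subject', 'body'."""
    reasons = []
    name, addr = parse_address(msg["from"])
    text = (msg.get("subject", "") + " " + msg.get("body", "")).lower()
    # Known executive's display name, but the mailbox is not that executive's real one.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("executive display name on foreign mailbox")
    # Replies are routed to a domain other than the one the mail claims to come from.
    _, reply = parse_address(msg.get("reply_to") or msg["from"])
    if domain_of(reply) != domain_of(addr):
        reasons.append("reply-to domain differs from sender domain")
    # Two or more pretext phrases: fake M&A plus "work with outside counsel".
    hits = [t for t in PRETEXT_TERMS if t in text]
    if len(hits) >= 2:
        reasons.append("M&A / legal-counsel pretext: " + ", ".join(hits))
    # Payment instructions pointing at a bank in Hong Kong, the mule location named in the report.
    if any(t in text for t in PAYMENT_TERMS) and "hong kong" in text:
        reasons.append("wire instructions to overseas account")
    return len(reasons), reasons


# Constructed sample messages: spoofed CEO, spoofed counsel, and a benign internal mail.
SAMPLE_CEO = {"from": '"Jane Doe" <jane.doe@example-corp-secure.com>',
              "reply_to": "jane.doe@example-corp-secure.com",
              "subject": "Strictly confidential - acquisition",
              "body": "We are closing an acquisition; please work with our external legal counsel."}
SAMPLE_COUNSEL = {"from": '"Mark Smith" <m.smith@lawfirm-example.co.uk>',
                  "reply_to": "m.smith@lawfirm-example-mail.com",
                  "subject": "Acquisition closing - strictly confidential",
                  "body": "Please wire the closing payment to the account number below (Hong Kong)."}
SAMPLE_BENIGN = {"from": '"Jane Doe" <jane.doe@example-corp.com>',
                 "subject": "Team lunch", "body": "Lunch is on Friday at noon."}
```

Running `score_bec` over the three samples gives scores of 2, 3 and 0 respectively; a real deployment would feed the reasons into the gateway's quarantine or user-warning policy rather than act on the number alone.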