Cybersecurity researchers have discovered a new phishing campaign crafted by a group of threat actors operating out of Russia. Aimed at large-scale enterprises, the attacks outline a change in tactics and highly sophisticated methods.

A complex and informed email assault

A highly lucrative tool for cybercriminals, Business Email Compromise (BEC) schemes have cost corporations around the word hundreds of millions by fooling personnel into sending funds to criminal-owned accounts.

The new campaign was revealed and documented by researchers based at Agari, who have entitled it Cosmic Lynx. The complex campaign has targeted users located in 46 different countries over six continents to date. Cosmic Lynx employs a mix of deep penetrative research on target enterprises and executive personnel, combined with two bogus emails chains that employ current themes such as the coronavirus to hit its victims.

A shift in cybercriminal strategy

The ring responsible for the Cosmic Lynx campaign appears to have previously employed only malware attacks such as trojans. Researchers at Agari examined the infrastructure behind the email-based assaults and discovered links to both Emotet and Trickbot campaigns and say that this move to phishing schemes is a sign that cybercriminal outfits are changing tactics.

Agari’s senior director for threat research, Crane Hassold, commented:

“A Russian cybercrime organization moving into the BEC space is significant because it shows that more advanced attackers are realizing the return on investment for BEC attacks is significantly greater than more technically sophisticated email-based attack.”

On top of this, the Russian gang is crafting ever more sophisticated attacks using its skills and experience to make it more difficult for potential targets to detect them and raise the alarm. Hassold added:

“Unlike traditional BEC groups, Cosmic Lynx has demonstrated the capability to develop much more complex and creative attacks that sets them apart from other more generic BEC attacks we see every day.”

Anatomy of an attack

The new campaign targets personnel in executive positions such as managing director or vice president, and uses a spoof email that appears legitimate originating from the targeted enterprise’s CEO.

In almost every recorded case, the first spoofed emails sent involve the supposed acquisition of a company based in Asia, with the recipient told the matter is secret and should not be discussed with others. To initiate a rapid response, the email also informs that the situation is time sensitive.

Unlike most BEC scams reported, researchers observed that the email content used in the new phishing scheme was of a much higher calibre. Messages were well-written and contained correct use of financial and business terminology in the appropriate context.

After the first email the bogus CEO CCs a lawyer to assist with completing the financial transactions. The emails appear to be from real law firms, using details of real UK practices but in fact are also run by Cosmic Lynx. Using next level deception, the Russian ring mimics the communication style and real language adopted by the law firm in public communications.

Researchers warn that cybersecurity experts will need to develop new methods to beat these advanced attacks, and that simply trying to block them will no longer be an effective defence.