Cosmic Lynx has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since July 2019.
The group differs from most others in that its spear-phishing emails are extremely well written, and it targets organisations that are likely to be discussing “mergers and acquisitions” and that have either not configured DMARC or have weak (or no) sender-verification measures in place.
Cosmic Lynx exploits gaps in DMARC controls to spoof the email addresses of impersonated CEOs, making its attacks appear far more authentic. For organisations that have an established DMARC policy set to reject (p=reject) or quarantine (p=quarantine), Cosmic Lynx instead modifies the display name of the impersonated CEO to include the CEO’s email address, which still gives the impression that the email is coming from the CEO’s account.
Generally the group operates on bulletproof hosting providers that offer arm’s-length domain-name transactions (or accept payment in BTC). Previous campaigns have been observed using the services of Nice IT Group and its associated organisations for infrastructure.
The group then clones a legitimate law firm, going so far as to operate personas of real individuals within that firm, complete with email signatures and bio photos of the impersonated identities.
The initial contact from the group appears to come from a CEO and is directed to a senior manager or managing director. Since the email spoofs the CEO, poorly configured (or absent) spoofing detection passes the email to the recipient, who then sees it as if it came from the real person.
However, the Reply-To header has been set to redirect any reply to a relay address on a hostname with a cosmic theme. Note: this has been observed to have changed recently.
When a target responds to the phish, the impersonator replies as the ‘CEO’ and advises that legal counsel will be in contact shortly. Within minutes, an email arrives from the impersonated law firm (described above), and from there a request for a funds transfer is raised.
Generally, the demand for payment is in the order of tens to hundreds of thousands of dollars; however, targets have also been asked for millions.
Cosmic Lynx’s infrastructure has also been linked to other types of malicious activity, including the Emotet and Trickbot banking Trojans, Android click-fraud malware, a popular carding marketplace, and Russian fake-document websites.
Technique – Email Spoofing (No DMARC)
Not validating that senders really are from the trusted or privileged organisations associated with yours is a recipe for disaster. This tactic exploits the absence of email-spoofing checks and DMARC to pass forged emails into a target organisation.
The Reply-To address has to differ from the forged sender address, and it may well be a typosquat of the forged sender’s address.
If a company has not implemented a DMARC policy, or has a policy set to monitor-only (p=none), Cosmic Lynx directly spoofs the CEO’s email address and sets the Reply-To address to the operational email account it uses to actually correspond with the victim.
If an organisation has an established DMARC policy set to reject (p=reject) or quarantine (p=quarantine), Cosmic Lynx does not spoof the sending email address. Instead, the group changes the display name of the impersonated CEO to include the CEO’s email address, which still gives the impression that the email is coming directly from the CEO’s account (e.g., “John Smith – email@example.com”).
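As an added illustration (not from the original write-up), the following Python script shows the receiving-side heuristics a mail-filtering team would apply to the two variants just described: a From header that claims one of our own addresses while Reply-To points to an outside or look-alike domain, and a display name that embeds an address different from the one the mail actually comes from. OUR_DOMAIN, the sample messages and every domain and name in them are constructed assumptions, not observed indicators.

```python
# Added example (not from the original article): header heuristics for the
# two spoofing variants described above. All domains, names and addresses
# below are constructed placeholders; OUR_DOMAIN is an assumed value.
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

OUR_DOMAIN = "example.com"  # assumption: the protected organisation's own domain
EMAIL_IN_NAME = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot near-miss (typosquat) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_ours(domain):
    """True for a domain within two edits of OUR_DOMAIN that is not OUR_DOMAIN."""
    return domain != OUR_DOMAIN and 0 < edit_distance(domain, OUR_DOMAIN) <= 2


def analyse(raw_message):
    """Return a sorted list of finding names for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = set()
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)

    # p=reject / p=quarantine variant: the display name carries an address
    # that is not the address the mail actually comes from.
    for embedded in EMAIL_IN_NAME.findall(from_name):
        if embedded.lower() != from_addr.lower():
            findings.add("display-name-address-mismatch")
    if looks_like_ours(from_dom):
        findings.add("from-domain-typosquat")

    # p=none / no-DMARC variant: From is spoofed as one of ours, but replies
    # are steered to another domain via Reply-To.
    reply_doms = {domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", []))}
    reply_doms.discard("")
    if reply_doms and reply_doms != {from_dom}:
        findings.add("reply-to-domain-differs")
        if from_dom == OUR_DOMAIN:
            findings.add("internal-from-external-reply-to")
    if any(looks_like_ours(d) for d in reply_doms):
        findings.add("reply-to-typosquat")
    return sorted(findings)


# Constructed sample messages (placeholders, not real observed mail).
SPOOFED_NO_DMARC = (
    "From: \"John Smith\" <john.smith@example.com>\r\n"
    "Reply-To: \"John Smith\" <john.smith@cosmic-mail.example>\r\n"
    "Subject: Confidential - acquisition\r\n\r\nCan you take a call today?\r\n"
)
DISPLAY_NAME_TRICK = (
    "From: \"John Smith - john.smith@example.com\" <j.smith@examp1e.com>\r\n"
    "Subject: Confidential - acquisition\r\n\r\nCan you take a call today?\r\n"
)
LEGITIMATE = (
    "From: \"John Smith\" <john.smith@example.com>\r\n"
    "Subject: Board pack\r\n\r\nAttached.\r\n"
)

if __name__ == "__main__":
    for label, sample in [("no-dmarc", SPOOFED_NO_DMARC),
                          ("display-name", DISPLAY_NAME_TRICK),
                          ("legit", LEGITIMATE)]:
        print(label, analyse(sample))
```

Each finding is deliberately a separate name so that a gateway rule can weight them differently: an internal From with an external Reply-To is a strong signal on its own, whereas a lone near-miss domain may only merit a banner on the message.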
Technique – Email Spoofing (Mailgun)
Another newly observed technique is the use of Mailgun to send emails with a set From address but a different Reply-To address. This effectively permits the same behaviour while using a service that could legitimately be expected to send email to a target organisation.
The Reply-To addresses remain as observed above: domains with a cosmic theme, or themed with words such as security, secure, or even ‘sec’, potentially to socially engineer those who spot the difference.
This method is particularly effective where a target organisation does not validate the sender’s SPF record, or where Mailgun has been permitted to send email on behalf of the forged organisation.
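The following Python example, added here and not taken from the article, Mailgun or any vendor, shows why an SPF pass on its own does not settle the question for mail relayed through a sending service: it parses the Authentication-Results and Return-Path headers of a received message and applies DMARC’s relaxed alignment rule, so an SPF (or DKIM) pass earned by the relaying service’s own domain is not credited to the forged From domain. It goes slightly beyond the text by checking DKIM alignment as well. The sample headers, domains and the two-label organisational-domain approximation are assumptions.

```python
# Added example (not from the original article): DMARC-style alignment check
# for a message relayed through a third-party sending service. Domains,
# addresses and Authentication-Results values are constructed placeholders.
import re
from email import message_from_string
from email.utils import parseaddr

# One method clause, e.g. "spf=pass smtp.mailfrom=a@b.example".
METHOD_RE = re.compile(r"(spf|dkim|dmarc)=(\w+)\s*(.*)")
PROP_RE = re.compile(r"([\w.]+)=(\S+)")


def org_domain(domain):
    """Approximate DMARC organisational domain as the last two labels.
    Assumption for the example; a real implementation uses the public suffix list."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(candidate, header_from_domain):
    """Relaxed DMARC alignment: same organisational domain as the header From."""
    return (bool(candidate) and bool(header_from_domain)
            and org_domain(candidate) == org_domain(header_from_domain))


def parse_auth_results(value):
    """Parse an Authentication-Results header into {method: (result, props)}."""
    results = {}
    for clause in value.split(";")[1:]:      # first segment is the authserv-id
        m = METHOD_RE.match(clause.strip())
        if m:
            results[m.group(1)] = (m.group(2), dict(PROP_RE.findall(m.group(3))))
    return results


def evaluate(raw_message):
    """Work out whether any authenticated identifier aligns with the header From."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_dom = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # SPF is evaluated on the envelope sender (RFC5321.MailFrom), which a
    # relaying service sets to its own bounce domain; fall back to Return-Path.
    spf_result, spf_props = auth.get("spf", ("none", {}))
    mailfrom = spf_props.get("smtp.mailfrom", return_path)
    mailfrom_dom = mailfrom.rsplit("@", 1)[-1] if "@" in mailfrom else mailfrom
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    dkim_dom = dkim_props.get("header.d", "")

    spf_aligned = spf_result == "pass" and aligned(mailfrom_dom, from_dom)
    dkim_aligned = dkim_result == "pass" and aligned(dkim_dom, from_dom)
    return {
        "header_from": from_dom,
        "spf": spf_result,
        "spf_aligned": spf_aligned,
        "dkim": dkim_result,
        "dkim_aligned": dkim_aligned,
        # DMARC passes only when at least one passing identifier aligns.
        "dmarc_pass": spf_aligned or dkim_aligned,
    }


# Constructed samples: a relayed message whose From is forged, and a direct one.
RELAYED_SPOOF = (
    "Return-Path: <bounce+1234@mg.cosmic-notify.example>\r\n"
    "Authentication-Results: mx.example.com; "
    "spf=pass smtp.mailfrom=bounce+1234@mg.cosmic-notify.example; "
    "dkim=pass header.d=mg.cosmic-notify.example; "
    "dmarc=none header.from=example.com\r\n"
    "From: \"John Smith\" <john.smith@example.com>\r\n"
    "Reply-To: <john.smith@secure-cosmic.example>\r\n"
    "Subject: Confidential\r\n\r\nPlease read.\r\n"
)
DIRECT_LEGITIMATE = (
    "Return-Path: <john.smith@example.com>\r\n"
    "Authentication-Results: mx.example.com; "
    "spf=pass smtp.mailfrom=john.smith@example.com; "
    "dkim=pass header.d=example.com; "
    "dmarc=pass header.from=example.com\r\n"
    "From: \"John Smith\" <john.smith@example.com>\r\n"
    "Subject: Board pack\r\n\r\nAttached.\r\n"
)

if __name__ == "__main__":
    print("relayed:", evaluate(RELAYED_SPOOF))
    print("direct: ", evaluate(DIRECT_LEGITIMATE))
```

The relayed sample passes SPF and DKIM for the relay’s own domain yet fails alignment, which is exactly the case a receiver that stops at “spf=pass” would wave through; publishing and enforcing a DMARC policy for the forged domain is what turns that misalignment into a reject or quarantine.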