In the first reported case of its kind, a phishing ring in Eastern Europe is exploiting companies’ own Domain-based Message Authentication, Reporting and Conformance (DMARC) controls to impersonate CEOs in business email compromise (BEC) scams worth millions.
As detailed in our new threat actor dossier on a group we call Cosmic Lynx, the Agari Cyber Intelligence Division (ACID) has identified the first known Russian cybercrime group to conduct BEC attacks. During its investigation, the ACID team documented more than 200 Cosmic Lynx BEC scams targeting large, multinational companies in 46 countries just within the last 12 months.
BEC has emerged as one of the costliest forms of cybercrime, accounting for more than $26 billion in business losses since 2016. Because these attacks employ social engineering ploys instead of malicious links or malware, they easily evade signature-based email security controls. And while the typical BEC scam nets $55,000, Cosmic Lynx has developed a mergers-and-acquisitions ruse that can net tens of millions of dollars.
Cosmic Lynx is also the first group known to specifically factor a targeted company’s level of DMARC adoption, or lack thereof, into its plans to impersonate corporate executives in the emails that drive its schemes. For companies that fall prey, the result can be as calamitous as it is preventable. Yet most organizations leave themselves wide open to attack.
First introduced in 2012, DMARC was developed by a group of industry leaders that includes Agari founder and CEO Patrick Peterson.
At its most essential DMARC is an open standard email authentication protocol that enables email receiver systems to recognize when an email isn’t coming from a specific company’s approved domains, and gives the company the ability to tell email receiver system what to do with these unauthorized email messages.
Its most aggressive enforcement policy is reject (p=reject), which means that email messages that do not pass DMARC authentication will be rejected by a mail server and not delivered to its intended recipient.
When implemented with this enforcement level, DMARC has proven effective at thwarting fraudsters seeking to pirate an organization’s domains to launch phishing-based brand impersonation scams targeting its customers, partners, and the general public.
But the vast majority of companies have yet to implement DMARC, including 85% of the Fortune 500—a fact Cosmic Lynx leverages to maximum effect.
As we report in our Q1 ’20 Email Fraud & Identity Deception Trends Report, most BEC groups leverage free webmail accounts or registered domains to send malicious emails.
But Cosmic Lynx is part of the 4% of all attacks to exploit organizations that do not have an established DMARC policy. Hijacking an organization’s domains enhances the voracity of email messages by directly spoofing a legitimate corporate email address, including that of the CEO, when possible.
Based on our analysis, Cosmic Lynx is the first threat group known to actively assess and then act on a targeted organization’s level of DMARC adoption.
If a company has not implemented a DMARC policy, or has a policy set to monitor only (p=none), Cosmic Lynx will directly spoof the CEO’s email address and set the Reply-To email to the operational email account the fraudsters use to correspond with recipients it hopes to victimize through the impersonation.
But if the organization has an established DMARC policy set to reject or quarantine (p=quarantine), Cosmic Lynx will forego spoofing the sending email address. Instead, the group settles for changing the display name to include the impersonated CEO’s email address (e.g., “John Smith – email@example.com”), which at least offers some appearance of legitimacy.
There’s another troubling aspect to Cosmic Lynx relative to DMARC. It turns out that while the group is more than happy to spoof a company’s email infrastructure to target the organization or others in a BEC attempt, Cosmic Lynx isn’t so keen to having someone spoof its own domains.
By implementing properly configured DMARC policies itself, the group is able to monitor any attempts at spoofing its domains, just as any legitimate enterprise would do. It also helps prevent spam bots and other parties from being able to piggyback on the reputation of the group’s sending domains, which would negatively impact the reputation if those domains and reduce the likelihood that its malicious emails would reach their intended targets.
And there’s more. Cosmic Lynx’s DMARC-enabled domains are configured to send spoofs to abuse@(domain), with variations that include legal@(domain), and dmarc@(domain). This serves two rather devious purposes. Yes, Cosmic Lynx receives a copy of any emails attempting to impersonate its domains. But the approach also adds an appearance of legitimacy that can help fool organizations investigating their domains into refraining from reporting fraud attacks against them.
That last part may be especially instructive. If cybercriminals are using DMARC to protect themselves from impersonation, why are only 15% of all corporate domains likewise defended, especially when phishing-based impersonation attacks can result in lost business, lawsuits and reputational damage?
Part of the reason is that while attaching a DMARC record to a domain is a relatively simple proposition, implementing DMARC across an enterprise’s total universe of domains—which can span hundreds or even several thousand domains—can be cumbersome and complicated.
But according to a study from Forrester Research, DMARC deployments using automated implementation tools have been shown to drive phishing-based brand impersonations to near zero almost instantly.
Of course, there may be another less obvious reason to implement DMARC, post haste. Given Cosmic Lynx’s analytical acumen, it’s possible that a lack of DMARC protections signal that an organization is also lax about employing the kind of identity-based phishing defenses required to block BEC attacks spoofing its own or other companies’ legitimate domains.
Just the fact that an Eastern European cybercriminal organization is now engaging in BEC scams, until now the prevue of less-sophisticated email fraud rings in West Africa, is cause enough for concern. The fact that this organization is actively modulating its BEC attacks based on the status of an organization’s DMARC regime?
That should be setting off alarms the world over.
To learn more about how Cosmic Lynx exploits DMARC in its phishing attacks, download our new threat actor dossier, Cosmic Lynx: The Rise of Russian BEC.