Cosmic Lynx the First Russian Gang to Enter the BEC Game
The average amount stolen in a business email compromise (BEC) scam increased 48% during the second quarter 2020, even though the number of attack incidents decreased during that period, according to a report by the Anti-Phishing Working Group (APWG).
The APWG report states that in the second quarter of 2020 the average amount siphoned from enterprises through wire transfers resulting from a BEC incident rose to $80,183, up from $54,000 in the first quarter of 2019. At the same time, the number of phishing sites associated with these scams detected in the second quarter dipped to 146,994, compared to 165,772 during the previous quarter.
“It’s no surprise that BEC is on the rise. At a time when employees are working remotely, it is more difficult than ever to verify with a colleague whether the request is legitimate. When it appears to be urgent, most people will fall for such scams,” says Joseph Carson, chief security scientist and advisory CISO at the security firm Thycotic.
The FBI reported 24,000 BEC scams in 2019 with enterprises losing $1.7 billion for an average loss of $72,000, according to a report issued in February (see: FBI: BEC Losses Totaled $1.7 Billion in 2019).
Russia Enters the BEC Game
The security firm Agari, an APWG member, identified in the report the first operational Russia-based BEC gang, which it named Cosmic Lynx. This cyber gang uses a combination of social engineering techniques and well-crafted email messages that target a firm’s executive management with the pretext that the target organization is preparing to close an acquisition with an Asian company as part of a planned corporate expansion, APWG notes.
“Agari has observed more than 200 BEC campaigns linked to Cosmic Lynx since July 2019, which have targeted individuals in 46 countries. Cosmic Lynx attacks large multinational organizations, many of which are Fortune 500 and Global 2000 companies,” the report notes.
Cosmic Lynx has stolen as much as $1.27 million in a single BEC attack, the APWG report states.
“We were expecting that Russian cybercriminals would move into the world of BEC because the return on investment for basic social engineering attacks is much higher than launching more sophisticated (and more expensive) malware-based attacks,” says Crane Hassold, senior director of threat research at Agari.
Second Quarter BEC Trends
OpSec Security, an APWG member, noted that software-as-a-service (SaaS) and webmail remained the sectors most affected by phishing attacks in the second quarter of 2020, with their users on the receiving end of 35% of all attacks in the quarter, up 20 percent from the previous quarter, says Stefanie Wood Ellis, anti-fraud product and marketing manager at OpSec Online.
APWG reports that free webmail service providers are used most frequently by cybercriminals to carry out BEC scams with 72% of all such attacks in the second quarter originating from such a service. This is up from 61% in the first quarter of 2020. Gmail was the favorite with half of all attacks using this product.
Enterprise mobile phishing encounter rates surged 37% between the last quarter of 2019 and the first quarter of 2020, according to a report published by the security firm Lookout.
“It’s harder to spot a spear-phishing attack on mobile than it is on a desktop. Mobile devices have smaller screens and a simplified user experience, which means you can’t preview link destinations or verify the sender’s identity. A lot of the red flags we’re trained to spot on desktops are nearly impossible to see on mobile,” says Hank Schless, Senior Manager, Security Solutions at Lookout.
The Money Trail
Gift cards were the favorite payment method requested by BEC scammers with 66% using these as a payment method. About 18% demanded a direct bank transfer and 16% of the money requested was through payroll diversions, according to the APWG report.
Even though the average amount of money involved in gift cards in the second quarter fell to $1,213 from $1,453 in the first quarter of 2020, researchers say, “attempts around this dollar amount may have a decent chance of success because they can be approved by multiple people in a medium-to-large company, and the amount is small enough to slip by some companies’ financial controls.”
“Organizations operating in all industry sectors are potentially exposed to BEC attacks. Criminals do not discriminate against industry or country with significant BEC-related activity worldwide, including in Singapore, Australia, Canada and Nigeria. While BEC-related losses typically range between $50,000 and $100,000, signs are that this will increase,” says Mark Chaplin, Principal at the Information Security Forum.
Chaplin recommends businesses:
- Engage with business leaders to determine the risk tolerance relating to BEC and similar types of threat, but also manage in the context of all information risk.
- Focus advice and guidance on high-risk targets in the organization, such as executive, finance and procurements teams.
- Provide clear educational information about threats, such as methods of executive impersonation, indicators of fraudulent payments, interception of business relationship or transactions, and difficulty in detecting attacks.
- Inform employees of red flags to look for, such as requests for advanced payment, sudden changes to wire transfer instructions, reluctance to communicate verbally and short-notice requests from employees to change salary deposit information.
- Introduce methods for verifying requests to changes of contact information, email addresses used in communications and internet links included in messages.