News The Cosmic Lynx group has conducted more than 200 BEC attacks on large companies over the past year

Koc

Experts at the information security company Agari have revealed details about the activities of the Cosmic Lynx group, which specializes in business email compromise (BEC) attacks. Over the past year, the fraudsters have carried out more than 200 BEC attacks aimed at stealing money from large companies.

According to researchers, the group has been operating since at least July 2019 and during this time has managed to attack individuals in 46 countries, mainly top managers of companies from the Fortune 500 and Global 2000 lists.

According to Agari, the group's members are based in Russia. This assumption is partly based on Cosmic Lynx's use of TrickBot and Emotet malware, as well as the fact that most attacks were carried out "during peak hours in Russian time zones". In addition, the researchers were able to track the IP address used in the fraudulent scheme, which led them to sites with fake documents that had previously surfaced in other campaigns. These sites, which were aimed at residents of the Russian Federation and Ukraine, offered various fake documents in Russian, in particular diplomas and birth and death certificates.

As a rule, members of Cosmic Lynx pose as executives of a fictitious Asian firm that allegedly offers legal advice on mergers and acquisitions. In addition, the attackers often exploit the topic of the COVID-19 pandemic in their messages, encouraging the victim to "look beyond the crisis" and acquire the assets of troubled companies.

If the criminals manage to extort money from the victim, the funds are sent to accounts in Hong Kong, Hungary, Portugal and Romania, where they are withdrawn from banks by so-called money mules. Experts did not provide data on how much money Cosmic Lynx managed to earn through fraudulent schemes.

A "money mule" is a person who receives funds into their bank account from third parties and then either transfers the money to another party or withdraws cash and hands it to someone else, often receiving a commission for this.