Business Email Compromise: New Shift in BEC Threat Landscape Puts CISOs on Notice

This article originally appeared on the Email Security Blog.

By Patrick R. Peterson, Founder and CEO, Agari

A seismic shift in the email threat landscape has CISOs bracing for sophisticated new forms of business email compromise (BEC) scams, as phishing’s center of gravity begins to tilt from West African email scammers toward Russian and Eastern European cybercrime lords.

As detailed in our new threat actor dossier on a threat group we call Cosmic Lynx, the Agari Cyber Intelligence Division (ACID) has uncovered the first-ever reported Russian cybercriminal organization to conduct BEC campaigns. To CISOs, it marks an unsettling change in the threat calculus that must be factored into risk modeling.

For more than 30 years, West Africa has been the epicenter of global email fraud. Roughly 90% of all BEC scams still originate from the region today. By comparison, Russian and Eastern European threat actors have long focused on malware heists and the technological infrastructure to support them.

But as email defenses have grown more effective at blunting these technologically-advanced attacks, the returns from the low-tech, socially-engineered BEC campaigns launched by West African groups have skyrocketed. According to the FBI, BEC accounts for over $26 billion in global business losses just since 2016. It was just a matter of time before Russians and others took notice. And they have.

BEC: West Africa Gets ‘Cosmic’ Competition

If Cosmic Lynx is any indication of the shockwave heading CISOs’ way, existing corporate playbooks for fighting advanced email threats are in for some serious jostling.

As successful as Nigerian email fraud gangs have been at conning corporate employees out of money and login credentials, they may pale in comparison to well-funded Eastern European cybercrime groups running highly orchestrated operations.

Cosmic Lynx, for instance, has already put a new spin on BEC phishing attacks. Through bogus merger-and-acquisition scenarios and dual impersonations, the group researches and targets specific individuals within large, multinational organizations — including Fortune 500 and Global 2000 companies.

First, there’s the email from the “CEO” asking a vice president or other senior executive to work as a confidential liaison with “external legal counsel” to coordinate closing payments on a purported acquisition. Next there’s the follow-up email impersonating a legitimate outside M&A attorney, prompting recipients to facilitate the transaction. And finally, pilfered funds move offshore to Hong Kong to make recovery all but impossible.

Millions lost in a single transaction — an event likely to be met with extreme prejudice by any board of directors, let alone cyber insurance carrier. The fact that our researchers have observed more than 200 Cosmic Lynx BEC attacks spanning 46 countries in just the last 12 months is unsettling enough.

But what if Cosmic Lynx is just small potatoes?

What if notoriously sophisticated Eastern European cybercrime operations such Cobalt Group, Sandworm, and Cozy Bear are also pivoting toward low-tech, socially-engineered BEC attacks?

CISOs and the Ever-Expanding Attack Surface

Pulling off an M&A scam like Cosmic Lynx has demonstrated requires weeks or months of savvy reconnaissance, methodical social engineering, and a robust support infrastructure. All easily justified by the potential for stratospheric payouts. And all easily achievable by Eastern European cybercrime organizations.

CISOs seeking to short-circuit attacks like these have plenty of ground to cover. With employees working from home amid the coronavirus pandemic, they’re more vulnerable to email attacks than ever before. Taking full advantage, gangs like Cosmic Lynx use clever social engineering tricks such as informing targeted executive the M&A transactions are highly confidential and require strictly hush-hush behaviors, thus minimizing the chance their ruse will be detected.

The vast sea of unauthenticated email domains presents another challenge. While most BEC scams involve spoofing corporate domains using free webmail services, Cosmic Lynx is part of the 4% of attacks to exploit organizations that do not employ Domain Messaging Authentication, Reporting and Conformance (DMARC).

This standard email authentication protocol is proven to help prevent scam artists from hijacking a company’s email domains for use in impersonation schemes. And boutique law firms aren’t the only ones falling victim to this. So are entire supply chain operations, as we’ve seen with the BEC ring we’ve dubbed Silent Starling.

Yet according to our latest email fraud trends report, 85% of the Fortune 500 remain vulnerable to this kind of domain pirating. If other email crime groups operating out of Russia or other Eastern European countries are anything like Cosmic Lynx, DMARC protection is about to become a larger front in the battle against BEC.

The Identity Imperative

Factor in the availability of harvested email login credentials and the potential for BEC schemes to be launched from compromised email accounts belonging to internal executives or outside partners and the risks grow exponentially.

While phishing awareness training is always a good idea, relying exclusively on a human firewall and manual remediation mean you’re always in reactive mode. The sheer volume and inventiveness of phishing attacks already account for 40% of all cybercrime losses according to the FBI as it is.

With the likes of Cosmic Lynx coming on the scene, it’s long past time CISOs started implementing identity-based phishing defenses capable of blocking even the most sophisticated, social engineering-based BEC attacks — especially those launched from compromised email accounts. And continuous detection and response technologies are needed to sniff out and automatically remove malicious emails that do manage to reach employee inboxes.

Given the caliber of cybercriminal syndicates that appear to be shifting toward BEC tactics first pioneered in West Africa, even these measures are no longer enough on their own.

As new attack modalities emerge, it’ll become increasingly important for organizations to leverage global threat intelligence to preemptively neutralize new scams, as well as active defense measures to understand the specific attacks targeting their business.

If Cosmic Lynx is indeed a sign of things to come, the battle against BEC has entered treacherous new territory. CISOs are ill-advised to navigate it alone.

To learn more, download our new threat actor dossier, Cosmic Lynx: The Rise of Russian BEC.