Page 89 - Cyber Defense Magazine for August 2020

One of the defining characteristics of Cosmic Lynx’s campaigns is that they are far more sophisticated than generic phishing scams. This is a well-researched operation, run by experienced hackers who have clearly done their homework. The hackers investigated companies that were completing an acquisition, identified a senior executive target, and impersonated the CEO of the target company in order to deceive their victim into wiring money to a fraudulent account.

To add another layer of perceived legitimacy, the hackers also impersonated an external lawyer at a well-regarded law firm to “facilitate the payment”, making it very difficult for the target to think that they are being scammed. Finally, the hackers ensured a high level of quality and diligence in their campaigns, paying particular attention to brands’ details, and making sure grammar and spelling were without error.

Social engineering campaigns like this can be devastating to businesses, and anyone in an organisation can fall for the scams. As hackers up their game, businesses need to ensure all employees are aware of the threats in their inboxes and consider whether they have the security measures in place to detect the deception before it's too late.

My company has DMARC so I should be protected against email impersonation, right?


Implementing Domain-based Message Authentication, Reporting & Conformance (DMARC) is a necessary first step for businesses to prevent hackers from spoofing your company’s domain in their email attacks. Without it, an attacker can directly impersonate your company’s domain and users will think they are receiving an email from a legitimate (and trusted) source.

In the particular case of Cosmic Lynx, researchers found that the group has a strong understanding of DMARC and analyses the public DMARC records to select its targets and methods of attack. The problem is that, as DMARC records are publicly available, it's very easy for hackers to identify companies that do not have email authentication protocols in place, allowing them to directly impersonate a company's domain and pose as the CEO.

But even if your company does have a DMARC policy in place, attackers can also assess how strictly you've configured it. If your company has a strict email policy in place, the attacker can still carry out an advanced spear phishing attack by registering a look-alike domain, banking on the fact that a busy employee may miss the slight deviation from the original domain. This highlights why companies cannot rely on the email authentication protocol as a silver bullet to prevent email impersonation scams.
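DMARC cannot stop mail from a look-alike domain because that domain is not yours, so the check has to happen on the receiving side. The script below is an added example (not the article's or any vendor's code) of the kind of inbound screening a mail gateway or SOC playbook can run: it compares each sender domain against a list of trusted domains and flags confusable spellings, a swapped top-level domain, a one- or two-character edit, or a trusted name embedded in a longer one. The trusted domains and sender addresses are constructed placeholders, the confusable table is illustrative rather than complete, and the code assumes simple two-level names (a real deployment would consult the public suffix list).

```python
"""Flag sender domains that look like a trusted domain.

Added example (not the article's own code). Trusted and sender domains
below are constructed placeholders. Assumes two-level names such as
name.tld; a production check would use the public suffix list.
"""
import unicodedata

# Character sequences that read alike in many fonts (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(label):
    """Normalise a label so confusable spellings compare equal."""
    folded = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for seq, plain in CONFUSABLES:
        folded = folded.replace(seq, plain)
    return folded


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain):
    """Return (name, tld) for a two-level domain (assumption noted above)."""
    name, _, tld = domain.lower().rstrip(".").partition(".")
    return name, tld


def lookalike_of(sender_domain, trusted_domains):
    """Return (trusted_domain, reason) if sender_domain imitates a trusted one, else None.

    An exact match is not a lookalike: it is either genuine or a direct
    spoof, and stopping direct spoofs is what DMARC on the trusted domain is for.
    """
    sender = sender_domain.lower().rstrip(".")
    trusted_set = {t.lower().rstrip(".") for t in trusted_domains}
    if sender in trusted_set:
        return None
    s_name, s_tld = split_domain(sender)
    for trusted in sorted(trusted_set):
        t_name, t_tld = split_domain(trusted)
        if fold(s_name) == fold(t_name):
            if s_tld != t_tld:
                return trusted, "tld-swap"
            return trusted, "confusable-characters"
        distance = levenshtein(s_name, t_name)
        if distance <= 1 or (len(t_name) >= 8 and distance <= 2):
            return trusted, "edit-distance"
        if t_name in s_name:
            return trusted, "embedded-name"
    return None


def screen_senders(addresses, trusted_domains):
    """Return [(address, trusted_domain, reason)] for every address worth a second look."""
    flagged = []
    for address in addresses:
        domain = address.rpartition("@")[2]
        hit = lookalike_of(domain, trusted_domains)
        if hit:
            flagged.append((address, hit[0], hit[1]))
    return flagged


# Constructed sample data: two trusted domains and a handful of senders.
TRUSTED = ["example-corp.test", "partner-law.test"]
SAMPLE_SENDERS = [
    "ceo@example-corp.test",       # genuine domain
    "ceo@exarnple-corp.test",      # "rn" in place of "m"
    "ceo@example-corp.com",        # same name, other TLD
    "counsel@partnerlaw.test",     # hyphen dropped
    "billing@unrelated.test",      # nothing to do with us
]

if __name__ == "__main__":
    for address, trusted, reason in screen_senders(SAMPLE_SENDERS, TRUSTED):
        print(f"{address}: resembles {trusted} ({reason})")
```

A flagged address is a reason to warn the recipient or route the message for review, not proof of fraud; the point is to surface the "slight deviation" the article describes before a busy employee has to spot it unaided.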

The other problem is that while your organisation might have DMARC in place, your external contacts may not. This means that while your organisation's domain is protected against direct impersonation, your employees may be vulnerable to impersonation of external contacts like partners, customers or lawyers. Again, this knowledge has worked to Cosmic Lynx's advantage; they impersonated external lawyers from real UK law firms to add another layer of legitimacy to their scams.
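Because DMARC records are public, the same audit that tells you whether your own domain is covered also tells you which of your partners, customers and law firms can still be impersonated directly, which is the gap the two paragraphs above describe. The script below is an added example (not the article's own code) that parses DMARC TXT records, reports the policy a receiver would apply to unauthenticated mail, and lists the weaknesses a defender should close: a monitor-only `p=none`, a partial `pct=`, a weaker subdomain policy, or no reporting address. The records are constructed sample strings for hypothetical domains; a real audit would fetch the TXT record published at `_dmarc.<domain>` with a DNS resolver.

```python
"""Audit DMARC TXT records for policy strength.

Added example (not the article's own code). Records below are constructed
sample strings for hypothetical domains; a real audit would fetch the TXT
record published at _dmarc.<domain> with a DNS resolver.
"""

# Constructed sample records: your own domain plus three external contacts.
SAMPLE_RECORDS = {
    "example-corp.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test; pct=100",
    "partner-law.test": "v=DMARC1; p=none; rua=mailto:reports@partner-law.test",
    "half-way.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "no-record.test": "",  # nothing published at _dmarc.no-record.test
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a lowercase tag -> value dict.

    Returns None when the text is not a DMARC record (for example an SPF
    record or an empty DNS answer).
    """
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_policy(txt):
    """Return (policy, findings) for one record.

    policy is the p= value a receiver applies to mail that fails SPF/DKIM
    alignment ('none' means deliver and only report). findings lists the
    gaps a defender should close.
    """
    tags = parse_dmarc(txt)
    if tags is None:
        return "none", ["no DMARC record: the domain can be spoofed directly"]

    findings = []
    policy = tags.get("p", "none").lower()
    if policy not in POLICY_RANK:
        findings.append(f"unrecognised p={policy!r}; receivers fall back to none")
        policy = "none"
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number; treated as 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")

    sub = tags.get("sp")
    if sub is not None and POLICY_RANK.get(sub.lower(), 0) < POLICY_RANK[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the organisational domain")

    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")

    return policy, findings


def audit_domains(records):
    """Assess every domain in a {domain: txt} mapping; returns {domain: (policy, findings)}."""
    return {domain: assess_policy(txt) for domain, txt in records.items()}


if __name__ == "__main__":
    for domain, (policy, findings) in audit_domains(SAMPLE_RECORDS).items():
        print(f"{domain}: p={policy}")
        for finding in findings:
            print(f"  - {finding}")
```

Run the audit against the domains your finance and legal teams actually correspond with: any contact that comes back as `none` is one whose mail your staff should treat with the same caution as an unknown sender, whatever your own record says.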

Cyber Defense eMagazine – August 2020 Edition, page 89
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.