Page 89 - Cyber Defense Magazine for August 2020
One of the defining characteristics of Cosmic Lynx’s campaigns is that they are far more sophisticated
than generic phishing scams. This is a well-researched operation, run by experienced hackers who have
clearly done their homework. The hackers investigated companies that were completing an acquisition,
identified a senior executive target, and impersonated the CEO of the target company in order to deceive
their victim into wiring money to a fraudulent account.
To add another layer of perceived legitimacy, the hackers also impersonated an external lawyer at a well-
regarded law firm to “facilitate the payment”, making it very difficult for the target to think that they are
being scammed. Finally, the hackers ensured a high level of quality and diligence in their campaigns,
paying particular attention to brands’ details, and making sure grammar and spelling were without error.
Social engineering campaigns like this can be devastating to businesses, and anyone in an organisation
can fall for the scams. As hackers up their game, businesses need to ensure all employees are aware of
the threats in their inboxes and consider whether they have the security measures in place to detect the
deception before it's too late.
My company has DMARC so I should be protected against email impersonation, right?
Implementing Domain-based Message Authentication, Reporting & Conformance (DMARC) is a
necessary first step for a business to prevent hackers from spoofing its domain in their email
attacks. Without it, an attacker can directly impersonate your company’s domain, and users will think
they are receiving an email from a legitimate (and trusted) source.
In the particular case of Cosmic Lynx, researchers found that the group has a strong understanding of
DMARC and analyses the public DMARC records to select its targets and methods of attack. The problem
is that, as DMARC records are publicly available, it's very easy for hackers to identify companies that do
not have email authentication protocols in place, allowing them to directly impersonate a company's
domain and pose as the CEO.
But even if your company does have a DMARC policy in place, attackers can also assess how strictly
you've configured it. If your company's DMARC policy is strict, the attacker can still carry out an
advanced spear phishing attack by registering a look-alike domain, banking on the fact that a busy
employee may miss the slight deviation from the real domain. This highlights why companies cannot
rely on the email authentication protocol as a silver bullet to prevent email impersonation scams.
The other problem is that while your organisation might have DMARC in place, your external contacts
may not. This means that while your organisation's domain is protected against direct impersonation,
your employees may be vulnerable to impersonation of external contacts like partners, customers or
lawyers. Again, this knowledge has worked to Cosmic Lynx's advantage; they impersonated external
lawyers from real UK law firms to add another layer of legitimacy to their scams.
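The two gaps described above (a DMARC policy that is absent or only monitoring, and a look-alike domain that DMARC never sees) can both be checked from the defender's side. The following is an added example written for this article, not code from the magazine or from the researchers it cites. It parses DMARC TXT records, grades how strictly they are enforced, and flags inbound sender domains that sit within a small edit distance of a trusted domain. The DNS records, domain names and the `max_distance` threshold are all constructed for the example; a real deployment would fetch `_dmarc.<domain>` TXT records with a DNS library instead of the inline dictionary.

```python
"""Grade DMARC enforcement and flag look-alike sender domains (added example)."""

# Constructed sample TXT records for _dmarc.<domain>; not real DNS data.
SAMPLE_DMARC_TXT = {
    "example-corp.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.com; pct=100",
    "partner-law.example": "v=DMARC1; p=none; rua=mailto:reports@partner-law.example",
    "customer.example": "v=DMARC1; p=quarantine; pct=50",
    # "nodmarc.example" deliberately has no record at all.
}


def parse_dmarc(txt):
    """Split a DMARC record ("tag=value; tag=value") into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(domain, records=SAMPLE_DMARC_TXT):
    """Return one of: unprotected, invalid, strict, partial, monitor-only."""
    txt = records.get(domain.lower())
    if txt is None:
        return "unprotected"          # no record: nothing polices direct spoofing
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "reject" and pct == 100:
        return "strict"               # spoofed mail is rejected outright
    if policy in ("reject", "quarantine"):
        return "partial"              # quarantine, or pct<100 leaves some mail unenforced
    return "monitor-only"             # p=none: aggregate reports only, nothing blocked


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), used for look-alike detection."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain, trusted_domains, max_distance=2):
    """Return the trusted domain that sender_domain closely resembles, or None.

    An exact match is not a look-alike (it is authenticated by DMARC instead).
    max_distance=2 is an assumed threshold; tune it to your domain lengths and
    combine with homoglyph normalisation in a real mail-filtering pipeline.
    """
    sender = sender_domain.lower()
    trusted = [d.lower() for d in trusted_domains]
    if sender in trusted:
        return None
    for t in trusted:
        if levenshtein(sender, t) <= max_distance:
            return t
    return None


def triage_sender(sender_domain, trusted_domains, records=SAMPLE_DMARC_TXT):
    """Combine both checks for one inbound sender domain.

    ("trusted", <dmarc grade>)  - a known domain; the grade says how much the
                                   DMARC pass on that mail is actually worth
    ("lookalike", <trusted>)    - a near-miss of a known domain; DMARC cannot help
    ("unknown", None)           - neither
    """
    sender = sender_domain.lower()
    if sender in [d.lower() for d in trusted_domains]:
        return ("trusted", assess_dmarc(sender, records))
    match = lookalike_of(sender, trusted_domains)
    if match:
        return ("lookalike", match)
    return ("unknown", None)


if __name__ == "__main__":
    trusted = ["example-corp.com", "partner-law.example", "customer.example"]
    for sender in ["partner-law.example", "examp1e-corp.com", "unrelated.example"]:
        print(sender, "->", triage_sender(sender, trusted))
```

Run as a script it prints a verdict per sample sender; the interesting output is `partner-law.example -> ('trusted', 'monitor-only')`, which is exactly the case the article warns about: the partner domain has a DMARC record, but with `p=none` its mail can still be spoofed, so a DMARC pass from that partner tells you little. The same `assess_dmarc` grading, run over the domains of your own partners, customers and law firms, gives a quick inventory of which external contacts could be impersonated directly.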
Copyright © 2020, Cyber Defense Magazine. All rights reserved worldwide.