Cybercriminals Switching from Business Email Compromise to Vendor Email Compromise Attacks

The number of ransomware attacks in the United States has increased sharply in 2019, and business email compromise (BEC) attacks have risen as well. Symantec found an average of 6,029 businesses were targeted by BEC emails in the past 12 months, and figures from the FBI indicate attacked entities lost $1,297,803,489 to the scams in 2018.

BEC attacks involve gaining access to business email accounts and using them for further attacks on the organization. Some BEC attacks aim to obtain sensitive data such as W-2 forms for use in tax fraud, but in most cases the attackers use the accounts to arrange fraudulent wire transfers. Attackers gain access to the email accounts of the CEO or other executives and send messages to the payroll department to reroute payments or to request wire transfers to attacker-controlled accounts.

This week, Agari has published details of new research that reveals a new BEC attack trend: vendor email compromise (VEC) attacks. As with other types of BEC attacks, they involve highly realistic emails requesting payment of invoices, but the victim of the attack is not the company whose email accounts have been compromised. Those accounts are used to attack the company’s customers.

The vendor email compromise attacks start with a spear phishing email targeting the CEO or CFO. Once credentials have been obtained, the account is accessed, and mail forwarding rules are added. A copy of every received and sent email is then forwarded to the attacker, unbeknown to the account holder.
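The forwarding rules described above are something an email administrator can audit for. The following is an added example, not code from the article or from Agari: it runs a simple check over a list of inbox-rule records and flags any rule that sends copies of mail to an address outside the organisation’s own domains, with a second flag where the rule also deletes the original (which would help keep the forwarding hidden from the account holder). The record layout, field names and domains are assumptions; the sample rules are constructed.

```python
"""Audit mailbox forwarding rules for external destinations.

Added example (not from the article or from Agari). The ForwardingRule
fields are an assumed layout for an inbox-rule export; the domains and
sample rules below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Assumed: the organisation's own email domains. Forwarding to anything
# else is treated as external and worth a look.
ORG_DOMAINS: Set[str] = {"example-vendor.com"}


@dataclass
class ForwardingRule:
    mailbox: str                 # account the rule is configured on
    rule_name: str               # name shown in the mail client
    forward_to: List[str]        # addresses that receive a copy
    enabled: bool = True
    delete_after_forward: bool = False  # original removed from the mailbox


@dataclass
class Finding:
    mailbox: str
    rule_name: str
    external_targets: List[str]
    reasons: List[str] = field(default_factory=list)


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def audit_rules(rules: List[ForwardingRule],
                org_domains: Set[str] = ORG_DOMAINS) -> List[Finding]:
    """Return one Finding per enabled rule that forwards mail externally."""
    findings: List[Finding] = []
    for rule in rules:
        if not rule.enabled or not rule.forward_to:
            continue  # disabled or non-forwarding rules are not of interest
        external = [a for a in rule.forward_to if _domain(a) not in org_domains]
        if not external:
            continue  # purely internal forwarding (e.g. to an assistant)
        reasons = ["forwards copies of mail to an address outside the organisation"]
        if rule.delete_after_forward:
            reasons.append("deletes the original, hiding the forwarding from the account holder")
        findings.append(Finding(rule.mailbox, rule.rule_name, external, reasons))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per mailbox, handy for a quick report."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.mailbox] = counts.get(f.mailbox, 0) + 1
    return counts


# Constructed sample: two suspicious rules, one benign internal rule,
# and one disabled rule that should be ignored.
SAMPLE_RULES = [
    ForwardingRule("cfo@example-vendor.com", ".",
                   ["archive@external-mailbox.example"], delete_after_forward=True),
    ForwardingRule("ap@example-vendor.com", "to assistant",
                   ["assistant@example-vendor.com"]),
    ForwardingRule("ceo@example-vendor.com", "Invoices",
                   ["ceo@example-vendor.com", "backup@external-mailbox.example"]),
    ForwardingRule("old@example-vendor.com", "Old forward",
                   ["someone@outside.example"], enabled=False),
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox} rule {f.rule_name!r} -> {f.external_targets}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

Running the audit on a real export is only half the control; the other half is reviewing newly created forwarding rules as they appear, since in the attacks described the rule is added immediately after the account is taken over.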

Over a period of weeks or months, the emails are studied and the attackers learn about customer billing cycles and typical invoice amounts. The attackers study the format of the emails, obtain the relevant logos, and use this information to create highly realistic fake invoices for the right amount at the right time.

The invoice requests are sent just a few days before payment would usually be made. The only thing that distinguishes a genuine request from a fraudulent one is a change to the usual bank account.
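Because the amount and timing look right, the remittance details are the one signal left to check. The following added example (not code from the article or from Agari) shows a payment-approval gate that compares the bank details on an incoming invoice against the vendor master record and places the payment on hold when they differ, while tolerating harmless formatting differences such as spaces or dashes in an account number. Vendor records, invoice fields and identifiers are constructed assumptions.

```python
"""Payment-approval gate: hold invoices whose bank details differ from
the vendor master record.

Added example (not from the article or from Agari). The vendor master,
invoice layout and identifiers are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass(frozen=True)
class BankDetails:
    bank_name: str
    account_number: str


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    amount: float
    remit_to: BankDetails     # bank details printed on the invoice
    days_until_due: int


# Constructed vendor master: the bank details approved when the vendor
# was onboarded, the only trusted source for where payments go.
VENDOR_MASTER: Dict[str, BankDetails] = {
    "V-1001": BankDetails("First Example Bank", "0012-3456-7890"),
}


def normalise(details: BankDetails) -> Tuple[str, str]:
    """Canonical form so that '0012-3456-7890' and '0012 3456 7890' compare equal."""
    bank = re.sub(r"\s+", " ", details.bank_name).strip().lower()
    account = re.sub(r"[\s-]", "", details.account_number).upper()
    return bank, account


def screen_invoice(invoice: Invoice,
                   vendor_master: Dict[str, BankDetails] = VENDOR_MASTER
                   ) -> Tuple[str, str]:
    """Return ('ok' | 'hold', reason) for an invoice awaiting payment."""
    on_file = vendor_master.get(invoice.vendor_id)
    if on_file is None:
        return "hold", "vendor id not found in vendor master"
    if normalise(on_file) == normalise(invoice.remit_to):
        return "ok", "bank details match the vendor master record"
    # A changed account is exactly the signal these attacks leave behind.
    # The fix is out-of-band: confirm with the vendor using the contact
    # details already on file, never the ones supplied in the email.
    return "hold", ("bank details differ from vendor master; confirm the change "
                    "with the vendor via the phone number on file")


# Constructed invoices: same vendor, expected amount, due in a few days.
LEGITIMATE = Invoice("V-1001", 12500.00,
                     BankDetails("First Example Bank", "0012 3456 7890"), 3)
REDIRECTED = Invoice("V-1001", 12500.00,
                     BankDetails("Second Example Bank", "9988776655"), 3)
UNKNOWN = Invoice("V-9999", 12500.00,
                  BankDetails("First Example Bank", "0012-3456-7890"), 3)

if __name__ == "__main__":
    for inv in (LEGITIMATE, REDIRECTED, UNKNOWN):
        verdict, reason = screen_invoice(inv)
        print(f"{inv.vendor_id} {inv.amount:>10.2f}  {verdict:<4} {reason}")
```

The gate deliberately ignores everything the attacker gets right (vendor, amount, timing) and keys on the one field they have to alter. Treating the vendor master as the sole source of truth also means a request to update bank details is itself a change to be verified out of band before any payment is released.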

The attacks are often conducted on small to medium-sized businesses, such as those that provide materials or services to larger companies. Each compromised email account could be used to send fraudulent invoices to many of the company’s customers, increasing the potential payout. The incredibly realistic requests are also less likely to arouse suspicion. “The context, the timing, the communication from the supposed vendor, the invoice itself – all look completely legitimate… that’s why this type of attack is extremely effective,” explained Agari.

These attacks are difficult for employees to identify as all the typical signs of fraudulent emails are lacking. There are no spelling mistakes, the grammar is perfect, and the emails are sent from genuine – not spoofed – email accounts.

Agari has been tracking the activity of one cybercriminal gang that is using this new tactic. The group, which Agari calls Silent Starling, has conducted more than 500 known attacks since the start of 2018 which have involved around 700 compromised employee email accounts. Many other cybercriminal gangs are using the same tactics.

“We expect VEC to be the largest threat for organizations worldwide over the course of the next 12-18 months,” warned Agari. “As cybercriminals evolve this attack modality, these scams will proliferate.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.