Vendor Email Compromise Attacks

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

Phishing still remains the biggest threat to enterprise security. It attacks the path of least resistance, which is most often the end user. Most of the recorded phishing activity deals with soliciting an action from the user that will grant the bad guy access to the victim’s system.

But then came Business Email Compromise (BEC) scams. BEC is a form of targeted social engineering attacks against institutions. They typically include spoofing an email from a C-level corporate officer, “baiting” staff members to do the attacker’s bidding. These targets are usually in the finance, payroll, or human resource departments. They have access to the organization’s monetary accounts or the power to make financial decisions. The spoofed email preys on feelings of loyalty or other emotions to induce staff members to execute a last-minute payment before the organization is subject to some kind of business hardship. 

Attackers often try to take over legitimate email accounts, but all of this can happen without ever touching a legitimate email account. In the event of an account takeover, attackers can use the access to spy on communications, gain knowledge of business operations, and send attacks on behalf of that employee, in which case the damage can be much worse.

It appears that a new cybercriminal gang, known as Silent Starling, has put a twist on BEC scams - Vendor Email Compromise (VEC). They are targeting vendors/suppliers with phishing emails in an initial attack and then send realistic-looking invoices to their customers in order to steal money. This new VEC tactic is significant in that the original victim is not the ultimate target. Instead, VEC scammers look to leverage the legitimacy and trust of supply chains to attack multiple connected organizations. It's typical for large brands to have a large number of suppliers, partners, etc. Why scam one company when you can get a foothold in that company and scam many more?

The following diagram shows how a typical VEC scam would work by first gaining access to a legitimate corporate email account. The attacker then patiently collects information about employee behavior, standard invoice design, and other financial information. Finally, the attacker will ask the target for payment on an invoice. And because the email looks exactly like one which they are expecting, only with updated banking details, the customer is likely to fall for the scam.

As evident from the graphic above, the entity that is most impacted by a VEC attack is not the original victim of the initial compromise. Rather, is a completely separate organization—the compromised vendor’s client base. In a cruel twist, these customers have no control over the security of the system where the attack began and thus have no real way to defend against it.

Two things can be done:

1) Always check email accounts for any unauthorized forwarding rules.

2) Double check any large or last-minute transactions with the solicitor via a second medium. 

In the event that fraud is discovered after the financial request is fulfilled, begin the recovery process right away. Call your financial institution and request that they communicate with the receiving financial institution. If your business is insured, call your insurers and company shareholders. Lastly, reach out to local law enforcement and the FBI.