Managing Breaches
Vendor Email Compromise Attacks
December 26, 2019 | 2 min read
BlueVoyant

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.
Phishing still remains the biggest threat to enterprise security. It attacks the path of least resistance, which is most often the end user. Most of the recorded phishing activity deals with soliciting an action from the user that will grant the bad guy access to the victim’s system.

But then came Business Email Compromise (BEC) scams. BEC is a form of targeted social engineering attack against institutions. It typically involves spoofing an email from a C-level corporate officer, “baiting” staff members to do the attacker’s bidding. These targets are usually in the finance, payroll, or human resource departments; they have access to the organization’s monetary accounts or the power to make financial decisions. The spoofed email preys on feelings of loyalty or other emotions to induce staff members to execute a last-minute payment before the organization is subject to some kind of business hardship. Attackers often try to take over legitimate email accounts, but all of this can happen without ever touching a legitimate email account. In the event of an account takeover, attackers can use the access to spy on communications, gain knowledge of business operations, and send attacks on behalf of that employee, in which case the damage can be much worse.

It appears that a new cybercriminal gang, known as Silent Starling, has put a twist on BEC scams: Vendor Email Compromise (VEC). They target vendors/suppliers with phishing emails in an initial attack and then send realistic-looking invoices to those vendors’ customers in order to steal money. This new VEC tactic is significant in that the original victim is not the ultimate target. Instead, VEC scammers look to leverage the legitimacy and trust of supply chains to attack multiple connected organizations. It is typical for large brands to have a large number of suppliers, partners, etc. Why scam one company when you can get a foothold in that company and scam many more?
The following diagram shows how a typical VEC scam would work, starting with access to a legitimate corporate email account. The attacker then patiently collects information about employee behavior, standard invoice design, and other financial information. Finally, the attacker asks the target for payment on an invoice. Because the email looks exactly like one the customer is expecting, only with updated banking details, the customer is likely to fall for the scam.
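Because a VEC invoice arrives from a genuine vendor mailbox, sender authentication alone will not catch it; the tell is the changed banking details. The check below is an added example (not BlueVoyant code) that compares the bank account in an incoming invoice email against a vendor master record and also flags a mismatched Reply-To and urgency language. The vendor domains, master records and sample message are all constructed for illustration.

```python
"""Accounts-payable side check for VEC-style invoice fraud (added example)."""
from dataclasses import dataclass
from email.utils import parseaddr
import re

# Constructed vendor master records: the bank details AP already has on file.
VENDOR_MASTER = {
    "acme-supplies.example": {"iban": "DE89370400440532013000"},
}

@dataclass
class InvoiceEmail:
    from_addr: str
    reply_to: str
    subject: str
    body: str

URGENCY = re.compile(r"\b(urgent|immediately|today|before (?:close|end) of business)\b", re.I)
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")  # IBANs written without spaces

def vec_indicators(msg: InvoiceEmail) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    findings = []
    from_domain = parseaddr(msg.from_addr)[1].split("@")[-1].lower()
    reply_domain = parseaddr(msg.reply_to)[1].split("@")[-1].lower() if msg.reply_to else from_domain
    record = VENDOR_MASTER.get(from_domain)
    if record is None:
        return [f"unknown vendor domain {from_domain}"]
    # A takeover lets the attacker send from the real mailbox but route replies elsewhere.
    if reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    # The core VEC indicator: "updated" bank details that differ from the master record.
    for iban in set(IBAN_RE.findall(msg.body)):
        if iban != record["iban"]:
            findings.append(f"bank account {iban} differs from vendor master {record['iban']}")
    if URGENCY.search(msg.subject + " " + msg.body):
        findings.append("urgency language in subject/body")
    return findings

# Constructed sample: an invoice from the compromised vendor mailbox with new bank details.
SAMPLE = InvoiceEmail(
    from_addr="Accounts <billing@acme-supplies.example>",
    reply_to="billing@acme-supplies-invoices.example",
    subject="Invoice 4471 - URGENT payment today",
    body="Please note our bank details changed. New IBAN: GB29NWBK60161331926819. Pay today.",
)

if __name__ == "__main__":
    for finding in vec_indicators(SAMPLE):
        print("ALERT:", finding)
```

Any non-empty result should route the invoice to an out-of-band callback to the vendor on a previously known phone number, not to a reply on the same email thread.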