Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme with a Spin
How Cybercriminals Behind VEC Attacks Operate
A new email fraud scheme has taken Business Email Compromise (BEC) to a new level of sophistication. The recently documented variant has been dubbed Vendor Email Compromise (VEC) and, as its name suggests, the attackers first prey on employees working at vendor companies, then on those vendors' customers.
A cybercriminal group, tracked as Silent Starling by researchers at Agari, ran these malicious email campaigns. The fraudsters phished their way into the email accounts of employees in the vendors' finance departments and harvested as much information as they could from those inboxes. In the end, the scammers sent the vendors' customers perfectly timed payment requests accompanied by fake invoices.
Since late 2018, over 700 employee accounts from more than 500 companies in the United States and over a dozen other countries have been compromised. Consequently, more than 20,000 sensitive emails have been harvested.
Vendor Email Compromise, a new milestone in the evolution of BEC attacks
Traditionally, a BEC attack is based on what is commonly referred to as CEO fraud: the impersonation of an upper- or middle-management employee. The fraudsters contact their "colleagues" in the finance department, requesting an urgent payment and providing all the details needed to transfer the money. Because the email appears to come from a superior and carries a sense of urgency, employees are likely to fall for it, unaware that the money will end up in a cybercriminal's account.
And now, through this social engineering tactic, impostors are targeting a new niche: vendors.
More precisely, scammers are preying on employees working in a vendor’s finance department, with the ultimate goal of gathering intelligence on customers they interact with.
Who are the attackers behind Silent Starling?
The criminal group originates from West Africa and has been involved in fraudulent practices since 2015. It first engaged in romance scams and check fraud, then transitioned to BEC attacks in mid-2016, Agari writes. In its first two years of BEC activity the group focused on wire transfer requests and gift card attacks, shifting to VEC scams only at the end of 2018.
Three main actors belonging to the group have been identified, but at least eight other members may have been involved. Each individual was in charge of specific tasks, such as collecting leads to target, finding mule accounts, or hijacking and scanning compromised email accounts for relevant information.
How do Vendor Email Compromise attacks work?
As briefly mentioned above, both BEC and VEC scams rely on social engineering. What sets them apart is that VEC attacks target a supplier's customers, who receive realistic-looking payment requests for a service they genuinely expect to pay for.
But how do VEC scams actually work?
Since they are highly elaborate schemes, they are conducted in multiple stages. The main phases of a Vendor Email Compromise attack are:

| Attack phase | Description |
| --- | --- |
| Phase 1 | The first phishing wave (target: vendors) |
| Phase 2 | Account takeover |
| Phase 3 | Inbox monitoring |
| Phase 4 | The second phishing wave (target: the vendors' customers) |
Phase #1. Credential stealing through phishing campaigns
The phishing emails sent by the Silent Starling group pose as notifications from popular business applications, a practice commonly employed by cybercriminals. For instance, merely a few days ago, we've discovered yet another Microsoft phishing campaign targeting Office 365 users.
In Silent Starling's case, the lures imitated Microsoft OneDrive and DocuSign login pages, as well as voicemail and fax notifications.
The attackers reportedly used over 70 phishing websites to harvest credentials. They captured the login details of more than 700 employees at over 500 companies in 14 countries, most of them in the United States, Canada, and the United Kingdom.
But who falls for these scams in the first place? Employees who have not received basic cybersecurity training may click malicious links and enter their login credentials without checking whether the sender and the landing page are legitimate. Often, their organization also lacks the tools to protect against phishing.
At a single US-based company, the accounts of 39 employees were compromised in a campaign that ran between September 2018 and March 2019, as reported by Agari. The stolen credentials belonged to people in various business functions, including billing, sales, HR, and senior executives.
In one of the phishing emails that targeted the above-mentioned company, 13 email accounts were compromised within thirty minutes of the email being sent. Furthermore, at least six employees also had their personal email account credentials compromised. Most likely, these employees made the common mistake of reusing the same password (or a slight variation of it) for both their corporate and personal accounts, allowing the attackers to replay the stolen credentials against their personal mail providers (credential stuffing).
Phase #2. Taking over the compromised accounts
During this stage, the attackers first log into the hijacked accounts and look for significant vendor relationships that could be exploited through impersonation.
Secondly, they set up inbox rules that forward, or even redirect, copies of incoming emails to inboxes under the scammers' control. Once these rules exist, the victims rarely notice any sign that someone is reading their mail, so the criminals can keep the access for a long time and evade detection.
For instance, the Silent Starling attackers had access for over four months to employees' email accounts at a US-based real estate company. During this period, they received more than 2,800 confidential emails containing "income statements, invoices, customer agreements, rental injury process, and other policy paperwork", Agari notes.
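The rule-based exfiltration described in this phase is something defenders can look for directly. The Python script below is an added example, not code from the article or from Agari's report: it audits an exported list of inbox rules for the combination that account takeover typically produces (forwarding or redirecting to an external address, filtering on payment-related subjects, and hiding the matching mail from the owner). The rule records and their field names are constructed assumptions; map them onto whatever your mail platform's export actually produces (for Exchange Online, the Get-InboxRule cmdlet exposes the same kinds of properties).

```python
"""Audit mailbox inbox rules for the forward-and-hide pattern used after account takeover.

Added example, not code from the article or from Agari's report. The rule records
below are constructed to resemble an exported inbox-rule listing; the field names
are an assumption, not any mail platform's schema.
"""
from dataclasses import dataclass, field

# Assumption: the organization's own mail domains.
INTERNAL_DOMAINS = {"acme-supply.com"}
# Subject words an attacker harvesting billing traffic is likely to filter on.
PAYMENT_KEYWORDS = {"invoice", "payment", "wire", "remittance", "bank", "iban", "ach"}
# Folders where redirected copies get parked so the owner never sees them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "archive", "deleted items"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list = field(default_factory=list)
    redirect_to: list = field(default_factory=list)
    subject_contains: list = field(default_factory=list)
    from_contains: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    mark_as_read: bool = False


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def audit_rule(rule: InboxRule) -> tuple[int, list[str]]:
    """Return (risk score, findings) for one rule. The weights are a heuristic."""
    if not rule.enabled:
        return 0, []
    score, findings = 0, []
    external = [a for a in rule.forward_to + rule.redirect_to
                if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        score += 3
        findings.append("sends copies outside the organization: " + ", ".join(external))
    hits = {w.lower() for w in rule.subject_contains} & PAYMENT_KEYWORDS
    if hits:
        score += 2
        findings.append("filters on payment-related subjects: " + ", ".join(sorted(hits)))
    if rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS:
        score += 2
        findings.append("hides matching mail from the mailbox owner")
    elif rule.mark_as_read:
        score += 1
        findings.append("marks matching mail as read so it draws no attention")
    if rule.from_contains and external:
        score += 1
        findings.append("exfiltrates only mail from chosen correspondents: "
                        + ", ".join(rule.from_contains))
    if len(rule.name.strip()) <= 2:
        score += 1
        findings.append(f"near-empty rule name {rule.name!r}")
    return score, findings


def audit_mailboxes(rules: list, threshold: int = 4) -> dict:
    """Group flagged rules by mailbox; a rule is flagged at or above the threshold."""
    flagged: dict = {}
    for rule in rules:
        score, findings = audit_rule(rule)
        if score >= threshold:
            flagged.setdefault(rule.mailbox, []).append((rule.name, score, findings))
    return flagged


# Constructed sample export: one benign rule, one textbook VEC rule, one internal
# forward, and one "quiet" exfiltration that parks copies in a never-read folder.
SAMPLE_RULES = [
    InboxRule("ap@acme-supply.com", "Newsletters", subject_contains=["digest"],
              move_to_folder="Newsletters"),
    InboxRule("ap@acme-supply.com", ".", redirect_to=["ap.acme.backup@example.net"],
              subject_contains=["invoice", "payment"], from_contains=["bigcustomer.example"],
              delete_message=True, mark_as_read=True),
    InboxRule("sales@acme-supply.com", "Out of office copy",
              forward_to=["colleague@acme-supply.com"]),
    InboxRule("ceo@acme-supply.com", "Archive", forward_to=["ceo.personal@example.org"],
              move_to_folder="RSS Feeds"),
]

if __name__ == "__main__":
    for mailbox, hits in audit_mailboxes(SAMPLE_RULES).items():
        for name, score, findings in hits:
            print(f"{mailbox}: rule {name!r} (score {score})")
            for f in findings:
                print("   -", f)
```

Run against the constructed sample, the script flags the accounts-payable mailbox (external redirect, payment keywords, deletion, one-character rule name) and the CEO mailbox (external forward with copies hidden in RSS Feeds), while the newsletter rule and the internal forward pass. In practice, schedule the audit daily and alert on any newly created rule that scores above the threshold, rather than waiting for a quarterly review.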
Phase #3. The waiting game begins
VEC attacks are lengthy operations, during which the cybercriminals harvest as much sensitive information as they need in order to masquerade convincingly as real vendor representatives. This is one of the main differences between VEC and BEC, since the latter usually relies on an individual's innate tendency to respond to urgency.
During this phase, fraudsters are trying to figure out information such as:
- Vendor’s customers
- Invoice look and feel
- Customer payments due dates
- Due amounts
- Customer contacts responsible for payments
A high volume of email floods the scammers' inboxes, so they most likely use automated tools to search for keywords related to payments and invoices rather than reading each message by hand.
Phase #4. Spear phishing emails are sent to the vendor’s customers
After the cybercriminals have gathered enough information from the compromised accounts, they start the next phase of the VEC attack: crafting authentic-looking spear-phishing emails and sending them to the vendor's customers. Just as in a standard BEC attack, the goal is to trick the victim into transferring money to the fraudster's account.
According to Agari, three primary aspects need to be correctly identified by VEC attackers for the scam to succeed:
- Vendor identity – The employees responsible for customer billing on the vendor's side must be correctly identified. They can then be impersonated in three ways:
  - The fraudster logs into the compromised account directly.
  - The victim's email address is spoofed.
  - The attacker registers a domain that looks very similar to the vendor's official domain.
- Email content – VEC scammers mimic the way the vendor representative writes emails, and may copy their email signature, so the message appears genuine.
- Timing – Payment requests are sent on the dates previous invoices fell due, so nothing seems out of the ordinary.
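On the customer side, the three aspects above translate into checks an accounts-payable team can automate before releasing a payment. The script below is an added example, not code from the article or from Agari; the vendor record, invoice fields, confusable-character substitutions and distance threshold are constructed assumptions to be tuned against your own supplier master data. It screens an inbound invoice for a lookalike sending domain, a Reply-To that diverts replies elsewhere, an unknown billing contact and, most importantly, bank details that differ from the account verified on file.

```python
"""Screen an inbound vendor invoice against the vendor's verified record.

Added example for the article's Phase 4, not code from the article or from Agari.
The vendor record, invoice fields, confusable substitutions and thresholds are
constructed assumptions; tune them to your own supplier data.
"""
from dataclasses import dataclass


@dataclass
class VendorRecord:
    name: str
    domain: str                 # domain the vendor has always billed from
    account: str                # bank account / IBAN verified out of band
    billing_contacts: tuple     # addresses that normally send invoices


@dataclass
class InboundInvoice:
    display_name: str
    from_addr: str
    reply_to: str               # "" when the header is absent
    account: str                # account number extracted from the invoice


# ASCII look-alike sequences used by typosquatters (assumed list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def normalize(domain: str) -> str:
    """Collapse confusables so acrne-supply.com compares equal to acme-supply.com."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character typosquats and swapped TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, known: str) -> bool:
    """True when candidate imitates known without being identical to it."""
    if candidate == known:
        return False
    if normalize(candidate) == normalize(known):
        return True
    if levenshtein(candidate, known) <= 2:
        return True
    return known.split(".")[0] in candidate      # e.g. acme-supply-billing.net


def screen(invoice: InboundInvoice, vendor: VendorRecord) -> list[str]:
    """Return the findings that should hold the payment until verified by phone."""
    findings = []
    sender = domain_of(invoice.from_addr)
    reply = domain_of(invoice.reply_to) if invoice.reply_to else sender
    if sender != vendor.domain:
        if is_lookalike(sender, vendor.domain):
            findings.append(f"sender domain {sender} is a lookalike of {vendor.domain}")
        else:
            findings.append(f"sender domain {sender} is not the vendor's domain")
    if reply != sender:
        findings.append(f"Reply-To diverts replies to {reply} instead of {sender}")
    if invoice.from_addr.lower() not in vendor.billing_contacts:
        findings.append(f"{invoice.from_addr} is not a known billing contact")
    if invoice.account.replace(" ", "") != vendor.account.replace(" ", ""):
        findings.append("bank account differs from the verified account on file")
    return findings


def decision(invoice: InboundInvoice, vendor: VendorRecord) -> str:
    return "HOLD: verify out of band" if screen(invoice, vendor) else "OK to pay"


# Constructed sample data (IBANs are published example values, not real accounts).
VENDOR = VendorRecord("Acme Supply", "acme-supply.com",
                      "GB29 NWBK 6016 1331 9268 19", ("billing@acme-supply.com",))
GENUINE = InboundInvoice("Acme Supply Billing", "billing@acme-supply.com", "",
                         "GB29 NWBK 6016 1331 9268 19")
LOOKALIKE = InboundInvoice("Acme Supply Billing", "billing@acrne-supply.com", "",
                           "GB94 BARC 1020 1530 0934 59")
HIJACKED = InboundInvoice("Acme Supply Billing", "billing@acme-supply.com",
                          "acme.billing@example.net", "GB94 BARC 1020 1530 0934 59")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("hijacked", HIJACKED)):
        print(label, "->", decision(inv, VENDOR), screen(inv, VENDOR))
```

Note what the hijacked case shows: when the fraudster uses the real compromised account (the first impersonation method above), every identity check passes, and only the diverted Reply-To and the changed bank account give the game away. That is why the bank-detail comparison, followed by a callback to a phone number already on file rather than one printed on the invoice, has to be the control of last resort. Timing is deliberately not checked: an invoice that arrives exactly when one is expected is the attacker's goal, not an anomaly.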
A comparison between VEC and BEC
How is Vendor Email Compromise different from Business Email Compromise and how are they similar?
In both cases, attackers need access to a business email account, or use spoofed email addresses, to trick their targets into transferring money to bank accounts they control. Beyond that, the two differ as follows:

| Business Email Compromise (BEC) | Vendor Email Compromise (VEC) |
| --- | --- |
| A traditional BEC attack takes place inside the targeted organization. Example: the fraudster, impersonating the CEO, asks someone in the organization to make a payment. | Attackers break into the vendor's email accounts and target its customers. Ironically, the initial victim (the vendor) usually suffers no direct financial loss. Example: the fraudster, impersonating an employee in the vendor's finance department, sends a fake invoice to the customer. |
| Attackers usually collect information about their targets from social media and other publicly available sources. | The attack runs in multiple stages, during which the attacker gathers enough about the target to imitate them convincingly (how the targeted employees phrase emails, their sign-offs, their email signature, etc.). |
| Scammers rely on a sense of urgency in their communication with the target. | VEC attacks require extreme patience. Attackers research their targets extensively to learn as much valuable information as they can. |
How to protect your business from VEC/BEC attacks
Naturally, VEC attacks are hard to identify, whether you work for the vendor or for the customer. They can go on for months without being detected, and traditional security solutions are poor at picking up these threats, so a mix of human vigilance and the right security tools is what it takes to prevent and stop them before they damage your organization.
So, how can Business/Vendor Email Compromise be avoided?
1. Train your employees
First, your staff should be able to identify the tell-tale signs of phishing (a suspicious sender address or URL, a request to "update" their credentials or "verify" their identity, and so on).
This basic knowledge comes from regular cybersecurity training, so make sure all your employees are on the same page when it comes to recognizing phishing and other types of cyberattacks.
Secondly, your organization should use a next-gen proactive antimalware solution that blocks malicious links if an employee does click on them.
2. Implement multi-factor authentication methods
Suppose your employees could not tell they had fallen for a phishing attack, and that you were not using a security solution that could have blocked it.
Having obtained your employees' credentials, the attackers will now try to log in to their email accounts, so a good way to prevent unauthorized access is multi-factor authentication. Pair it with regular reviews of mailbox forwarding and redirect rules, since those are the first thing the attackers set up after a takeover (see Phase 2 above). I've written extensively about password security best practices here, so feel free to check out that guide as well.
3. Constantly review your cybersecurity policy
Your mandatory training should be accompanied by a cybersecurity policy, so make sure you have one in place and update it whenever necessary. Don't keep an antiquated one that becomes obsolete as cyber threats evolve.
Your company's cybersecurity policy should cover the best practices everyone must follow, as well as the actionable steps employees must take at the first sign of compromise.
Don't forget about your remote employees, either. Your cybersecurity policy should have a section dedicated to remote workers, who may sometimes be at higher risk than your on-site staff. I encourage you to also take a look at the guide in which I explain what the cybersecurity issues with remote work are and how to address them.
4. Use a next-generation email fraud protection solution
Certain advanced threats cannot be detected and blocked by traditional spam filters. A standard email security solution will not identify business email compromise: fake money-transfer requests, CEO impersonation emails, malicious content in historical emails, spoofed emails, and so on.
This is why we've developed MailSentry, an email security solution specifically designed to quickly detect fraud and fake invoices, helping you save time and skip manual background checks.
MailSentry works as an add-on to existing spam filter solutions.
It scans email content and attachments for fraudulent account numbers, invoice modifications, and signs of impostors. It is based on artificial intelligence that detects the signs of the most advanced cyber threats, uses more than 125 vectors of analysis, and is fully coupled with live threat intelligence to find and stop Business Email Compromise, CEO fraud, phishing, and complex malware. It is also backed by a live 24/7 anti-fraud specialist team.
MailSentry is the only next-gen email security solution in the world connected to bank systems, capable of cross-checking IBANs and account numbers against known money mule accounts.
Business Email Compromise is one of the fastest-growing threats in today's threat landscape. As cybercriminals keep refining their techniques to evade detection, it becomes increasingly hard to keep your confidential data and money safe.
If you are a vendor, train your employees to be extra cautious in any contact with both your customers and internal stakeholders. If you are a company that does business with vendors, the same rules apply. You can never be too careful, as you never know where malicious actors and advanced cyber threats may be hiding. The good news is that your business can remain protected and competitive if you put the necessary preventive measures in place.