'Vendor Email Compromise': A New Attack Twist
Agari Researchers Describe a New Flavor of Business Email Compromise Scams
A newly discovered cybercriminal gang is putting a twist on business email compromise scams by initially targeting vendors or suppliers with phishing emails and then sending realistic-looking invoices to their customers in order to steal money, according to the security firm Agari. The researchers label this new approach "vendor email compromise."
The group, which Agari researchers call "Silent Starling," has been operating since at least 2018. It has targeted about 500 businesses throughout the world, compromising about 700 employees' email accounts along the way, the researchers estimate.
Crane Hassold, the senior director of threat research at Agari, predicts this new flavor of business email compromise attacks will proliferate because scammers have developed the ability to create authentic-looking invoices that can potentially produce a much greater windfall.
"We were able to get really good visibility into the overall attack chain with how these attacks occur," Hassold tells Information Security Media Group. "We know these types of attacks have been going on for a while now and have been increasing in frequency over the last year or so. The very ironic part about these attacks is that the original victim is not the ultimate victim that actually loses all the money."
Agari says most of the targets of Silent Starling are in the U.S., Canada, the U.K. and Western Europe.
Agari published its research about the Silent Starling gang on Wednesday, but Hassold says the company had already been in touch with law enforcement with details about these vendor email compromise schemes.
Other criminal gangs are taking similar approaches, Hassold notes. In August, the FBI charged a Nigerian man with helping to compromise the email account of the CFO of Unatrac Holding Limited - a U.K. affiliate of U.S. heavy equipment manufacturer Caterpillar. In this case, the suspect used compromised email accounts to send out phony wire transfers and invoices using the CFO's name, title, company logos and other information (see: FBI Arrests Nigerian Suspect in $11 Million BEC Scheme).
Brian Honan, president of Dublin-based cybersecurity consultancy BH Consulting, tells ISMG that for over a year he's been working with clients who have experienced similar scams, including companies receiving invoices where the banking account number has changed.
"In all situations the victims of the attacks were using cloud-based email solutions and the criminals either phished the password from someone within the accounts department, or the person in the accounts department reused a password for their work email that had been compromised in another breach," Honan says, adding that he has advised clients to turn on multi-factor authentication or to block IP addresses from certain countries to curtail some of this activity.
It All Starts With a Phish
As with the longstanding standard business email compromise approaches, the Silent Starling group starts out with phishing messages that target company employees. But they focus their efforts on suppliers, the Agari research shows.
Most of the targeted vendors are small-scale operations that provide materials or services to larger companies, Hassold says.
These types of phishing emails are typically disguised as voicemail or fax notifications, urgent requests to check documents or notifications that credentials need to be reset following suspicious activity, the report notes.
If the targeted vendor employee clicks on a link in that phishing email, they are directed to a spoofed website designed to look like either a Microsoft OneDrive or DocuSign login page. The employee is then asked to enter their credentials, and the harvested credentials are emailed back to the gang, the research finds.
Once the gang has the credentials, it logs in to the account and creates a forwarding rule within the email platform, so that copies of every message the targeted employee receives or sends are delivered to the Silent Starling gang.
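The forwarding rule is the part of this chain a defender can actually see in mailbox audit logs, because the attacker has to create it from inside the account. The following added example (not Agari's tooling, and not code from the original article) flags rules and mailbox settings that forward mail to an external domain. The record shape, with an operation name, the acting user, a client IP and a list of Name/Value parameters, is a simplified version of the Exchange admin entries in the Microsoft 365 unified audit log; the sample events and all domain names are constructed for the example, and the set of internal domains is an assumption.

```python
"""Flag mailbox rules that silently forward a user's mail outside the company.

Added example, not Agari's tooling. The record shape (Operation, UserId,
ClientIP, Parameters as Name/Value pairs) is a simplified version of the
Exchange admin entries in the Microsoft 365 unified audit log; the events
below are constructed and the domain names are placeholders.
"""

# Assumption: the tenant's own mail domains; anything else counts as external.
INTERNAL_DOMAINS = {"example-vendor.com"}

# Cmdlet parameters that cause a copy of mail to leave the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {   # attacker-created rule: forwards everything out and deletes the local copy
        "Operation": "New-InboxRule",
        "UserId": "bob@example-vendor.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "ForwardTo", "Value": "smtp:invoices.archive@mail-relay.example"},
            {"Name": "DeleteMessage", "Value": "True"},
        ],
    },
    {   # benign: forwards to a colleague inside the company
        "Operation": "New-InboxRule",
        "UserId": "alice@example-vendor.com",
        "ClientIP": "198.51.100.7",
        "Parameters": [
            {"Name": "Name", "Value": "Cover while on leave"},
            {"Name": "ForwardTo", "Value": "Carol <carol@example-vendor.com>"},
        ],
    },
    {   # mailbox-level forwarding, the setting used when the attacker has that right
        "Operation": "Set-Mailbox",
        "UserId": "bob@example-vendor.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [
            {"Name": "ForwardingSmtpAddress", "Value": "smtp:bob.backup@mail-relay.example"},
            {"Name": "DeliverToMailboxAndForward", "Value": "True"},
        ],
    },
    {   # unrelated operation, ignored by the detector
        "Operation": "MailboxLogin",
        "UserId": "bob@example-vendor.com",
        "ClientIP": "203.0.113.45",
        "Parameters": [],
    },
]


def address_domain(address):
    """Extract the domain from 'smtp:user@dom', 'Name <user@dom>' or 'user@dom'."""
    addr = address.strip()
    if addr.lower().startswith("smtp:"):
        addr = addr[5:]
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def external_targets(event):
    """Return the forwarding targets in an event that point outside INTERNAL_DOMAINS."""
    targets = []
    for param in event.get("Parameters", []):
        if param["Name"] not in FORWARD_PARAMS:
            continue
        for addr in str(param["Value"]).split(";"):  # multi-recipient values are ';'-joined
            domain = address_domain(addr)
            if domain and domain not in INTERNAL_DOMAINS:
                targets.append(addr.strip())
    return targets


def find_suspicious_rules(events):
    """Return one finding per rule or mailbox change that forwards mail externally."""
    findings = []
    for event in events:
        if event.get("Operation") not in RULE_OPERATIONS:
            continue
        targets = external_targets(event)
        if not targets:
            continue
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        findings.append({
            "mailbox": event.get("UserId"),
            "operation": event["Operation"],
            "client_ip": event.get("ClientIP"),
            "targets": targets,
            # Deleting the forwarded message hides the rule's effect from the mailbox owner.
            "deletes_copy": str(params.get("DeleteMessage", "")).lower() == "true",
            "rule_name": params.get("Name"),
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_EVENTS):
        print(f"{f['operation']:<14} {f['mailbox']:<26} -> {', '.join(f['targets'])}"
              f"  from {f['client_ip']}  deletes copy: {f['deletes_copy']}")
```

Run against the constructed events, the detector reports Bob's inbox rule and the mailbox-level forwarding setting and ignores Alice's internal rule. A rule named with a single character, combined with deletion of the forwarded copy, is the pattern to prioritise, and the client IP on the creating event is the pivot for the corresponding login.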
The group then spends weeks or months studying the emails and billing patterns to help craft realistic-looking invoices with proper logos, spelling and grammar that are sent to the vendor’s customers. If those invoices are paid, the money is sent to bank accounts that gang members control, according to the Agari report.
"The [fake] invoices are for payments that are actually about to happen," Hassold says. "The timing is right and the payment is due. The only difference is that the bank account number has been updated, but everything else - the context, the timing, the communication from the supposed vendor, the invoice itself - all looks completely legitimate. And that's why this type of attack is extremely effective."
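Because the sender, timing, amount and invoice layout are all genuine in a vendor email compromise, the one control that still fires is a comparison of the invoice's bank details against what is already on record for that vendor. The following added example (not code from Agari or from the article) illustrates that check as a small accounts-payable gate, alongside the lookalike-domain check that catches classic BEC but not this variant. The vendor master record, the three invoices, the IBANs and the domain names are all constructed placeholders; in practice the master record comes from the ERP or AP system, and a hold is cleared by phoning the number already on file, never a number printed on the new invoice.

```python
"""Hold an invoice whose bank details differ from the vendor master record.

Added example, not code from Agari or ISMG. The vendor master, the invoices,
the IBANs and the domain names are constructed placeholders.
"""
from datetime import date

# Constructed vendor master record, keyed by vendor ID.
VENDOR_MASTER = {
    "V-1042": {
        "name": "Acme Fasteners Ltd",
        "email_domain": "acmefasteners.example",
        "iban": "GB29 NWBK 6016 1331 9268 19",
        "phone_on_file": "+44 20 7946 0000",
    },
}


def normalise_account(value):
    """Strip spaces and case so cosmetic formatting cannot mask a real change."""
    return "".join(value.split()).upper()


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def check_invoice(invoice, master=VENDOR_MASTER):
    """Return ('pay', []) or ('hold', [reasons]) for one inbound invoice.

    The bank-detail comparison is the check that still fires in a vendor email
    compromise, where the mail really does come from the vendor's own mailbox.
    """
    vendor = master.get(invoice["vendor_id"])
    if vendor is None:
        return "hold", ["vendor ID not in master record"]
    reasons = []
    if normalise_account(invoice["iban"]) != normalise_account(vendor["iban"]):
        reasons.append("bank details differ from vendor master; "
                       f"confirm by phone on {vendor['phone_on_file']}")
    if sender_domain(invoice["from"]) != vendor["email_domain"]:
        reasons.append(f"sender domain {sender_domain(invoice['from'])} "
                       f"is not {vendor['email_domain']}")
    return ("hold" if reasons else "pay"), reasons


# Constructed invoices.
LEGIT_INVOICE = {"vendor_id": "V-1042", "from": "billing@acmefasteners.example",
                 "amount": 48250.00, "due": date(2019, 10, 15),
                 "iban": "GB29NWBK60161331926819"}

# Sent from the vendor's real, compromised mailbox: same sender, amount and
# due date; only the IBAN has been swapped for an attacker-controlled account.
VEC_INVOICE = dict(LEGIT_INVOICE, iban="GB94 BARC 1020 1530 0934 59")

# Classic BEC: a lookalike domain (hyphen added) with the original bank details.
LOOKALIKE_INVOICE = dict(LEGIT_INVOICE, **{"from": "billing@acme-fasteners.example"})


if __name__ == "__main__":
    cases = [("legitimate", LEGIT_INVOICE),
             ("vendor email compromise", VEC_INVOICE),
             ("lookalike domain", LOOKALIKE_INVOICE)]
    for label, inv in cases:
        decision, reasons = check_invoice(inv)
        print(f"{label:<24} {decision:<5} {'; '.join(reasons)}")
```

The vendor-email-compromise invoice passes the sender check and is held only because its IBAN does not match the master record, which is the point of the quote above: the bank account is the single field the attacker has to change, so it is the single field that must be verified out of band whenever it differs.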
Agari identified three members of the Silent Starling gang who have connections to Nigeria, Hassold says. That's why the Agari researchers named the gang after a bird, the starling, that is common to West Africa; the "silent" refers to the group's stealth.
Hassold estimates that there are at least eight to 10 other people working for the group.
Other security researchers have also noted an increase in business email scams apparently originating in Nigeria, with some gangs even incorporating malware into their schemes (see: Nigerian BEC Scammers Use Malware to Up the Ante).
Recently, the U.S. Justice Department unsealed a far-ranging indictment that charged 80 people with participating in business email compromise and other online fraud schemes, many of whom are Nigerian nationals (see: 80 Indicted for Scams, Including Business Email Compromises).
Increase in BEC
Over the last several years, business email compromise scams have surged, with the U.S. Treasury Department estimating that these schemes are costing U.S. firms about $300 million a month.
In addition, law enforcement has found that BEC schemes have targeted businesses of all sizes in many industries, including healthcare (see: Business Email Compromise Targets Mental Health Provider).
And while business email compromise remains a growing problem for businesses, vendor email compromise could bring these schemes to a new level of sophistication, Hassold says.
"All of the red flags that we teach employees to look out for, like the grammar, where the email is coming from, the spelling - all of those do not exist in vendor email compromise," he says.