Business email compromise has grown into a billion-dollar industry as cybercriminals use look-alike domains and display name deception to trick employees into revealing sensitive information or depositing money into criminally owned bank accounts. When they can compromise a legitimate account and use it to send malicious messages, the success rate becomes even greater. And cybercriminals are taking advantage, to the tune of $3.6 billion per year and counting.
The Agari Cyber Intelligence Division (ACID) has identified a West African cybergang, dubbed Silent Starling, that uses compromised email accounts to perpetrate a troubling new form of business email compromise that our researchers call vendor email compromise, or VEC. Our visibility into Silent Starling’s operations offers a direct and in-depth look into how the VEC attack chain unfolds.
Unlike typical BEC scams designed to defraud a single organization, this type of attack targets entire supply chains, using legitimate employee email accounts to swindle a business’s customers into paying fraudulent invoices. Because of its covert nature, VEC is much harder for companies to protect themselves against.
Operatives of Silent Starling initiate these attacks by hijacking email accounts belonging to employees within a targeted company’s finance department. The fraudsters then lay low, methodically gathering information, data, and critical context from email archives and all the communications passing through these captured mailboxes. Armed with this intel, operatives can then send perfectly timed messages to multiple targets, requesting payment on fraudulent invoices or changes to vendor payment details.
Most common security controls are unable to recognize this kind of socially-engineered email message, especially when it is nearly indistinguishable from those typically sent by the impersonated vendor or supplier. Only the bank account details are different.
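As an added illustration of the defender's side (this is not code from the Agari report), one check a mail-filtering pipeline can run against exactly this pattern: treat the vendor's sending domain as genuine, but flag any payment-related message whose bank account differs from the account already on file for that vendor. The vendor ledger, domains and account numbers below are constructed sample values.

```python
import re
from typing import List, Optional

# Constructed vendor ledger: the bank account on file for each vendor's sending domain.
VENDOR_ACCOUNTS = {
    "acme-supplies.example": "GB29NWBK60161331926819",
    "northwind-parts.example": "DE89370400440532013000",
}

# Loose IBAN shape (country code, check digits, grouped alphanumerics); spaces allowed.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,4})?\b")
# Words that mark a message as an invoice or a payment-instruction change.
PAYMENT_WORDS = ("invoice", "remit", "bank details", "wire", "payment")


def sender_domain(from_header: str) -> str:
    """Lowercased domain of a From: value such as 'Jane Doe <jane@acme-supplies.example>'."""
    addr = from_header.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def extract_ibans(body: str) -> List[str]:
    """All IBAN-shaped strings in the body, with spaces removed for comparison."""
    return [m.replace(" ", "") for m in IBAN_RE.findall(body)]


def check_payment_email(from_header: str, body: str) -> Optional[str]:
    """Return an alert string when mail from a known vendor carries a bank account
    that differs from the ledger; None when nothing is suspicious.

    The sender is deliberately trusted: in VEC the mailbox really is the vendor's,
    so the only signal left is the changed account number.
    """
    domain = sender_domain(from_header)
    on_file = VENDOR_ACCOUNTS.get(domain)
    if on_file is None or not any(w in body.lower() for w in PAYMENT_WORDS):
        return None
    for iban in extract_ibans(body):
        if iban != on_file:
            return f"ALERT {domain}: account {iban} differs from ledger {on_file}"
    return None
```

A mismatch should route the message for out-of-band verification with the vendor (a phone call to a number already on file), since a reply to the same compromised mailbox would reach the fraudster.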
In the course of our research, Agari was able to document Silent Starling’s successful infiltration of more than 700 employee email accounts, spanning more than 500 companies in the United States and over a dozen other countries, collecting more than 20,000 internal and sensitive emails since late 2018.
As Silent Starling and other fraud groups continue to evolve this attack modality, VEC scams will proliferate, and the financial impact will be harrowing, causing disruption throughout the global supply chain.