Vendor email compromise is a new form of advanced email attack that uses compromised email accounts to target the global supply chain. With the cybercriminal group we’ve named Silent Starling, we see how devastating these attacks can be.

Download the threat actor dossier to learn:

  • How Silent Starling uses phishing email lures to target their victims
  • Why compromised email accounts make email attacks easy to execute
  • Which regions are most impacted by this form of attack
  • Why vendor email compromise will be the largest cyber threat in the next 12-18 months

Want to learn more about Silent Starling? Check out the webinar here.

Silent Starling
Scamming The Supply Chain

The investigation by the Agari Cyber Intelligence Division (ACID) into cybercriminal group Silent Starling offers visibility into a new attack vector we’ve named vendor email compromise. From our research, we have discovered that cybercriminals are infiltrating email accounts and using them in new ways to trick customers into paying fake invoices.

This attack on the supply chain represents a dangerous new phase in the evolution of business email compromise. Unlike traditional BEC attacks targeting a single company, VEC scammers use legitimate accounts to target a company’s supply chain ecosystem—often scamming dozens of customers at once.

According to the US Treasury Department, businesses lose as much as $300 million per month to BEC scams overall. Payment invoice scams accounted for nearly half of those fraudulent transactions in 2018, to the tune of more than $1.5 billion in business losses. That number is likely to be even higher when cybercriminals gain access to legitimate email accounts and use them to run their scams.

Silent Starling is the first case in which Agari has documented a cybergang using VEC as its primary method for scamming businesses. Unfortunately, we do not expect it to be the last, as vendor email compromise becomes the most dangerous cyberthreat faced by businesses and their supply chains in the next year.

Angling For Prey
Silent Starling Takes the Stage

Every single day, researchers in the Agari Cyber Intelligence Division engage with dozens of BEC scammers who have tried (and failed) to target our customers. In doing so, we collect rich intelligence that allows us to better understand cybercriminal group operations, discover and track the evolution of their methods over time, unravel the financial infrastructure they use to launder stolen proceeds, and uncover the identities of those involved in the criminal schemes.

In July 2019, one of these active defense engagements led us to a cybercriminal organization we’ve dubbed Silent Starling—named after an invasive species of bird native to West Africa. The messages below detail our initial interaction with the group.

Silent Starling attempted to attack an Agari customer by impersonating the CEO in an email directed toward the CFO with a basic subject line of “Request.” Like most BEC attacks, the initial email message was brief and was meant to elicit a response from the target. In this case, the attacker wanted to know if a wire transfer could be sent before the end of the day.

We took action and re-crafted a new email conversation with the scammer from a separate persona account, creating new identities for a fake CEO and CFO and simply recycling the original email subject and body. This switch was done to protect the identities of those in the target email.

Under this new persona, we responded to the scammer, generously offering to help him take care of the necessary transfer.

Fourteen minutes later, our fake CEO provided us with the first of many mule accounts where he wanted the $17,290 “transfer” to be sent.

When he never received confirmation that the funds had been transferred, the fake CEO contacted our persona CFO and inquired about the status of the payment. Unfortunately for the scammer, the bank found an “issue” with the account and the payment was rejected.

However, because our persona CFO is so helpful, they offered to reprocess the payment to another account if the “vendor” had one. Predictably, the scammer obliged and offered another mule account for us to try.

The scammer quickly replied with new banking details.

This cycle of the Silent Starling actor sending us mule accounts and our fake CFO running into “problems” continued for more than a month. By the time the engagement finally ended, we had collected 13 different mule accounts used by the group to launder money from BEC attacks, which we passed to financial partners and law enforcement.

In addition to actively engaging with the Silent Starling scammer, we used various tools and tactics that allowed us to gain significant insight into the group’s background, methods, and primary actors. What follows is an overview of what we discovered during our investigation into Silent Starling.
