Silent Starling is a cybercriminal organization with members that reside in and around Lagos, Nigeria. The group has been involved in criminal activity since 2015, starting with romance scams and check fraud before turning to BEC in mid-2016. For two years, Silent Starling scaled their BEC operations, focusing on wire transfer requests and gift card attacks, before evolving their methods to commit VEC scams in late 2018.
While we believe Silent Starling is larger than what our visibility covers, our research has identified three primary members responsible for day-to-day operations.
In addition to these three group members, we have identified information linking at least eight other individuals who have assisted the core group of actors in various ways. Similar to what we have observed with other groups, Silent Starling has a loose structure with central players and tangential actors who are responsible for specific tasks, such as collecting targeting leads, obtaining mule accounts, and monitoring compromised email accounts for relevant information.
The ultimate targets of these attacks are a vendor’s or supplier’s customers, who are sent realistic-looking phishing emails requesting payment for an actual service. Because the emails closely mimic the look and feel of legitimate correspondence from the compromised vendor, the success rate and financial loss caused by VEC attacks can be significantly higher than other types of email-based attacks.
VEC scams are technically a form of business email compromise, yet they are distinctive in their required level of sophistication, sourced intelligence, and savvy customization—as well as in their superior payout potential.
BEC fraud relies on economies of scale to convert leads into financial rewards. In a typical BEC scheme, fraudsters gather information on possible targets by researching job roles and contact email addresses, as well as the name of the CEO or other high-profile executives. The fraudster then uses that intelligence to spoof the email address of a trusted executive, sending emails to lower-level employees requesting wire transfers or gift cards. A certain number of recipients will be hoodwinked into making a payment. But as the percentage of people who can be tricked into completing requests drops off, the campaign becomes less successful.
By contrast, VEC is something far more insidious. The front-end of these attacks can be as broad as BEC campaigns, but once an email account is compromised within a target organization, threat actors must exercise extreme patience. Lurking in the background, they find opportunities to compromise additional email accounts, typically targeting those in the finance department. These are the most important accounts, as they have the appropriate authority to issue invoices to the organization’s customers or authorize payments on invoices coming from suppliers.
To run their scam effectively, the fraudsters need to observe and understand the ebb and flow of an organization’s entire workflow. For example, if a supplier is on payment terms of 60 days, and a scammer makes a follow-up request after only 30 days, they risk drawing unwanted attention. To avoid such errors, the fraudsters lie low, surveilling email messages to prepare and launch exquisitely personalized attacks on the business’s employees, customers, or partners.
A differentiating element of VEC, as compared to a typical vendor invoice scam, is that the bad actor infiltrates an email account and then lies in wait so that he can observe transactions, conversations, and exchanges taking place within that email account. As a result, that actor gains valuable context around a vendor’s invoicing cadence, processes, and customers. This intelligence enables him to create emails that are realistic to the point that they are virtually undetectable. Making matters worse, they are launched from legitimate accounts of real employees. It’s no surprise that VEC is working.
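Because VEC mail really does come from the vendor's mailbox, sender authentication cannot catch it; the signals left to a customer's accounts-payable team are content and timing. As an added example (not code from the report or from Agari), the following Python checks an incoming vendor invoice mail against a constructed payment baseline for the two signals described above: bank details that differ from the vendor's history, and a reminder that arrives before the agreed terms have elapsed. The vendor address, IBANs and sample mail are hypothetical.

```python
import re
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr

# Constructed accounts-payable baseline (hypothetical, not from the report):
# the bank account each vendor has used on past invoices and its payment terms.
VENDOR_BASELINE = {
    "billing@acme-supplies.example": {"iban": "GB00ACME00000001", "terms_days": 60},
}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
INVOICE_DATE_RE = re.compile(r"Invoice date:\s*(\d{4}-\d{2}-\d{2})")
REMINDER_RE = re.compile(r"\b(reminder|overdue|past due|follow[- ]?up)\b", re.I)

def review_invoice_mail(raw: str, received: str) -> list[str]:
    """Return the reasons a vendor invoice mail deserves an out-of-band check.
    VEC mail comes from the vendor's real mailbox, so sender authentication
    passes; the remaining signals are content and timing: a bank account that
    differs from the vendor's history, or a reminder sent before terms elapse.
    """
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    baseline = VENDOR_BASELINE.get(sender)
    if baseline is None:
        return ["sender not in vendor baseline; verify by phone before paying"]
    body = msg.get_payload()
    flags = []
    ibans = set(IBAN_RE.findall(body))
    if ibans and ibans != {baseline["iban"]}:
        flags.append("bank account differs from vendor baseline")
    m = INVOICE_DATE_RE.search(body)
    if m and REMINDER_RE.search(msg.get("Subject", "")):
        invoice_date = datetime.strptime(m.group(1), "%Y-%m-%d").date()
        age = (datetime.strptime(received, "%Y-%m-%d").date() - invoice_date).days
        if age < baseline["terms_days"]:
            flags.append(f"reminder after {age} days; agreed terms are {baseline['terms_days']} days")
    return flags

# Constructed sample: a reminder sent from the real vendor mailbox 30 days into
# 60-day terms, carrying "updated" bank details. Both signals should fire.
SAMPLE_REMINDER = """\
From: Acme Supplies <billing@acme-supplies.example>
Subject: Reminder: invoice 4471 payment

Invoice date: 2019-03-01
Please note our updated bank details for this and future invoices:
IBAN GB99MULE00000002
"""

if __name__ == "__main__":
    print(review_invoice_mail(SAMPLE_REMINDER, "2019-03-31"))
```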