Vendor email compromise is a new form of advanced email attack that uses compromised email accounts to target the global supply chain. With the cybercriminal group we’ve named Silent Starling, we see how devastating these attacks can be.

Download the threat actor dossier to:

  • How Silent Starling uses phishing email lures to target their victims
  • Why compromised email accounts make email attacks easy to execute
  • Which regions are most impacted by this form of attack
  • Why vendor email compromise will be the largest cyber threat in the next 12-18 months

Want to learn more about Silent Starling? Check out the webinar here.

From Credentials to Cash-Out
How Silent Starling Snares Their Victims

The first step in the VEC attack chain is to compromise business email accounts that can be used to collect intelligence to exploit later in the attack process. The primary method VEC actors use to collect account credentials is credential phishing.

Using Legitimate Services for Illegitimate Activities

Like most credential phishing attacks targeting enterprise email accounts, Silent Starling’s credential phishing emails posed as commonly-used business applications. While the group has used a number of different phishing lure templates since the beginning of 2018, the phishing sites these lures link to usually mimic Microsoft OneDrive or DocuSign login pages, as well as voicemail and fax notifications.

Example Phishing Lures Used by Silent Starling

OneDrive Phishing Site Used by Silent Starling

Our research identified more than 70 phishing sites used by Silent Starling to collect compromised email credentials. From these phishing sites, Silent Starling collected credentials for more than 700 employee email accounts at over 500 companies in 14 countries. While a few compromised accounts came from users in Central America, East Asia, and Europe, nearly all (97%) of the victims of Silent Starling’s credential phishing attacks were located in three countries: the United States, Canada, and the United Kingdom.

Map of Silent Starling Credential Phishing Victim Locations

 

As their credential phishing attacks yielded successful results, Silent Starling actors regularly reviewed the incoming credentials, weeding out results that were likely fake or useless and extracting compromised accounts that they considered valuable. Members of the group starred incoming emails with notable account data and made notes to “check later” batches of compromised accounts, especially when a large number of accounts were collected from a single company.

Most scammers test the functionality of a phishing site to be used in an attack by submitting dummy credentials to the site prior to sending out phishing campaigns. Ironically, this approach can lead to attribution leakage during the intelligence collection process because most phishing kits are designed to collect additional information about a victim, such as IP address, location, and user agent string data. Our analysis of Silent Starling attacks uncovered multiple test submissions that backed up our assessment that these actors resided in Nigeria.

Attribution Leakage from a Silent Starling Phishing Test Submission

Finding Success in Phishing 

So how effective can these credential phishing campaigns be? In one case, Silent Starling compromised the email accounts of 39 employees at a single US-based company over the course of five distinct OneDrive phishing campaigns between September 2018 and March 2019. The credentials of billing specialists, branch managers, sales account executives, human resources employees, business consultants, and a senior executive were compromised in these campaigns.

In one February 2019 campaign targeting this company, 13 email accounts were compromised within thirty minutes from the time the campaign was initiated, highlighting how fast these attacks can produce devastating results. At least six employees also had their personal email account credentials compromised as a direct result of Silent Starling’s phishing tactics. And once a company has been successfully compromised, it only gets worse, likely due to the fact that those employees are considered ripe for exploitation.

 

 

Close button
Mail Letter

Would you like the confidence to trust your inbox?