The first step in the VEC attack chain is to compromise business email accounts that can be used to collect intelligence to exploit later in the attack process. The primary method VEC actors use to collect account credentials is credential phishing.
Like most credential phishing attacks targeting enterprise email accounts, Silent Starling’s credential phishing emails posed as commonly used business applications. While the group has used a number of different phishing lure templates since the beginning of 2018, the phishing sites these lures link to usually mimic Microsoft OneDrive or DocuSign login pages, or pose as voicemail and fax notifications.
Example Phishing Lures Used by Silent Starling
OneDrive Phishing Site Used by Silent Starling
Our research identified more than 70 phishing sites used by Silent Starling to collect compromised email credentials. From these phishing sites, Silent Starling collected credentials for more than 700 employee email accounts at over 500 companies in 14 countries. While a few compromised accounts came from users in Central America, East Asia, and Europe, nearly all (97%) of the victims of Silent Starling’s credential phishing attacks were located in three countries: the United States, Canada, and the United Kingdom.
Map of Silent Starling Credential Phishing Victim Locations
As their credential phishing attacks yielded successful results, Silent Starling actors regularly reviewed the incoming credentials, weeding out results that were likely fake or useless and extracting compromised accounts that they considered valuable. Members of the group starred incoming emails with notable account data and made notes to “check later” batches of compromised accounts, especially when a large number of accounts were collected from a single company.
Most scammers test the functionality of a phishing site to be used in an attack by submitting dummy credentials to the site prior to sending out phishing campaigns. Ironically, this approach can lead to attribution leakage during the intelligence collection process because most phishing kits are designed to collect additional information about a victim, such as IP address, location, and user agent string data. Our analysis of Silent Starling attacks uncovered multiple test submissions that backed up our assessment that these actors resided in Nigeria.
Attribution Leakage from a Silent Starling Phishing Test Submission
So how effective can these credential phishing campaigns be? In one case, Silent Starling compromised the email accounts of 39 employees at a single US-based company over the course of five distinct OneDrive phishing campaigns between September 2018 and March 2019. The credentials of billing specialists, branch managers, sales account executives, human resources employees, business consultants, and a senior executive were compromised in these campaigns.
In one February 2019 campaign targeting this company, 13 email accounts were compromised within thirty minutes of the campaign being initiated, highlighting how fast these attacks can produce devastating results. At least six employees also had their personal email account credentials compromised as a direct result of Silent Starling’s phishing tactics. And once a company has been successfully compromised, the situation only gets worse, likely because its employees are then considered ripe for further exploitation.