The purpose of this step is to identify high-value vendor/supplier accounts and collect intelligence from these accounts so they can be used at a later date to craft a devastatingly realistic invoice in the next phase of the attack, which targets the vendor’s customers.
Silent Starling’s preferred method for collecting intelligence from compromised mailboxes is to set up a forwarding rule on the compromised email account that simply delivers a copy of each incoming email message to a separate email account controlled by the group. Another common tactic used by VEC attackers is to redirect messages rather than forward them. The effect of these rules is the same: the scammers obtain duplicates of all incoming communication to the victim. The only difference is how the diverted emails appear in the scammer’s inbox.
Because these rules do not modify or remove messages from the mailbox, a victim will likely see no overt sign that scammers are reading the communication flowing through it until it is too late. Unless the victim is alerted to suspicious activity, for example by a customer complaining about a questionable invoice, a cybercriminal can sit on a compromised email account and collect intelligence for months without ever being detected. The rule itself is still an artifact in the mailbox configuration, however, so reviewing forwarding and redirect rules is the natural place to look for this kind of compromise.
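The check a defender would run against this tactic is a sweep of mailbox-rule and forwarding changes for destinations outside the organisation. The Python below is an added example written for this page, not code from Agari or from the Silent Starling investigation. It assumes audit records in the general shape of Exchange admin audit log entries (an `Operation` name plus a `Parameters` list of `Name`/`Value` pairs; simplified here), a single assumed internal domain `vendor-example.com`, and a handful of constructed sample records that are not real log data. It flags both inbox rules (`ForwardTo`, `ForwardAsAttachmentTo`, `RedirectTo`) and mailbox-level forwarding (`ForwardingSmtpAddress`, `ForwardingAddress`), and separately marks rules that also delete or mark-as-read the diverted copy, since the plain forwarding rule described above leaves messages untouched and a rule that hides them is a stronger signal.

```python
import re

# Assumption for this added example: the organisation owns one mail domain.
INTERNAL_DOMAINS = {"vendor-example.com"}

# Inbox-rule parameters that divert mail. ForwardTo and ForwardAsAttachmentTo
# leave the original in the mailbox (the forwarding rule described above);
# RedirectTo passes the message on as if it had never arrived. Either way the
# victim's mailbox is not visibly altered.
DIVERT_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Mailbox-level forwarding set with Set-Mailbox achieves the same effect
# without creating an inbox rule at all.
MAILBOX_FORWARD_PARAMS = ("ForwardingSmtpAddress", "ForwardingAddress")

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def external_addresses(value):
    """Return the addresses in a recipient parameter that are outside INTERNAL_DOMAINS.

    Recipient parameters appear in several shapes ('SMTP:x@y', 'Name <x@y>',
    a semicolon-separated list); a regex pulls out whatever addresses are present."""
    found = set()
    for addr in EMAIL_RE.findall(value or ""):
        if addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
            found.add(addr.lower())
    return sorted(found)


def _params(record):
    # Cmdlet parameters are carried as a list of {"Name": ..., "Value": ...}.
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def analyse(record):
    """Return a finding dict for one audit record, or None if it is benign."""
    op = record.get("Operation", "")
    p = _params(record)
    if op in ("New-InboxRule", "Set-InboxRule"):
        watched = DIVERT_PARAMS
    elif op == "Set-Mailbox":
        watched = MAILBOX_FORWARD_PARAMS
    else:
        return None

    external = sorted({a for name in watched for a in external_addresses(p.get(name))})
    if not external:
        return None

    # A rule that also deletes the copy or marks it read is covering its tracks;
    # the plain forwarding rule described in the text does neither.
    hides = any(p.get(k, "").lower() == "true" for k in ("DeleteMessage", "MarkAsRead"))
    return {
        "user": record.get("UserId", "?"),
        "operation": op,
        "rule": p.get("Name", ""),
        "external": external,
        "hides_evidence": hides,
    }


def scan(records):
    """Run analyse() over a list of audit records and keep the findings."""
    return [f for f in map(analyse, records) if f]


# Constructed sample records (not real log data) in the simplified shape assumed above.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "alice@vendor-example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "ForwardTo", "Value": "SMTP:collector@mail-drop.example"}]},
    {"Operation": "Set-InboxRule", "UserId": "bob@vendor-example.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "RedirectTo", "Value": "Finance <finance@vendor-example.com>"}]},
    {"Operation": "New-InboxRule", "UserId": "carol@vendor-example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "RedirectTo", "Value": "SMTP:drop@mail-drop.example"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "dave@vendor-example.com",
     "Parameters": [{"Name": "Identity", "Value": "dave"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:drop@mail-drop.example"}]},
    {"Operation": "MailItemsAccessed", "UserId": "alice@vendor-example.com", "Parameters": []},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```

Against the constructed records this reports alice (external forward), carol (external redirect that also marks the copy read) and dave (mailbox-level forwarding), and ignores bob's internal redirect. Domain matching is deliberately exact rather than a substring test, so a look-alike such as `vendor-example.com.evil.example` would still be reported as external.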
In one example, Silent Starling had access to an employee’s mailbox at a US-based real estate advisory firm for more than four months. During this time, Silent Starling received copies of more than 2,800 emails containing sensitive documents and communications, including income statements, invoices, customer agreements, rental injury reports, and other policy paperwork.
Forwarded Emails from Compromised Accounts Received by Silent Starling
Patience is a virtue in the VEC attack chain. Now that the attacker has a stream of information about a vendor’s inner workings, the attacker just needs to sit back and mine this email feed for artifacts that can be used to create a new phishing email that looks and feels completely legitimate.
To do so, the attacker looks for answers to a few specific questions:
A VEC scammer can receive hundreds or thousands of emails from compromised mailboxes, depending on the number of accounts feeding their pipeline. Since late 2018, Silent Starling has received copies of more than 20,000 emails from infiltrated inboxes.
Silent Starling associates review incoming messages and bookmark the ones that contain useful information. Based on the emails that group members have flagged, it is likely that they search for messages containing specific keywords related to payments, invoices, and payroll rather than reviewing each message individually. This strategy makes the process more efficient and likely surfaces most of the content the group needs for the final stage in the VEC attack chain.