Vendor email compromise is a new form of advanced email attack that uses compromised email accounts to target the global supply chain. With the cybercriminal group we’ve named Silent Starling, we see how devastating these attacks can be.

Download the threat actor dossier to learn:

  • How Silent Starling uses phishing email lures to target their victims
  • Why compromised email accounts make email attacks easy to execute
  • Which regions are most impacted by this form of attack
  • Why vendor email compromise will be the largest cyber threat in the next 12-18 months

Want to learn more about Silent Starling? Check out the webinar here.

Spy Craft
Moving the Attack Forward

Once Silent Starling has collected a cache of compromised business email accounts, it is time for them to put them to use. The goal of this next phase of the VEC attack chain is to access the contents of these compromised accounts, identify accounts belonging to employees that are involved in the payment process, and set up an inbox rule that sends copies of all incoming emails to the scammer.

The purpose of this step is to identify high-value vendor/supplier accounts and collect intelligence from these accounts so they can be used at a later date to craft a devastatingly realistic invoice in the next phase of the attack, which targets the vendor’s customers.

Inbox Rules: A Scammer’s Cloak of Invisibility

Silent Starling’s preferred method for collecting intelligence from compromised mailboxes is to set up a forwarding rule on the compromised email account that simply delivers a copy of each incoming email message to a separate email account controlled by the group. Another common tactic used by VEC attackers is to redirect messages rather than forward them. The effect of these rules is the same—the scammers obtain duplicates of all incoming communication to the victim. The only difference is how the diverted emails appear in the scammer’s inbox.

Because these rules do not modify or remove messages from a mailbox, a victim likely will not see any overt signs that scammers are spying on the communication flowing through his/her mailbox until it is too late. Unless a victim is alerted to potential suspicious activity, such as a customer complaining that they received a questionable invoice, a cybercriminal can sit on a compromised email account and collect intelligence for months without ever being detected.
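Because the rules themselves are silent to the victim, the practical place to catch this stage is the mailbox audit trail, where rule creation is logged even when the mailbox looks untouched. The following is an added detection example, not code from the report: it scans constructed audit records (shaped loosely after Exchange Online entries for New-InboxRule / Set-InboxRule, an assumed schema to verify against a real tenant export) and flags rules that forward or redirect mail to a domain outside the organisation, noting when the rule also hides its traces.

```python
"""Flag inbox-rule changes that forward/redirect mail outside the tenant (added example)."""
import json

# Rule parameters that divert a copy of mail to another mailbox (forward or redirect).
DIVERT_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Parameters an attacker may combine with diversion to hide the rule's effects.
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead", "MoveToFolder")

# Constructed sample audit records (JSON strings, as they might be exported).
# The Operation / UserId / Parameters[{Name, Value}] shape is an assumption.
SAMPLE_RECORDS = [
    json.dumps({"Operation": "New-InboxRule", "UserId": "ap@vendor.example",
                "Parameters": [{"Name": "Name", "Value": "Sync"},
                               {"Name": "ForwardTo", "Value": "backup.ap@freemail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"Operation": "New-InboxRule", "UserId": "hr@vendor.example",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Bulk"}]}),
    json.dumps({"Operation": "Set-InboxRule", "UserId": "ops@vendor.example",
                "Parameters": [{"Name": "RedirectTo", "Value": "cfo@vendor.example"}]}),
]

def is_external(address, internal_domains):
    """True if the address's domain is not one of the tenant's own domains."""
    domain = address.rsplit("@", 1)[-1].strip("<>\"' ").lower()
    return domain not in internal_domains

def find_suspicious_rules(records, internal_domains):
    """Return (user, operation, external_destinations, hides_evidence) for each
    rule that diverts mail to an external address; internal-only rules pass."""
    hits = []
    for raw in records:
        rec = json.loads(raw)
        if rec.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
        # A destination value may list several recipients separated by ';' or ','.
        dests = [d.strip() for k in DIVERT_PARAMS if k in params
                 for d in params[k].replace(";", ",").split(",") if d.strip()]
        external = [d for d in dests if is_external(d, internal_domains)]
        if external:
            hides = any(k in params for k in HIDE_PARAMS)
            hits.append((rec["UserId"], rec["Operation"], external, hides))
    return hits

if __name__ == "__main__":
    for hit in find_suspicious_rules(SAMPLE_RECORDS, {"vendor.example"}):
        print(hit)
```

Only the first constructed record is flagged: it forwards to a free-mail domain and deletes the original, the combination described above. Rules that merely file mail into a folder or redirect within the tenant are left alone so the alert stays actionable.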

In one example, Silent Starling had access to an employee’s mailbox at a US-based real estate advisory firm for more than four months. During this time, Silent Starling received copies of more than 2,800 emails containing sensitive documents and communications, including income statements, invoices, customer agreements, rental injury reports, and other policy paperwork.

Forwarded Emails from Compromised Accounts Received by Silent Starling 

The Early Bird Waits for the Worm

Patience is a virtue in the VEC attack chain. Now that the attacker has a stream of information about a vendor’s inner workings, the attacker just needs to sit back and mine this email feed for artifacts that can be used to create a new phishing email that looks and feels completely legitimate.

To do so, the attacker looks for answers to a few specific questions:

A VEC scammer can receive hundreds or thousands of emails from compromised mailboxes, depending on the number of accounts feeding their pipeline. Since late 2018, Silent Starling has received copies of more than 20,000 emails from infiltrated inboxes.

Silent Starling associates review incoming messages and bookmark those that contain useful information. Based on the emails that group members have flagged, it is likely that they search for messages containing specific keywords related to payments, invoices, and payroll, rather than reviewing each message individually. This strategy makes the process more efficient and likely identifies most of the content the group needs for the final stage in the VEC attack chain.
