Once an attacker has collected enough intelligence from a compromised account, he is ready to launch the next stage of the VEC attack chain, which involves using this wealth of information to send ultra-realistic phishing emails to the vendor’s customers. Like a typical BEC attack, the purpose of these spear-phishing emails is to trick the recipient into sending money to the scammer’s bank account.
Usually when a company is breached by a cyber attack, they bear the brunt of the financial impact. Ironically, the entity that is impacted the most by VEC attacks is not the original victim of the initial attack—the vendor or supplier. Rather, it is a completely separate organization that is targeted—the compromised vendor’s customer. In a rather cruel twist, these customers have no control over the security of the system where the attack began.
This final stage of a VEC attack takes advantage of three primary aspects of vendor/customer communication by identifying the appropriate contact, creating the right content, and ensuring that timing is consistent with previous correspondence.
The primary targets for impersonation in VEC attacks are employees that handle customer billing, rather than the company executives we see as targets in most BEC attacks. Most of Silent Starling’s marks have been accounts receivable employees or office managers of very small businesses.
VEC scammers impersonate vendor identities in three primary ways:
The latter two strategies require no additional access to the vendor’s email account. This means that once the initial compromise has occurred and an inbox rule has been set on the account, a scammer does not need to interact with the account again throughout the duration of the VEC attack chain, which highlights the stealth nature of these attacks.
Based on our observations of Silent Starling’s VEC attacks, attackers have used a combination of the first and third strategies described above. It seems their initial preference is to email secondary targets using a vendor’s compromised account. When they have lost the ability to log into a compromised account—likely because the account password has been changed— Silent Starling then pivots to using look-alike domains of impersonated vendors to continue their attacks.
It should be noted that even if the password is changed on an account that is forwarding emails to a VEC scammer, it does not mitigate the attack. This only prevents an attacker from regaining direct access to the account, but the flow of intelligence being sent as a result of the forwarding rule is not impacted.
As actors review emails being passed from compromised vendor email accounts, they are able to quickly recognize normal patterns in communication used by the employee linked to the account, as well as every other person that communicates regularly with that employee. These communication patterns play an integral role in the success of the final VEC attacks.
VEC scammers are careful to mirror the way an impersonated vendor typically constructs an email. How do they address a recipient? Are their emails generally brief or verbose? How do they usually close an email? All of this is essential to appear believable during an attack.
One of the more notable aspects of Silent Starling phishing emails that impersonate a vendor is how the group takes care to copy the signature of an impersonated vendor, no matter how intricate it may be. Including a vendor’s actual signature in an email is a sophisticated touch because, a person’s signature can often be a more recognizable identity association than a person’s email address.
The third variable a scammer uses to craft contextually realistic VEC attacks is timing. While a payment due date may seem innocuous, having access to previous invoices gives Silent Starling actors the framework they need to help them understand when to strike. For example, if they send an email to an unsuspecting customer too early, it could draw unwanted attention if the payee contacts the vendor asking why someone is reaching out to them well before the due date. Alternatively, if they wait too long, the invoice will have already been paid to the legitimate company and Silent Starling has missed its opportunity. However, if a scammer times their attack correctly, they can apply the perfect amount of pressure to persuade the customer to send a payment quickly.
During our research into Silent Starling, we observed multiple instances where the group used information they collected about a customer’s payment due date to their advantage. In one case, the group intercepted a message from the accounts receivable coordinator at a US-based marketing agency, intended for a franchise owner that was past due on a $168,000 payment. Within 24 hours of the email being sent, Silent Starling actors registered a look-alike domain, which they then used to impersonate the accounts receivable coordinator. Using this domain, they sent a follow-up email to the original recipient letting them know that the banking information for the payment had changed.
Email Containing Legitimate Payment Reminder Intercepted by Silent Starling
Silent Starling VEC Impersonation Email
While we cannot conclusively say whether this customer sent the money to Silent Starling, the chances this attack was successful are significant given the realistic nature of the email.
Another powerful artifact that VEC scammers may use to advantageously time their attacks is an aging report. An aging report, or schedule of accounts receivable, lists unpaid customer invoices and unused credit memos. It is an essential tool for both accounts and management to maintain an overview of their credit and collection processes, and breaks down outstanding debts into thirty day increments, culminating with payments that are more than ninety days overdue.
Armed with intelligence from these reports—customer names, their outstanding balances, and contact information—scammers can then assume the identity of an employee on the finance team, contact customers with outstanding debts, and request that they pay the balance referenced on the report. Scammers could also offer incentives to these customers for them to resolve their debts more quickly, such as reducing the amount they owe if they settle their outstanding balance immediately.
In one case, Silent Starling received multiple copies of aging reports that included details about delinquent payments of a company’s customers. This company works with thousands of small and mid-sized businesses across the United States for advertising services, so the aging reports passed on to Silent Starling were sometimes quite detailed. In early 2019, one consolidated aging report forwarded to a Silent Starling account included details of more than 3,500 customers with past due payments totaling more than $6.5 million. While we do not have any direct evidence that the group used this report for subsequent attacks, the value of the data and opportunity for abuse is significant.