Vendor Email Compromise (VEC): The Classic Business Email Compromise (BEC) Scheme wit

[harlan4096]

How Cybercriminals Behind VEC Attacks Operate

A new email fraud scheme has taken Business Email Compromise (BEC) to a whole new level of sophistication. The recently discovered type of email scam has been dubbed Vendor Email Compromise (VEC) and as its name suggests, the attackers prey on employees working at vendor companies.

A new cybercriminal group, identified as Silent Starling by researchers at Agari, ran these malicious email campaigns. The fraudsters hacked the email accounts of employees working in the target’s finance department and gathered as much information as they could from their inboxes. In the end, the scammers sent them perfectly timed payment requests accompanied by fake invoices.

Since late 2018, over 700 employee accounts from more than 500 companies in the United States and over a dozen other countries have been compromised. Consequently, more than 20,000 sensitive emails have been harvested.

Vendor Email Compromise, a new milestone in the evolution of BEC attacks

Traditionally, a BEC attack is based upon what is commonly referred to as CEO fraud or the impersonation of an upper or middle-management employee. In this case, fraudsters contact their “colleagues” from the financial department, requesting an urgent payment and providing all the necessary details for the money to be transferred. Since the email comes from a superior and the message is transmitted with a sense of urgency, employees are likely to fall for this scam, being completely unaware the money will end up in a cybercriminal’s account.

And now, through this social engineering tactic, impostors are targeting a new niche: vendors.

More precisely, scammers are preying on employees working in a vendor’s finance department, with the ultimate goal of gathering intelligence on customers they interact with.

Who are the attackers behind Silent Starling?

The criminal group originates from West Africa and has been involved in fraudulent practices since 2015. First, they engaged in romance scams and check fraud and transitioned to BEC attacks in mid-2016, Agari writes. In their first two years of BEC, they focused on wire transfer requests and gift card attacks, only at the end of 2018 shifting their focus to VEC scams.

Three main malicious actors belonging to the cyber-gang have been identified, but at least eight other group members may have been involved. Each of these individuals was in charge of certain tasks, such as collecting leads to be targeted, finding mule accounts or hijacking and scanning compromised email accounts in search of relevant information.

How do Vendor Email Compromise attacks work?

Similarly, as I’ve briefly mentioned above, both BEC and VEC scams are based on social engineering. But what sets them apart is that VEC attacks are targeting a supplier’s customers, who receive what looks like realistic payment requests for an actual service they are expecting to pay for.

But how do VEC scams actually work?

Since they are highly elaborate schemes, they are conducted through multiple stages. Below you can see the main phases of Vendor Email Compromise attacks:

Attack Phases / Description

Phase 1 The first phishing wave / Target: Vendors
Phase 2 Account takeover
Phase 3 Inbox monitoring
Phase 4 The second phishing wave / Target: The vendors’ customers

...

Continue Reading