Posted by javajolt (Administrator, windows10newsinfo.com)
New Silent Starling Gang Targets 500+ Vendors in BEC Scam Twist
« on: October 02, 2019, 03:10:46 PM »
In a variation of the classic business email compromise (BEC) scam, a cyber gang managed to compromise email accounts of more than 700 employees from over 500 companies in 14 countries.

In a typical BEC scam, cybercriminals send emails that impersonate an upper- or middle-management employee to people in the same company's finance department, with payment instructions for an account operated by the attackers.

Believing the message comes from a superior, the recipient makes the transfer, not knowing that the money ends up in the attackers' account.

The twist

A new group, identified as Silent Starling by researchers at email security firm Agari, runs a more lucrative game by targeting employees at vendors. For this, the company dubs this new form of attack vendor email compromise (VEC).

The group has at least three members, all from Nigeria. Two of them live in Lagos and a third is in Ikeja. Information about the trio indicates that there are at least eight other individuals offering assistance with collecting target leads, obtaining mule accounts, or monitoring the compromised mailboxes for relevant information.

According to Agari, after hijacking an email account the Silent Starling gang spends time spying on the communication with customers, "gathering intelligence, data, and critical context."

The targets are employees in a vendor's finance department, responsible for operations related to procurements or accounts receivables.

Monitoring the communication

Access to the victim's email communication is obtained through phishing attacks aiming to steal email credentials. The lures vary from alerts of suspicious login activity into Microsoft OneDrive and DocuSign, to voicemail, and fax notifications.

Agari identified over 70 phishing websites used by Silent Starling to capture login credentials. Most of the victims (97%) are from the U.S., the U.K., and Canada; just a few of the compromised accounts came from Central America, East Asia, and Europe.

Once in, the attackers create a forwarding rule that sends copies of the victim's messages to an inbox they control. The entire process is explained in the infographic below:



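The forwarding rule the attackers add after taking over a mailbox is the most durable trace they leave, and it is the control point a defender can monitor. The following is an added example, not code from the article or from Agari: it scans constructed, newline-delimited JSON audit records (field names modelled loosely on mailbox audit logs and assumed here, not a vendor's exact schema) and flags inbox rules or mailbox settings that forward mail to addresses outside the organisation's own domains.

```python
"""Flag mailbox forwarding rules that copy mail to external addresses.

Added example with constructed data. The record layout (UserId, Operation,
Parameters as Name/Value pairs) is an assumption, not a vendor's schema.
"""
import json

# Constructed sample audit records: an internal rule (benign), an external
# forward-as-attachment rule that also deletes the original (the pattern
# described in the article), a mailbox-level SMTP forward, and noise.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(r) for r in [
    {"UserId": "alice@vendor.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "Move invoices"},
                    {"Name": "ForwardTo", "Value": "ap@vendor.example"}]},
    {"UserId": "bob@vendor.example", "Operation": "New-InboxRule",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardAsAttachmentTo", "Value": "dropbox1@mail.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"UserId": "carol@vendor.example", "Operation": "Set-Mailbox",
     "Parameters": [{"Name": "ForwardingSmtpAddress",
                     "Value": "smtp:carol.backup@webmail.example.org"}]},
    {"UserId": "dave@vendor.example", "Operation": "MailItemsAccessed", "Parameters": []},
])

# Parameters and operations that can redirect a copy of incoming mail.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

def external_targets(record, org_domains):
    """Return forwarding addresses in one record whose domain is not in org_domains."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    hits = []
    for param in record.get("Parameters", []):
        if param.get("Name") not in FORWARD_PARAMS:
            continue
        for addr in str(param.get("Value", "")).split(";"):
            addr = addr.strip().lower()
            if addr.startswith("smtp:"):      # mailbox-level forwards carry a prefix
                addr = addr[5:]
            if "@" in addr and addr.rsplit("@", 1)[1] not in org_domains:
                hits.append(addr)
    return hits

def find_suspicious_forwards(audit_log, org_domains):
    """Scan newline-delimited JSON records; return (user, operation, targets) per finding."""
    findings = []
    for line in audit_log.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        targets = external_targets(record, org_domains)
        if targets:
            findings.append((record["UserId"], record["Operation"], targets))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_forwards(SAMPLE_AUDIT_LOG, {"vendor.example"}):
        print("ALERT external mail forward:", finding)
```

A rule that forwards externally and deletes the original, as in the second sample record, is the combination to alert on first, since it hides the copy from the mailbox owner.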
After collecting sufficient information, the attackers use the identity of the hacked employee to create emails that fit perfectly in the communication timeline, asking for an invoice to be paid.

One Agari customer hit by Silent Starling had the inbox of one employee monitored for more than four months and over 2,800 conversations had been forwarded to the attacker. The messages included sensitive information like documents, income statements, invoices, customer agreements, or rental injury reports.

Armed with all this information, the threat actor can craft messages that look as if they come from the real vendor. The customer has little reason to doubt the legitimacy of the communication or to spot the fraud, so they follow the instructions, which carry the attackers' bank account details instead of the vendor's.

"This type of attack is particularly hard to spot, as it mimics the look and feel of legitimate communication. The only difference is that the invoice sent to a vendor's customer contains details for the scammer's bank account instead of the vendor." - Agari

Big money game

Agari says that Silent Starling used this method to steal millions from the global supply chain.

The group has been active since at least 2018, and since the end of last year it has stolen more than 20,000 emails. One US-based company alone had the accounts of 39 of its employees compromised.

Compared to BEC scams, the VEC approach is far more profitable. A recent report from the US Financial Crimes Enforcement Network (FinCEN) reveals that VEC scams cause average losses of $125,000 for each victim, compared to $50,000 on average recorded from BEC attacks.

source