[BreachExchange] Vendor Email Compromise is Latest Identity Deception Attack

Destry Winant destry at riskbasedsecurity.com
Wed Nov 6 09:31:49 EST 2019


https://www.securityweek.com/vendor-email-compromise-latest-identity-deception-attack

Identity deception attacks continue to grow, but the type of attack
seems to be changing. During Q3, 2019, phishing campaigns
impersonating brands dropped by 6% over the previous quarter. Attacks
impersonating individuals, however, increased by 10%. The drop in
brand impersonation may be partly related to increased industry
adoption of DMARC, which is up 49% over the last year.

However, although DMARC is increasingly being implemented, it is not
yet being used effectively. A DMARC record published with p=none only
asks receiving mail servers to report on messages that fail
authentication; it blocks nothing. p=quarantine asks receivers to
treat failing mail as suspicious (typically sending it to spam), and
only the p=reject enforcement option instructs receivers to discard it
outright, which is what protects against email-based brand
impersonation scams. Germany and the U.S. are the two countries with
the highest use of DMARC. Germany has a higher number of
implementations than the U.S., but a lower percentage of DMARC records
set to the p=reject enforcement level. This could improve over the
next few years, since the recommended DMARC rollout is to start with
p=none, review the aggregate reports, and work up to p=reject; for
many companies, DMARC implementation may still be in its early stages.

In the meantime, however, the latest Agari Email Fraud & Identity
Deception Trends report (PDF) notes that more than 80% of Fortune 500
companies have no effective DMARC protection. Only 38% have no DMARC
record at all (down from 59% in the same quarter last year), but a
further 44% have published a record without setting an enforcement
level, leaving them at p=none; together those two groups make up the
82% that are unprotected. "Currently," says Agari, "only 13% of the
Fortune 500 has a DMARC record set to the p=reject enforcement
policy."

DMARC is a bit like vaccination. Just because ten people have been
vaccinated, that doesn't prevent you from being infected by an
eleventh unvaccinated person. A 95% vaccination rate is required
before health officials will consider a country safe from a particular
disease. The same principle applies to phishing: while the DMARC
vaccination will protect vaccinated brands from being used in phishing
attacks, the end user will not be protected from phishing in general
until a large percentage of all brands are protected by DMARC at
enforcement.

While full adoption of DMARC is proceeding somewhat slowly, there
appears to be a much faster uptake of Brand Indicators for Message
Identification (BIMI). BIMI is a standardized way for brands to
publish their logos in DNS so that participating mail clients can
display them beside messages from that brand; the logo is shown only
for mail that passes DMARC at an enforcement policy, so BIMI both
safeguards the logo against spoofing and gives brands a reason to move
beyond p=none. According to Agari's statistics, approximately 130 BIMI
logos were in use in March 2019. This has now jumped to 949, a more
than sevenfold increase.
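The DMARC policy levels and the BIMI precondition described above can be checked mechanically. The following is an added example (not code from the Agari report, SecurityWeek, or any vendor): it parses DMARC TXT records, classifies each as no record / p=none / p=quarantine / p=reject, and flags two ways a nominal p=reject is weaker than it looks (a pct below 100, which samples enforcement, and sp=none, which leaves subdomains spoofable). It also reports whether the record meets the BIMI specification's DMARC precondition (reject, or quarantine at pct=100, with no sp=none). The domains and records are constructed for illustration; nothing here queries DNS, and the tally function mirrors the report's "no record plus p=none equals unprotected" arithmetic.

```python
"""Classify DMARC records by the enforcement they actually deliver.

Added example; not code from the Agari report or the SecurityWeek article.
The domains and records below are constructed for illustration; nothing
here queries DNS (in practice the record lives at _dmarc.<domain> TXT).
"""

# Constructed sample records (hypothetical domains), one per situation the
# article describes: no record, p=none, enforcement, and two ways a nominal
# p=reject is weaker than it looks.
SAMPLE_RECORDS = {
    "norecord.example":   "v=spf1 -all",                                  # SPF, not DMARC
    "monitor.example":    "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "sampled.example":    "v=DMARC1; p=reject; pct=20",                   # only 20% enforced
    "subdomain.example":  "v=DMARC1; p=reject; sp=none",                  # subdomains spoofable
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:d@quarantine.example",
    "reject.example":     "v=DMARC1; p=reject; rua=mailto:d@reject.example",
}

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' TXT string into a dict.

    Returns None when the string is not a DMARC record (RFC 7489 requires
    v=DMARC1 as the first tag), so callers can tell 'no DMARC' apart from
    'DMARC with a weak policy'.
    """
    if not record.lstrip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def effective_policy(tags):
    """Return (p, sp, pct) with RFC 7489 defaults applied.

    sp defaults to p and pct defaults to 100.  Receivers apply p to only
    pct percent of failing messages; the rest get the next weaker policy
    (reject -> quarantine, quarantine -> none), so pct<100 is not full
    enforcement.
    """
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return p, sp, max(0, min(pct, 100))


def assess(record):
    """Classify one TXT record: 'none' (no DMARC), 'monitor' (p=none),
    'quarantine' or 'reject', plus 'sampled' / 'subdomains-open' for a
    policy undercut by pct or sp, and 'invalid' for unparseable values."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    p, sp, pct = effective_policy(tags)
    if p not in VALID_POLICIES or sp not in VALID_POLICIES:
        return "invalid"
    if p == "none":
        return "monitor"
    if pct < 100:
        return "sampled"
    if sp == "none":
        return "subdomains-open"
    return p


def bimi_eligible(record):
    """True when the record meets the BIMI DMARC precondition: quarantine
    or reject at pct=100 and no sp=none escape for subdomains."""
    return assess(record) in {"quarantine", "reject"}


def survey(records):
    """Tally verdicts across domains the way the report tallies the Fortune
    500: 'no record' and 'p=none' are both counted as unprotected."""
    counts = {}
    for record in records.values():
        verdict = assess(record)
        counts[verdict] = counts.get(verdict, 0) + 1
    unprotected = counts.get("none", 0) + counts.get("monitor", 0)
    return counts, unprotected


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} {assess(record):16} BIMI-ready={bimi_eligible(record)}")
    counts, unprotected = survey(SAMPLE_RECORDS)
    print(counts, f"{unprotected}/{len(SAMPLE_RECORDS)} domains unprotected")
```

To run this against real domains, fetch the TXT record at `_dmarc.<domain>` with a resolver such as dnspython and pass the joined string to `assess`; the verdicts above are the same distinctions the report draws, with the pct and sp checks added because an auditor reading only the `p=` tag will over-count enforcement.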

Wire transfer schemes, collectively known as business email compromise
(BEC), are also changing. Gift cards were requested in 56% of all BEC
attacks, but that is down 10% since March 2019. Payroll diversion (up
5% in the last three months to 25% of all BEC attacks) and wire
transfer scams (similar growth, also to 25% of all BEC attacks) both
grew. Gift card attacks simply produce smaller payouts (an average of
$1,571) than wire transfer attacks (an average of $52,325).

But Agari's latest report warns there is a new identity deception
threat, which it calls vendor email compromise, or VEC. Agari
describes it as "a troubling new BEC trend that we call vendor email
compromise (VEC), in which fraudsters use hijacked employee email
accounts to target not just one company, but entire supply chain
ecosystems." As the incidence of VEC increases, Agari believes it will
lead to a slight decline in BEC scams.

What isn't yet known is how and to what extent the emergence of
deepfake technology will affect either of the categories. Agari
believes that both audio and video deepfake could be used to enhance
BEC attacks, and that deepfake audio could also be used to enhance VEC
attacks.

The Agari Cyber Intelligence Division (ACID) group analyzed VEC while
investigating a Nigerian crime group it calls Silent Starling. It
discovered Silent Starling infiltrating email accounts and using them
to trick buying companies into paying fake supplier invoices. While
this type of attack is not limited to Silent Starling, this was the
first time Agari had seen it as an attack group's primary scam method.

"One of the most significant emerging threats in the cyber threat
landscape," says Agari, "is vendor email compromise. The key to these
attacks is gaining access, through standard phishing, to email
accounts belonging to key individuals within a company's accounts
receivable or finance department." The process is slower and demands
greater patience from the attacker than typical BEC attacks, but can
generate greater reward.

By first compromising one email account the attacker can slowly
compromise others. The data found within the mailboxes lets the
attacker learn how the company operates, and when things happen. In
particular, the attackers are looking for invoice and payment patterns
with an important customer. The attacker gains an understanding of the
vendor's invoicing times, processes, and customers. This intelligence
enables him to craft emails so realistic that they are virtually
undetectable. And since he has already compromised the email account,
he delivers his attack from a genuine rather than a spoofed mailbox:
the message comes from the vendor's real domain and real user, so SPF,
DKIM and DMARC all pass, and the sender-authentication controls that
stop brand impersonation have nothing to catch.

At the right time -- perhaps a week before the customer expects an
invoice -- the attacker sends a fake invoice for the correct amount,
but with different bank details routing the payment to his own
account. "Generally," Armen Najarian, Agari's chief identity officer
told SecurityWeek, "these sophisticated attackers are looking for deep
pocket, big contract scenarios -- think of the supply of a major part
of a component for an aircraft manufacturing process that is
potentially hundreds of thousands of dollars."

In theory, if the compromised vendor sends out invoices to multiple
customers at the same time, the scam can be run against all of them
at once, but the largest customer is the primary target.
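Because the VEC invoice arrives from the genuine vendor mailbox, at the expected time and for the expected amount, the only field that betrays it is the remittance detail. The following is an added example (not code from Agari, SecurityWeek, or any named product) of the accounts-payable check that addresses this: it compares each inbound invoice against the vendor master record and holds payment whenever the bank details differ, regardless of how normal the sender, amount and timing look. The vendor, invoice amounts, bank details and phone numbers are all constructed; the `Vendor` and `Invoice` classes and the `check_invoice` function are this example's own names. Note that the callback number for verification is taken from the master record, never from the invoice itself, since the attacker controls the latter.

```python
"""Hold vendor invoices whose remittance details differ from the vendor
master record.  Added example; not code from Agari or SecurityWeek.
Every vendor, invoice, amount, bank detail and phone number below is
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Vendor:
    """What accounts payable already knows about a supplier (master data)."""
    name: str
    sender_domain: str
    bank_name: str
    account: str
    routing: str
    callback_phone: str       # verification number from master data, never from the invoice
    usual_amounts: tuple      # recent invoice amounts
    usual_day_of_month: int   # when invoices normally arrive


@dataclass
class Invoice:
    """Fields extracted from an inbound invoice email."""
    vendor_name: str
    sender_address: str
    auth_pass: bool           # SPF/DKIM/DMARC result on the email
    amount: float
    invoice_date: date
    bank_name: str
    account: str
    routing: str
    contact_phone: str


# Constructed vendor master record (hypothetical supplier and domain).
VENDOR_MASTER = {
    "Acme Aero Components": Vendor(
        name="Acme Aero Components",
        sender_domain="acme-aero.example",
        bank_name="First Example Bank",
        account="00112233",
        routing="123456789",
        callback_phone="+1-555-0100",
        usual_amounts=(248_500.00, 251_200.00, 249_900.00),
        usual_day_of_month=1,
    )
}

# Constructed VEC invoice: genuine mailbox, expected amount and date,
# but the bank details route the payment elsewhere.
VEC_INVOICE = Invoice(
    vendor_name="Acme Aero Components",
    sender_address="ap@acme-aero.example",
    auth_pass=True,
    amount=250_000.00,
    invoice_date=date(2019, 11, 1),
    bank_name="Other Example Bank",
    account="99887766",
    routing="987654321",
    contact_phone="+1-555-0199",   # attacker's number, printed on the invoice
)

# Constructed legitimate invoice from the same vendor.
LEGIT_INVOICE = Invoice(
    vendor_name="Acme Aero Components",
    sender_address="ap@acme-aero.example",
    auth_pass=True,
    amount=250_000.00,
    invoice_date=date(2019, 11, 1),
    bank_name="First Example Bank",
    account="00112233",
    routing="123456789",
    contact_phone="+1-555-0100",
)


def amount_usual(amount, history, tolerance=0.10):
    """True if the amount is within tolerance of some recent invoice."""
    return any(abs(amount - h) <= tolerance * h for h in history)


def timing_usual(inv_date, usual_day, window_days=7):
    """True if the invoice arrived near the vendor's normal billing day."""
    return abs(inv_date.day - usual_day) <= window_days


def check_invoice(inv, master=VENDOR_MASTER):
    """Return (decision, findings).  Decision is 'pay', 'hold' or 'reject'.

    The sender, amount and timing checks are recorded so the reviewer can
    see them pass on a VEC invoice; only the bank-detail comparison (and a
    sender-authentication failure) drives the hold.
    """
    vendor = master.get(inv.vendor_name)
    if vendor is None:
        return "reject", {"known_vendor": False}
    findings = {
        "known_vendor": True,
        "sender_ok": inv.auth_pass and inv.sender_address.lower().endswith("@" + vendor.sender_domain),
        "amount_usual": amount_usual(inv.amount, vendor.usual_amounts),
        "timing_usual": timing_usual(inv.invoice_date, vendor.usual_day_of_month),
        "bank_details_match": (inv.bank_name, inv.account, inv.routing)
                              == (vendor.bank_name, vendor.account, vendor.routing),
        "phone_matches_master": inv.contact_phone == vendor.callback_phone,
    }
    if not findings["sender_ok"] or not findings["bank_details_match"]:
        # Verify by calling vendor.callback_phone from master data, not inv.contact_phone.
        return "hold", findings
    return "pay", findings


if __name__ == "__main__":
    for label, inv in (("VEC", VEC_INVOICE), ("legit", LEGIT_INVOICE)):
        decision, findings = check_invoice(inv)
        print(label, decision, findings)
```

The VEC invoice passes every check an email gateway or a cursory reviewer would apply (authenticated sender, usual amount, usual date) and is held purely because its bank details differ from the master record; that is the control the attack is designed to slip past when it is missing or when verification is done by calling the number printed on the invoice.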

"Think of this as a type of supply chain attack," Najarian continued.
"The vendor/customer relationship is the point of vulnerability from
which to extract funds from the deeper pocketed customers. We are
seeing a notable shift in the focus from threat actor groups into this
type of attack, primarily because the payout is much bigger. On
average, a BEC CEO fraud attack will generally pay out in the $50,000
to $55,000 range, but a successfully executed VEC attack will pay more
than double at around $125,000 on average."

The size of the Silent Starling campaign is notable. Agari found more
than 70 phishing sites, from which the group collected more than 700
employee email accounts belonging to more than 500 companies in 14
countries. Ninety-seven percent of the victims, however, are located
in just the U.S., Canada, and the UK. Agari believes that VEC is
likely to overtake BEC as the single biggest potential financial fraud
during the course of 2020.
