Third-party risk series: Vendor Email Compromise
Last year we saw a lot of focus on Third-Party Risk and how companies could work towards mitigating that threat. Our Security Practice Director, Saaim Khan, produced this executive summary – Navigating Third Party Information Security Risks, which looked at the risk from a Governance, Risk and Compliance perspective. But in this blog series, we’ll be taking a look at some of the specific ways attackers are exploiting third party risk and breaking down the attack vector, identifying how organisations can protect themselves against the threat.
In our first post, we'll be looking at the breakout term of 2019, Vendor Email Compromise (VEC), and InfoTrust's Senior Security Engineer, John Aziz, explains more below.
What is Vendor Email Compromise (VEC)?
Vendor Email Compromise is a term that was coined in 2019. As you've probably guessed, it's closely aligned to Business Email Compromise (BEC), where an attacker usually spoofs a senior individual within a business and emails one of their coworkers with an urgent request, such as a payment or the sharing of sensitive information. The classic example is the CEO-to-CFO attack: the cybercriminal pretends to be the CEO and asks the CFO for an urgent payment to a supplier. The CFO obliges, wanting to do a good job, and later finds out that it wasn't the CEO at all and that the money has gone to a cyberattacker's bank account.
VEC uses the same technique, but the attacker focuses on the known suppliers or third parties that the victim organisation uses or partners with. This requires a large amount of time and resources to research the relationship and gather the level of detail needed to carry the attack off successfully. That reconnaissance typically takes place after an initial intrusion, which could be a phishing email through which an employee unknowingly hands the attacker access to their mailbox. The compromised mailbox is frequently at the supplier rather than the target, which is what makes the later fraudulent invoice arrive from a genuine supplier address.
Once inside a staff member's account, the attacker is able to create forwarding rules and gather further intelligence on that person's email behaviour with the third party: the dates payments are due, the typical requests and the billing practices. After enough information has been gathered, the attacker inserts themselves into the correspondence and sends a fake invoice at the correct time with the right information, other than the fact that the bank details have changed.
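The forwarding and hiding rules described above leave a trail in mailbox audit logs, and hunting for them is one of the few places a defender can catch a VEC intrusion before the invoice is sent. The following is an added example, not code from InfoTrust, Agari or the original post. It assumes audit records shaped like Microsoft 365 Unified Audit Log inbox-rule events (an `Operation` such as `New-InboxRule`, a `UserId`, and `Parameters` as Name/Value pairs); the four sample records, the domain names and the user names are constructed for illustration and are not real data.

```python
"""Hunt audit events for inbox rules that forward or hide supplier mail.

Added example (not the post's or any vendor's code). Assumes records shaped
like Microsoft 365 Unified Audit Log inbox-rule events; the sample events,
domains and users below are constructed, not real data.
"""
import json
import re

# Assumption: the organisation's own mail domains (hypothetical).
INTERNAL_DOMAINS = {"example.com.au"}

RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
# Parameters that divert a copy of the mail to the attacker.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Parameters that keep the victim from noticing the diverted thread.
HIDING_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}
# Words attackers filter on to isolate invoice and remittance traffic.
FINANCE_WORDS = ("invoice", "payment", "remittance", "bank", "account", "wire")
CONDITION_PARAMS = ("SubjectContainsWords", "BodyContainsWords",
                    "SubjectOrBodyContainsWords", "From")

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Constructed sample audit records (not real log data).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "alice@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "bob@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords",
                     "Value": "invoice;payment;bank details"},
                    {"Name": "ForwardAsAttachmentTo",
                     "Value": "[SMTP:ap.update@mail-hosting.example]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "carol@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "Cover while on leave"},
                    {"Name": "ForwardTo", "Value": "dave@example.com.au"}]},
    {"Operation": "New-InboxRule", "UserId": "erin@example.com.au",
     "Parameters": [{"Name": "Name", "Value": "cleanup"},
                    {"Name": "From", "Value": "accounts@supplier.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
]


def _params(event):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def analyse_event(event, internal_domains=INTERNAL_DOMAINS):
    """Return a finding dict for a suspicious rule event, else None."""
    if event.get("Operation") not in RULE_OPS:
        return None
    params = _params(event)
    reasons = []

    # Any forwarding target outside the organisation is the core VEC signal.
    for name in sorted(FORWARDING_PARAMS & params.keys()):
        for addr in EMAIL_RE.findall(params[name]):
            domain = addr.rsplit("@", 1)[1].lower()
            if domain not in internal_domains:
                reasons.append(f"{name} to external address {addr}")

    # Hiding actions: boolean flags set to True, or a non-empty target folder.
    hiding = sorted(n for n in HIDING_PARAMS & params.keys()
                    if params[n].lower() not in ("", "false"))
    conditions = " ".join(params.get(k, "") for k in CONDITION_PARAMS).lower()
    finance_hit = any(w in conditions for w in FINANCE_WORDS)

    if hiding and finance_hit:
        reasons.append("hides finance-related mail via " + ", ".join(hiding))
    elif hiding and reasons:
        reasons.append("also hides forwarded mail via " + ", ".join(hiding))

    if not reasons:
        return None
    return {"user": event.get("UserId"),
            "rule": params.get("Name", "<unnamed>"),
            "reasons": reasons}


def analyse_events(events, internal_domains=INTERNAL_DOMAINS):
    """Run the rule check over a batch of audit records."""
    return [f for f in (analyse_event(e, internal_domains) for e in events) if f]


if __name__ == "__main__":
    print(json.dumps(analyse_events(SAMPLE_EVENTS), indent=2))
```

Run against the constructed sample, the check flags bob's rule (external forward plus delete and mark-as-read on invoice traffic) and erin's rule (a supplier's accounts mailbox silently moved into an RSS folder), while alice's newsletter filter and carol's internal leave-cover forward pass. In production the same logic is pointed at the real audit export, and a hit should trigger a password reset, session revocation and a review of recent supplier correspondence from that mailbox.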
Silent Starling and Ancient Tortoise
The reason this new attack type is so alarming is that it is working, and working very well. Cybercriminals are able to be extremely detailed with their invoices and timing, which makes it very difficult for the end-user to detect that anything is wrong. Our partner Agari's Cyber Intelligence Division (ACID) released a report last year on a cybercriminal gang in Nigeria that had been undertaking these attacks with great success. From their research they identified that the Silent Starling gang had between 8 and 10 people working for it, had been operating since at least 2018, and had targeted about 500 businesses in the space of a year.
In another example found by ACID at the start of 2020, a group named Ancient Tortoise was observed impersonating CFOs and requesting an updated aging report, together with the accounts payable contact for each customer listed in it. Once the Ancient Tortoise gang had obtained this intelligence, the attackers contacted the customers' accounts payable departments named in the aging report, requesting payment of the outstanding invoices it referenced.
Protecting against VEC
Many vendors are now touting VEC as the biggest security challenge for 2020 and beyond. The key vulnerability these attacks exploit is your organisation's end-users, relying on the fact that your employees want to work effectively and efficiently.
Therefore, security awareness training should be a key component of every business's security strategy. Ensuring that new employees are trained to spot a potentially malicious email, and consistently updating your training resources to highlight newly emerging threats, is imperative.
Furthermore, there must be stringent processes for employees to follow when carrying out payments or handling requests for sensitive information, and those processes must actually be followed. The check that matters most for VEC is that any change to a supplier's bank details is verified out-of-band, by phoning a contact number already held on file rather than one supplied in the email, before the new details are used.
Employing next-generation impersonation controls is also advised. Most Secure Email Gateways offer this functionality, and these controls go some way towards stopping fraudulent emails reaching your employees' inboxes. The caveat is that a VEC invoice sent from a genuinely compromised supplier account will pass SPF, DKIM and DMARC and contains no lookalike domain, so these controls cannot replace the payment-process verification above.
InfoTrust would also advise looking at specialised technologies that have been created to deal with these types of sophisticated attacks specifically. Agari’s Phishing Defense solution is built to help organisations trust their inbox, by working to stop identity deception attacks. By utilising data science, trust analytics and machine-learning the Phishing Defense solution is able to model what is “trusted” behaviour within the business.
Watch out for the next post in the Third-Party Risk series coming next week!