How Vendor Email Compromise Works
Felix Jiang, on Jan 13 2020
Several weeks ago, the FBI raised their estimate of money lost from Business Email Compromise (BEC) attacks to $26B over the past three years. BEC is now the biggest cybercrime threat to organizations, costing an order of magnitude more than ransomware or data breaches.
At Armorblox, our algorithms are already flagging BECs, but we’re also picking up an even more refined attack method that organizations should be aware of called Vendor Email Compromise (VEC). In this blog post, we’ll discuss how these attacks differ from the standard BEC attack.
With BEC attacks, we have seen socially engineered messages that only require a few steps:
- The attacker researches a newly onboarded employee, usually in accounting or any other finance-related department.
- The attacker searches for high ranking executives in the organization on social networking sites (e.g. - LinkedIn) to identify someone who might regularly request an invoice payment, bank transfer, or change in banking details.
- The attacker registers a fake domain that looks similar to the target organization and creates an email address under the domain with the exact same display name as the executive.
Having attempted this scheme several times, the attacker understands the wording that will give just enough detail and urgency to push a naive employee to actually proceed with a financial transaction.
These types of BEC attacks have a few drawbacks for the attacker:
- First, the attacker is the one that must initiate the first email which elicits suspicion among the recipients.
- Second, a fresh employee may feel the need to verify with a coworker or direct manager on the proper protocol for corporate financial changes and transactions. This introduces a second or third pair of eyes on the ask, and can defuse the situation as a hoax.
- Lastly, the executive herself may be in the very office of the victim. In the event that the victim has some face-to-face communication with the VIP, the attack can implode.
For these reasons, when it comes to attack effectiveness, BECs can sometimes be easier to defuse.
With VEC attacks, an attacker first steals the credentials of one or more employees, and then learns about the organization by reading inbound and outbound emails. Thus, VECs have dormant and active phases.
In the dormant phase, the attacker quietly steals credentials and then logs in from an innocuous location or IP address to set up mail forwarding rules. This phase is difficult to detect since there isn’t much anomalous activity yet.
The attacker steals the credentials of an employee in the accounts receivable department at Company A through a phishing link, jane.doe@companyA.com.
The attacker signs into Jane’s email address and deletes any evidence of the phishing email that compromised her. He then sets up a mail-forwarding rule in Jane’s account that auto-forwards all emails to a mailbox that he setup earlier.
Day 1 - 14:
The attacker reads all emails in Jane’s inbox to understand the organization’s email workflows and to identify high value targets for compromise.
A legitimate vendor transaction comes into play, and Jane does her job as usual.
Now the compromise enters its active phase.
The attacker is aware of this active invoice payment request and registers the domain “Acompany.com”.
Note that such a domain (spoofing as a separate internal domain of company A) may be more successful for fraudsters as compared to other domain look-alike attempts of yesteryear. For example, if the attacker were to register a domain like “cornpanyA.com” with the “r” and “n” closely mirroring an “m,” and the recipient were to catch this inconsistency, the gig would be up. On the other hand, a domain spoof of a believable internal domain is easier to justify in some cases.
The attacker sends an email from jane.doe@Acompany.com, with the original thread below the message.
The attacker sends another email from susan.b.anthony@Acompany.com, with the original thread below the message to inspire additional credibility.
The added danger in these types of VECs attacks is clear. Unlike the three weaknesses highlighted in the BECs section, VECs have an answer for each drawback:
- An attacker no longer needs to initiate an attack, as he can merely insert himself (and his bank credentials) into a legitimate business transaction.
- An attacker has an edge because he gains additional knowledge of organizational best practices, standard operating procedures, writing styles, common apps and file types, social networks, and a timeline of when VIPs may be out of office. As a result, the victims of these attacks (in this case vendorB.com) usually don’t suspect anything nefarious because messages sent by the attacker so closely mirror what a normal employee would do or say.
Lastly, because these VECs usually occur with third party vendors, the chances of a victim bumping into them in the office are infinitesimally low.
Traditional cybersecurity solutions fail to catch these new VEC attacks because:
- Metadata anomalies by themselves are noisy. Detecting a suspicious login attempt or IP address are small signals by themselves that usually don’t warrant standalone enforcement policies.
- The detection of look-alike domains inside a protected organization is easy, whereas the detection of look-alike domains outside of the organization is much more difficult.
- Finally, reading and analyzing the content and context of a real or fake email exchange is incredibly manual. Only an NLU platform trained on a large, accurately-labeled dataset that retrains constantly and easily classifies what’s important can automate this process. This latter requirement is no easy feat.
To learn more about how Armorblox’s NLU platform can catch these new attack vectors, schedule a demo today.