New Silent Starling Attack Group Puts Spin on BEC
Security researchers with Agari warn that scammers are targeting companies with a new technique that is a variation of business email compromise (BEC). The new attack, dubbed “vendor email compromise” (VEC), has been used by the Silent Starling group, which operates from West Africa. The scammers have so far taken control of more than 700 employee email accounts at over 500 firms across at least 14 countries.
A VEC campaign starts with the compromise of an employee email account. According to Crane Hassold of Agari, the targeted accounts usually belong to “employees in accounts receivable, CFOs, [and] office managers involved with day-to-day financial transactions.” Compromise is achieved through a phishing attack. Once an account has been taken over, attackers set up email forwarding rules to another address they control. The threat actors then spend a long time monitoring the email traffic in order to learn how employees communicate and what the invoicing process of a vendor involves. Eventually they will send an email to a client of the targeted vendor in which they perfectly impersonate that vendor and inform the client of a change in their banking details. If the client pays the invoice, the money goes to a bank account controlled by the scammers.
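The forwarding rule is the step in this chain that leaves a durable artifact in the compromised mailbox, so auditing rules for external forward targets is a practical check. The following is an added example, not code from Agari or the original article; the record schema, mailbox names and domains are constructed for illustration, and a real mail platform's rule export would need to be mapped into this shape.

```python
from email.utils import getaddresses

# Constructed sample: mailbox rules exported into a neutral, hypothetical schema.
SAMPLE_RULES = [
    {"mailbox": "ar@vendor.example", "rule": "sync",
     "forward_to": "AR Backup <ar.backup@mailbox-sync.example>"},
    {"mailbox": "cfo@vendor.example", "rule": "assistant",
     "forward_to": "pa@eu.vendor.example"},
    {"mailbox": "office@vendor.example", "rule": "archive",
     "forward_to": "archive@vendor.example, inv0ices@vendor-example.test"},
    {"mailbox": "dev@vendor.example", "rule": "move newsletters",
     "forward_to": ""},
]


def is_internal(domain, internal_domains):
    """True if domain is an internal domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    # Require a dot boundary so "notvendor.example" does not match "vendor.example".
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)


def find_external_forwards(rules, internal_domains):
    """Return (mailbox, rule, address) for every forward target outside the org."""
    internal = {d.lower() for d in internal_domains}
    findings = []
    for r in rules:
        # A rule may list several recipients, with or without display names.
        for _name, addr in getaddresses([r.get("forward_to") or ""]):
            if "@" not in addr:
                continue  # rule does not forward, or the target is unparsable
            domain = addr.rsplit("@", 1)[1]
            if not is_internal(domain, internal):
                findings.append((r["mailbox"], r["rule"], addr.lower()))
    return findings


if __name__ == "__main__":
    for mailbox, rule, addr in find_external_forwards(SAMPLE_RULES, ["vendor.example"]):
        print(f"REVIEW {mailbox}: rule {rule!r} forwards to external address {addr}")
```

Findings on mailboxes that handle invoicing deserve the fastest review, since those are the accounts the article says are targeted.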