Vendor Email Compromise is Latest Identity Deception Attack

Identity deception attacks continue to grow, but the type of attack seems to be changing. During Q3, 2019, phishing campaigns impersonating brands dropped by 6% over the previous quarter. Attacks impersonating individuals, however, increased by 10%. The drop in brand impersonation may be partly related to increased industry adoption of DMARC, which is up 49% over the last year.

However, although DMARC is increasingly being implemented, it is not yet being effectively used. Only the "p=reject" enforcement option will protect against email-based brand impersonation scams. Germany and the U.S. are the two countries with the highest use of DMARC. Germany has a higher number of implementations than the U.S., but a lower percentage of DMARC records set to the p=reject enforcement level. This could improve over the next few years since the recommended DMARC implementation plan is to start with p=none, and work up to p=reject -- for many companies, DMARC implementation may still be in its early stages.

In the meantime, however, the latest Agari Email Fraud & Identity Deception Trends report (PDF) notes that more than 80% of Fortune 500 companies have no DMARC protection. Although only 38% have no DMARC at all (down from 59% in the same quarter last year), 44% of those with DMARC have yet to set an enforcement level. "Currently," says Agari, "only 13% of the Fortune 500 has a DMARC record set to the p=reject enforcement policy."
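The three buckets the report counts (no record, a record that enforces nothing, and a record at an enforcing policy) fall straight out of the DMARC record syntax. The following is an added example, written for this page rather than taken from the article or from Agari: a small parser for DMARC TXT records (the RFC 7489 `tag=value;` form) that sorts each domain into those buckets and also reports the two things that commonly make a record weaker than it looks, a `pct=` below 100 and a relaxed `sp=` subdomain policy. The domain names and records are constructed for illustration.

```python
# Added example (not from the article or from Agari): a parser for DMARC TXT
# records (RFC 7489 "tag=value;" syntax) that sorts each domain into the
# buckets the report counts -- no record, record without enforcement, and an
# enforcing policy. Sample records and domain names below are constructed.
from collections import Counter
from typing import Dict, Optional


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into a lowercase-tag -> value dict.

    Raises ValueError when the text is not a DMARC record: v=DMARC1 must be
    present and must be the first tag (RFC 7489 section 6.3).
    """
    tags: Dict[str, str] = {}
    first = True
    for part in record.split(";"):
        part = part.strip()
        if not part:  # tolerate a trailing ";" or doubled separators
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = (s.strip() for s in part.split("=", 1))
        key = key.lower()
        if first and (key != "v" or value != "DMARC1"):
            raise ValueError("not a DMARC record: v=DMARC1 must come first")
        first = False
        tags[key] = value
    if "v" not in tags:
        raise ValueError("empty record")
    return tags


def classify(record: Optional[str]) -> str:
    """Return the enforcement bucket for one domain's DMARC record (None = no record)."""
    if record is None:
        return "no DMARC record"
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        # p= is REQUIRED; a record without a valid policy enforces nothing.
        return "invalid DMARC record"
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid DMARC record"
    if policy == "none":
        return "monitoring only (p=none)"
    if pct < 100:
        # Quarantine/reject is applied to only pct% of failing mail, so this
        # is not yet the full enforcement the report counts as protection.
        return f"partial enforcement (p={policy}, pct={pct})"
    return f"enforced (p={policy})"


def subdomain_policy(record: str) -> str:
    """Effective policy for subdomains: sp= if present, otherwise p=."""
    tags = parse_dmarc(record)
    return tags.get("sp", tags.get("p", "")).lower()


def summarize(records: Dict[str, Optional[str]]) -> Dict[str, int]:
    """Count domains per bucket, the way the report tallies the Fortune 500."""
    return dict(Counter(classify(r) for r in records.values()))


# Constructed sample data: domain -> DMARC TXT record (None = no record).
SAMPLE_RECORDS: Dict[str, Optional[str]] = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc-reports@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25; rua=mailto:d@partial.example",
    "strict.example": "v=DMARC1; p=reject; sp=none; adkim=s; aspf=s",
    "broken.example": "v=DMARC1; rua=mailto:d@broken.example",
    "not-dmarc.example": "v=spf1 include:_spf.example -all",
}

if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:20} {classify(rec)}")
    print(summarize(SAMPLE_RECORDS))
```

Note that `strict.example` is enforced for its own mail yet its `sp=none` leaves every subdomain unprotected, which is exactly the kind of detail a headline "has a DMARC record" count hides.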

DMARC is a bit like vaccination. Just because ten people have been vaccinated, that doesn't prevent you from being infected by an eleventh unvaccinated person. A 95% vaccination rate is required before health officials will consider a country safe from a particular disease. The same principle applies to phishing -- while the DMARC vaccination will protect vaccinated brands from being used in phishing attacks, not until a large percentage of all brands are protected by DMARC will the end user be protected from phishing in general.

While full adoption of DMARC is proceeding somewhat slowly, there appears to be a much faster uptake of Brand Indicators for Message Identification (BIMI). BIMI is a standardized way for brands to publish their brand logos online with built-in protections that safeguard against spoofing. According to Agari's statistics, approximately 130 BIMI logos were in use in March 2019. This has now jumped to 949, an increase of more than 700%.

Wire transfer schemes, often collectively known as business email compromise (BEC), are also changing. Gift cards were requested in 56% of all BEC attacks, but that is down 10% since March 2019. Payroll diversion (up 5% in the last three months to 25% of all BEC attacks) and wire transfer scams (a similar growth to 25% of all BEC attacks) both grew. Gift card attacks simply result in smaller payouts (an average of $1,571) compared to wire transfer attacks (an average of $52,325).

But Agari's latest report warns there is a new identity deception threat, which it calls vendor email compromise, or VEC. Agari describes it as "a troubling new BEC trend that we call vendor email compromise (VEC), in which fraudsters use hijacked employee email accounts to target not just one company, but entire supply chain ecosystems." As the incidence of VEC increases, Agari believes it will lead to a slight decline in BEC scams. 

What isn't yet known is how and to what extent the emergence of deepfake technology will affect either of the categories. Agari believes that both audio and video deepfake could be used to enhance BEC attacks, and that deepfake audio could also be used to enhance VEC attacks.

The Agari Cyber Intelligence Division (ACID) group analyzed VEC while investigating a Nigerian crime group it calls Silent Starling. It discovered Silent Starling infiltrating email accounts and using them to trick buying companies into paying fake supplier invoices. While this type of attack is not limited to Silent Starling, this was the first time Agari had seen it as an attack group's primary scam method.

"One of the most significant emerging threats in the cyber threat landscape," says Agari, "is vendor email compromise. The key to these attacks is gaining access, through standard phishing, to email accounts belonging to key individuals within a company's accounts receivable or finance department." The process is slower and demands greater patience from the attacker than typical BEC attacks, but can generate greater reward.

By first compromising one email account, the attacker can slowly compromise others. The data found within the emails allows the attacker to learn how the company operates and the timing of its routine transactions. In particular, the attackers are looking for invoice and payment patterns with an important customer. The attacker gains an understanding of a vendor's invoicing times, processes, and customers. This intelligence enables him to create emails that are so realistic that they are virtually undetectable -- and, since he has already compromised the email account, he can deliver his attack from a genuine rather than a spoofed email account.

At the right time -- perhaps a week before the customer expects an invoice -- the attacker sends a fake invoice for the correct amount, but with different bank details routing the payment to his own account. "Generally," Armen Najarian, Agari's chief identity officer told SecurityWeek, "these sophisticated attackers are looking for deep pocket, big contract scenarios -- think of the supply of a major part of a component for an aircraft manufacturing process that is potentially hundreds of thousands of dollars."

In theory, if the compromised company sends out multiple invoices to multiple customers at the same time, the scam could be perpetrated on multiple customers -- but the big one is the primary target.

"Think of this as a type of supply chain attack," Najarian continued. "The vendor/customer relationship is the point of vulnerability from which to extract funds from the deeper pocketed customers. We are seeing a notable shift in the focus from threat actor groups into this type of attack, primarily because the payout is much bigger. On average, a BEC CEO fraud attack will generally pay out in the $50,000 to $55,000 range, but a successfully executed VEC attack will pay more than double at around $125,000 on average."

The size of the Silent Starling campaign is notable. Agari found more than 70 phishing sites, from which the group collected more than 700 employee email accounts belonging to more than 500 companies in 14 countries. Ninety-seven percent of the victims, however, are located in just the U.S., Canada, and the UK. Agari believes that VEC is likely to overtake BEC as the single biggest potential financial fraud during the course of 2020. 

Related: DMARC Use is Growing, But Difficult to Configure Correctly and Completely 

Related: Agari Employs Active Defense to Probe Nigerian Email Scammers 

Related: Loss to BEC Fraud Now Claimed to be $26 Billion

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.