New research from email security vendor Abnormal Security has revealed how a single threat actor was able to compromise five different vendor email accounts. Through those accounts, they delivered invoice fraud email attacks to 15 individuals across five customer organizations, all in the critical infrastructure space. These included two healthcare companies, two logistics companies, and one manufacturing company.
Nearly all the email messages sent from the compromised accounts used the same language and formatting. Although they contained grammatical errors, they also had several characteristics that made them appear legitimate, enabling the emails to bypass traditional security defenses, according to Abnormal.
The campaign is an example of vendor email compromise (VEC). Much like business email compromise (BEC), VEC is a sophisticated and dangerous email threat that is continuing to grow. Whereas BEC attacks typically impersonate trusted individuals within a victim’s own organization (like the CEO), VEC attacks impersonate an individual at a trusted vendor organization. Whether through a spoofed or compromised account, they use social engineering tactics to convince their victim to take an action, usually finance related. In this case, Abnormal blocked the fraud emails for its customers, but it’s possible the compromised accounts could have been used successfully against other organizations.
VEC attacks are often highly targeted, spoofing and hijacking a specific vendor in pursuit of a massive payday. However, some attacks can repeat a certain scheme across multiple vendors, creating a snowball effect across a broad web of victims, which was the case in this campaign, Abnormal wrote.
VEC attacks used known domain, believable content and language
The attacker compromised vendor email accounts belonging to individuals in accounting and operations roles at the vendor firms, then sent emails attempting to redirect outstanding and future invoices to a new bank account, the firm said. “Each email included a PDF attachment that outlined the (fake) new payment policy and provided the updated bank account details.”
The most effective disguise tactic was the attacker’s use of a known domain, a key characteristic of VEC attacks, Abnormal wrote. As the emails were sent from compromised vendor accounts, the sender’s email address and domain appeared as normal to the recipients. The attacker also used content and language that the victims might expect from conversations with their vendors. “These two factors together would make it seem like nothing was out of the ordinary, increasing the likelihood that the targets could unknowingly engage with the threat actor.”
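As an added illustration, not code from Abnormal's research or product, the following Python heuristic scores inbound vendor mail on the indicators described above: payment-redirection language, an accompanying PDF, and a sender on a known vendor domain. The vendor domain list, the phrase patterns and the sample messages are assumptions constructed for the example; the key point it encodes is that SPF/DKIM/DMARC results are never used to lower the score, because mail from a compromised vendor account authenticates just like genuine mail.

```python
import re
from dataclasses import dataclass, field

# Phrases that recur in the campaign above: a "new payment policy", updated
# bank details, and a request to redirect outstanding or future invoices.
PAYMENT_CHANGE_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"\bnew (?:bank|payment) (?:account|policy|details?)\b",
        r"\bupdated? (?:bank|banking|account) (?:details?|information|number)\b",
        r"\b(?:outstanding|future|pending) invoices?\b",
        r"\b(?:redirect|remit|send) .{0,40}(?:payments?|invoices?)\b",
    )
]

# Hypothetical list of vendor domains this organisation already pays.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: list = field(default_factory=list)
    auth_passed: bool = True  # SPF/DKIM/DMARC verdict as reported by the MTA


def assess_payment_change(msg: Email):
    """Return (flagged, reasons) for an inbound vendor email.

    msg.auth_passed is deliberately ignored: a compromised vendor account
    passes authentication, so a passing verdict must not reduce suspicion.
    """
    reasons, score = [], 0
    domain = msg.sender.rsplit("@", 1)[-1].lower()
    text = f"{msg.subject}\n{msg.body}"
    hits = [p.pattern for p in PAYMENT_CHANGE_PATTERNS if p.search(text)]
    if hits:
        score += 2 * min(len(hits), 2)
        reasons.append(f"payment-change language ({len(hits)} pattern(s))")
    if hits and any(a.lower().endswith(".pdf") for a in msg.attachments):
        score += 1
        reasons.append("PDF attachment accompanying payment-change request")
    if hits and domain in KNOWN_VENDOR_DOMAINS:
        score += 1  # a trusted domain raises the stakes rather than the trust
        reasons.append("request from known vendor domain: verify out of band")
    return score >= 4, reasons
```

A hit should route the message to a hold queue and trigger a phone call to the vendor on a previously known number, not a reply to the email.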