Last week, Abnormal Security participated in the Information Security Media Group (ISMG) webinar titled The Rising Threat of Vendor Email Compromise in a Post-SolarWinds Era. You can access the full script below.
The Vendor Email Compromise Rundown
Roman Tobe of Abnormal Security reports on the advancement of business email compromise (BEC) and vendor email compromise (VEC) attacks and covers why they continue to bypass traditional email security gateways. These attacks are similar to the techniques used in the SolarWinds breach, which shook the cybersecurity industry in a profound way and opened the world’s eyes to supply chain attacks.
Throughout the webinar, Abnormal highlights key findings from the latest vendor email compromise research, including:
- Companies have a 50% chance of getting hit with a VEC attack at least once in Q4 2020, up from 40.2% in Q3 2020
- The average cost of a vendor email compromise attack is $183,000, depending on the goal of the attack
- The maximum observed cost stopped by Abnormal Security is $1.6 million.
Viewers of the webinar heard the steps involved in a VEC attack, as well as a breakdown of a high-profile VEC attack caught in the wild.
To close, Abnormal discussed the launch of VendorBase—a global, federated database of vendor and customer behaviors designed to stop supply chain compromise. VendorBase automates the process of identifying known risks in your supply chain and removes the manual burden of remediating and investigating VEC attacks from compromised vendors—improving the detection accuracy of advanced social engineering attacks.
You can read the full webinar transcript below.
Thank you for joining us. We are going to talk about the rising threat of vendor email compromise today. If that term is new to you or you haven’t heard of it before, by the end of this session you’ll be an expert on what it is because Abnormal Security is the industry leader in prevention and research on this topic.
SLIDE 0: BEC
Before we dive into vendor email compromise, I want to spend a minute or two talking about BEC, which you may have heard of but I want to make sure it’s well understood before we move on. BEC stands for business email compromise, and it is a type of email scam but I would also call it a superset of vendor email compromise crime.
You’ll find characteristics in BEC similar to those in VEC. A common trait of BEC is that it does not contain malware or malicious URLs, and because of that it is able to bypass conventional email security measures like SEGs. BEC relies on the implicit authenticity of business emails—meaning there’s some measure of impersonation or compromise going on. And because of that, it takes advantage of the victim’s trust in the impersonated identity.
The losses from BEC are massive. $1.7B in 2019 alone.
SLIDE 1: Vendor Email Compromise Definition
In short, VEC is a type of cyber attack where a criminal gains access to an email account with the intent to disrupt the supply chain by stealing money.
The reason why VEC is such a big problem is because this type of attack has a much greater probability of success than other attacks. Because the criminal gains access to a vendor’s email account, the communications are trusted. Conversely, these attacks are some of the more difficult to spot, as less than one in ten million emails represents an advanced email attack.
SLIDE 1a: Why Is VEC So Dangerous?
When a vendor email account is compromised, the attacker creates socially engineered attacks from trusted domains that have already been emailing into your organization without any issues. Typically, the attackers, when they do have access to an account, do not raise any flags when they start communicating with the target. Their initial emails do not contain a payload, there’s no malware or malicious URLs, nor do the attacks themselves originate from bad domains that are on threat intelligence lists or domains to reject at the gateway. This is all intended to bypass any red flags that could be spotted by a secure email gateway.
SLIDE 1b: SolarWinds: Started as a VEC Attack
Many of us on the call are familiar with SolarWinds or have some understanding of the attack. The historic attack on SolarWinds shook the cybersecurity industry in a profound way and opened the world’s eyes to supply chain attacks. Nearly two months after public disclosure, we now know that it was a high-profile example of a vendor email compromise attack.
SolarWinds stated that an “email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.” The attack went undetected by its email security defenses for at least nine months, according to the Wall Street Journal.
SLIDE 2: Vendor Email Compromise Names
If the name does not look familiar, it may be because you’re calling it by a different name. VEC can go by vendor email compromise, supply chain fraud, invoice fraud, payment fraud, invoice origination fraud, fake vendors, and others.
SLIDE 2a: Rising Threat of Vendor Email Compromise
Recently, Abnormal Security put a spotlight on trends in VEC in our Q1 2021 Threat Research Report The Rising Threat of Vendor Email Compromise in a Post-SolarWinds Era. In the report, Abnormal went in-depth into the world of vendor email compromise (VEC) and outlined the rate of acceleration, as well as the financial threat these attacks pose to businesses without proper controls in place. Some of the key takeaways are mentioned above.
SLIDE 3: Five Steps of VEC
There are 5 steps in a VEC attack:
- The first step is reconnaissance. Here, the attacker picks their target intentionally. They perform online research and even send out recon emails to test which email address is valid.
- Step two is the compromise. This is potentially done through buying credentials on the darknet, sending credential phishing emails, or finding which vendor accounts have MFA vulnerabilities. However it happens, a VEC attack is not possible without compromising the account and gaining access.
- Step three is to wait. This step is optional. Once the attacker is in the account, they may wait for a conversation related to payments to naturally occur. In less patient situations, the attacker might skip this step and force the issue by initiating a banking change.
- Step four is the strike. The attack is underway in earnest when the criminal engages with the accounts payable team and asks for banking changes to existing or new invoices. In order for the heist to succeed, the attacker must redirect existing banking information from the real vendor to their accounts. This is a hallmark of the VEC attack. Depending on the situation, criminals may not increase commonly found invoice amounts.
- Step five is a redirect. This is also an optional step. When a conversation is underway, it’s common for the attacker to fork the conversation to a lookalike vendor domain to keep the conversation further away from the real vendor and their SOC team. This happens via a mail rule change, where the reply-to address changes to the lookalike domain. A redirect is not a hard and fast rule but does happen.
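The redirect in step five leaves a checkable trace in the message headers: a Reply-To domain that differs from the From domain by only a character or two. The following is an added example, not code from Abnormal Security or the webinar; the domains, sample messages, and the distance threshold of 2 are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages; all domains are placeholders.
SAMPLES = {
    "legit": "From: AR <ar@acme-supplies.example>\n"
             "Subject: Invoice 1001\n\nSee attached.",
    "redirect": "From: AR <ar@acme-supplies.example>\n"
                "Reply-To: AR <ar@acrne-supplies.example>\n"
                "Subject: Updated banking details\n\nPlease confirm.",
    "other": "From: AR <ar@acme-supplies.example>\n"
             "Reply-To: ar@mailbox.example\n"
             "Subject: Invoice 1002\n\nSee attached.",
}

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def reply_to_verdict(raw_message, max_distance=2):
    """Classify the Reply-To domain of one message against its From domain."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if not reply_dom or reply_dom == from_dom:
        return "consistent"           # replies go back to the real vendor
    if edit_distance(from_dom, reply_dom) <= max_distance:
        return "lookalike-redirect"   # near-identical domain: likely fork
    return "different-domain"         # mismatch, but not a lookalike

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, reply_to_verdict(raw))
```
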
SLIDE 4: A Real-World Example
The following example begins at step four and takes place over the span of a few hours on a Monday morning.
SLIDE 5: Email #1
In the initial email, the attacker explains the vendor’s bank is being audited and as a result, all payments need to go to an alternate account via ACH.
SLIDE 6: Email #1 Response
There is initial success as the company responds back. However, instead of processing the request, the employee points out there are thousands of invoices and asks for specifics.
SLIDE 7: Email #2
Going for the maximum score, the attacker asks for all outstanding invoices. By asking for all invoices, the attacker has potentially triggered suspicion from the company’s AP department.
SLIDE 8: Email #2 Response
Little did the attacker know, but the compromised vendor has thousands of invoices with the company, and now the employee asks the attacker for copies of which invoices are open.
SLIDE 9: Email #3
The attacker responds back with 8 real invoice numbers totaling $921,000. Since the attacker has access to the vendor's files, and possibly cloud collaboration accounts as well, they are able to reply back with real information.
SLIDE 10: Email #3 Response
The company does not immediately reply to this email.
SLIDE 11: Email #4
Sensing something may be wrong, the attacker follows up just an hour later to their own email. They started a new email thread with the same subject line and invoice information. It’s common for a VEC attacker to show high urgency and aggressiveness when committing fraud. Their intention is to get away with the heist as soon as possible to avoid getting caught.
SLIDE 12: Email #4 Response
Not quite convinced, the company employee asks for the actual invoice attachments.
SLIDE 13: Email #5
As mentioned earlier, by having access to the victim's account, the attacker is able to send over real invoice attachments.
SLIDE 14: How Abnormal Stops VEC
Despite the short timeframe in which these emails transpired and the fact that no malware or phishing links were in the emails, Abnormal detected the attack and prevented the invoice fraud from taking place. There were several signals that indicated this was a vendor email compromise attack.
SLIDE 15: Portal Walkthrough
Abnormal Security uses a combination of Identity, Behavior, and Content analysis models in order to flag attacks:
- First, Identity Signals: The attack was flagged by our system for having an Unusual Sender.
  - Abnormal automatically learns the commonly used email addresses for all vendor and invoice-related communications.
  - This was flagged because we have never seen this particular email address having a relationship or talking with anyone in the targeted organization.
- Next, Behavioral Signals: Our models learn the vendor relationships.
  - It flagged the email due to never-before-seen communication from this IP or location.
  - The email IP address indicates the vendor email was sent from Nigeria, but the organization has never received an email from the vendor or this email address originating from Nigeria.
- Next, Text Classification Signals: Our models are trained and run on all messages processed by Abnormal. This is a core pillar used to detect the intent of the message.
  - Our content detector is used to flag financial content and invoice-related conversations.
  - Our model flagged the attack for having suspicious financial content verbiage.
Also, our attachment processing capability extracts attributes, key phrases, and dollar amounts for models to process. In this case, Abnormal processes the attachments of the given emails and concludes the attachments have high monetary value of, in this case, $921,000.
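The three signal families above can be illustrated with a per-vendor baseline, shown here as an added example that is not Abnormal Security's models or code. The history records, message bodies, and signal names are constructed, and keyword matching stands in for a trained text classifier.

```python
import re
from collections import defaultdict

# Constructed history: (vendor domain, sender address, source country).
HISTORY = [
    ("acme-supplies.example", "ar@acme-supplies.example", "US"),
    ("acme-supplies.example", "ar@acme-supplies.example", "US"),
    ("acme-supplies.example", "billing@acme-supplies.example", "CA"),
]
# Constructed message bodies.
ATTACK_BODY = ("Our bank is being audited, so all payments on open invoices "
               "need to go to an alternate account via ACH.")
ROUTINE_BODY = "Attached is invoice 1001 for May, payable on the usual terms."

# Keyword stand-ins for content analysis (assumption, not a real classifier).
FINANCIAL = re.compile(
    r"\b(ach|wire transfer|bank(ing)? (details|information|account)"
    r"|invoices?|remit)\b", re.I)
CHANGE = re.compile(
    r"\b(new|alternate|updated?|changed?)\b.{0,40}\baccount\b", re.I | re.S)

def build_baseline(history):
    """Learn which sender addresses and countries each vendor has used."""
    base = defaultdict(lambda: {"senders": set(), "countries": set()})
    for vendor, sender, country in history:
        base[vendor]["senders"].add(sender.lower())
        base[vendor]["countries"].add(country)
    return base

def signals(baseline, vendor, sender, country, body):
    """Return the identity, behavior and content signals one message raises."""
    seen = baseline.get(vendor)
    if seen is None:
        return ["unknown-vendor"]                 # no relationship on record
    found = []
    if sender.lower() not in seen["senders"]:
        found.append("unusual-sender")            # identity
    if country not in seen["countries"]:
        found.append("new-location")              # behavior
    if FINANCIAL.search(body) and CHANGE.search(body):
        found.append("payment-change-request")    # content
    return found

if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print(signals(base, "acme-supplies.example",
                  "accounts@acme-supplies.example", "NG", ATTACK_BODY))
```
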
SLIDE 15a: Deep Understanding of Your Organization
We baseline your organization across, and as mentioned, we use a combination of Identity, Behavior, and Content analysis and AI to understand your organization and learn the normal, good, and legitimate communications that happen between you and your partners and vendors.
SLIDE 16: 17 Days Later
Now, just because the attacker's takeover of the vendor's email account was stopped by Abnormal, that doesn’t deter the criminal from pursuing the organization.
SLIDE 17: The Follow-up Incident
Seventeen days later, our system detected the same attacker sending an email from a domain that was registered less than one month ago, targeting the same group of employees asking for a payment to be made via a wire transfer.
SLIDE 18: The Follow-Up Incident - Attachment
The attacker sent real invoices from the vendor. This follow-up attack was also flagged and stopped by Abnormal.
SLIDE 19: VendorBase Intro
In an effort to stop Vendor Email Compromise fraud, Abnormal recently launched VendorBase, a global, federated database of vendor and customer behaviors to stop supply chain compromise.
SLIDE 19: VendorBase
For enterprises with thousands of vendors in their supply chain, it’s a monumental challenge to have real-time insights into which ones are known risks to your organization. VendorBase automates this process and removes the manual burden of remediating and investigating VEC attacks from compromised vendors. VendorBase tracks the reputations of an organization’s vendors and customers, and improves detection and accuracy of advanced social engineering attacks. Benefits include:
- No Configuration or Setup Required: Automatically classifies vendors and customers based on your email communication.
- Continuous Reputation and Risk Scoring: Automatically computed vendor/customer risk score based on domains being impersonated or spoofed, accounts being compromised, or suspicious and/or illegitimate businesses.
- Stop Attacks, Enable Remediation: Provides detailed views of all vendors, stops supply chain attacks from impersonated, spoofed, or compromised vendors.
To learn more about how Abnormal uses VendorBase, request a demo today.