In case you missed it, last week, Abnormal Security participated in the Information Security Media Group (ISMG) Webinar called “The Rising Threat of Vendor Email Compromise in a Post-SolarWinds Era.” You can access the full script below.
Abnormal Security’s Sr. Product Marketing Manager Roman Tobe reports on the advancement of BEC and VEC attacks and covers why and how VEC attacks continue to rise while bypassing traditional email security gateways. These attacks are similar to the techniques used in the SolarWinds breach, which shook the cybersecurity industry in a profound way and opened the world’s eyes to supply chain attacks.
Additionally, Tobe highlights key findings from Abnormal’s latest VEC report such as:
Next, listeners will hear the steps involved in a VEC attack, as well as a breakdown of a high-profile VEC attack caught in the wild attempting to steal close to $1M.
To close, Tobe discusses Abnormal’s launch of VendorBase, a global, federated database of vendor and customer behaviors to stop supply chain compromise. VendorBase automates the process of identifying known risks in your supply chain and removes the manual burden of remediating and investigating VEC attacks from compromised vendors, improving the detection accuracy of advanced social engineering attacks.
You can read the full webinar transcript below:
Thank you for joining us today. We are going to talk about The Rising Threat of Vendor Email Compromise today. If that term is new to you or you haven’t heard of it before, by the end of this session you’ll be an expert on what it is because Abnormal Security is the industry leader in prevention and research on this topic.
SLIDE 0: BEC
Before we dive into Vendor Email Compromise, I want to spend a minute or two talking about BEC, which you may have heard of but I want to make sure it’s well understood before we move on. BEC stands for business email compromise, and it is a type of email scam but I would also call it a superset of Vendor Email Compromise crime.
You’ll find similar characteristics in BEC that you will in VEC. A common trait of BEC is that it does not contain malware or malicious URLs, and due to that technique, it is able to bypass conventional email security measures like SEGs. BEC relies on the implicit authenticity of business emails – meaning there’s some measure of impersonation or compromise going on. And because of that, it takes advantage of the victim’s trust in the impersonated identity.
The losses from BEC are massive. $1.7B in 2019 alone.
SLIDE 1: Vendor Email Compromise Definition
In short, VEC is a type of cyber attack where a criminal gains access to an email account with the intent to disrupt the supply chain by stealing money.
The reason why VEC is such a big problem is because this type of attack has a much greater probability of success than other attacks. Because the criminal gains access to a vendor’s email account, the communications are trusted. Conversely, these attacks are some of the more difficult to spot, as less than 1 in ten million emails represents an advanced email attack.
SLIDE 1a: Why is VEC so dangerous?
When a vendor email account is compromised, the attacker creates socially engineered attacks from trusted domains that have already been emailing into your organization without any issues. Typically, the attackers, when they do have access to an account, do not raise any flags when they start communicating with the target. Their initial emails do not contain a payload, there’s no malware or malicious URLs, nor do the attacks themselves originate from bad domains that are on threat intelligence lists or domains to reject at the gateway. This is all intended to bypass any red flags that could be spotted by a secure email gateway.
SLIDE 1b: SolarWinds: Started as a VEC Attack
Many of us on the call are familiar with SolarWinds or have some understanding of the attack. The historic attack on SolarWinds shook the cybersecurity industry in a profound way and opened the world’s eyes to supply chain attacks. Nearly two months after public disclosure, we now know that it was a high-profile example of a Vendor Email Compromise attack (VEC).
SolarWinds stated that an “email account was compromised and used to programmatically access accounts of targeted SolarWinds personnel in business and technical roles.” The attack went undetected by its email security defenses for at least nine months, according to the Wall Street Journal.
SLIDE 2: Vendor Email Compromise Names
If the name does not look familiar, it may be because you’re calling it by a different name. VEC can go by Vendor Email Compromise, supply chain fraud, invoice fraud, payment fraud, invoice origination fraud, fake vendors, and others.
SLIDE 2a: Rising Threat of Vendor Email Compromise
Recently, Abnormal Security put a spotlight on trends in VEC in our Q1 2021 Threat Research Report “The Rising Threat of Vendor Email Compromise in a Post-SolarWinds Era”. In the report, Abnormal went in-depth into the world of Vendor Email Compromise (VEC) and outlined the rate of acceleration as well as the financial threat these attacks pose to businesses without proper controls in place. Some of the key takeaways:
SLIDE 3: Five Steps of VEC
There are 5 steps in a VEC attack:
The first step is reconnaissance. Here, the attacker picks their target intentionally. They perform online research and even send out recon emails to test which email addresses are valid.
Step 2, Compromise. This is potentially done through buying credentials on the darknet, through sending credential phishing emails, or by finding which vendor accounts have MFA vulnerabilities. However it happens, a VEC attack is not possible without compromising the account and gaining access.
Step 3 is to wait. This step is optional. Once the attacker is in the account, they may wait for a conversation related to payments to naturally occur. In less patient situations, the attacker might skip this step and force the issue by initiating a banking change.
Step 4 is the Strike. The attack is underway in earnest when the criminal engages with the accounts payable team and asks for banking changes to existing or new invoice(s). In order for the heist to succeed, the attacker must redirect existing banking information from the real vendor to their accounts. This is a hallmark of the VEC attack. Depending on the situation, criminals may not increase commonly found invoice amounts.
Step 5 is a redirect (Optional). This is also an optional step. When a conversation is underway, it’s common for the attacker to fork the conversation to a lookalike vendor domain to keep the conversation further away from the real vendor and their SOC team. This happens via a mail rule change, where the Reply-To address changes to the lookalike domain. A redirect is not a hard and fast rule but does happen.
SLIDE 4: A real world example
The following example begins at Step 4 and takes place over the span of a few hours on a Monday morning.
SLIDE 5: Email #1
In the initial email, the attacker explains the vendor’s bank is being audited and as a result all payments need to go to an alternate account via ACH.
SLIDE 6: Email #1 Response
There is initial success as the company responds back. However, instead of processing the request, the employee points out there are thousands of invoices and asks for specifics.
SLIDE 7: Email #2
Going for the maximum score, the attacker asks for all outstanding invoices. By asking for all invoices, the attacker has potentially triggered suspicion from the company’s AP department.
SLIDE 8: Email #2 Response
Little did the attacker know, but the compromised vendor has thousands of invoices with the company, and now the employee asks the attacker for copies of which invoices are open.
SLIDE 9: Email #3
The attacker responds back with 8 real invoice numbers totaling $921,000. Since the attacker has access to the vendor’s files, and possibly cloud collaboration accounts as well, they are able to reply back with real information.
SLIDE 10: Email #3 Response
The company does not immediately reply to this email.
SLIDE 11: Email #4
Sensing something may be wrong, the attacker follows up just an hour later to their own email. They started a new email thread with the same subject line and invoice information. It’s common for a VEC attacker to show high urgency and aggressiveness when committing fraud. Their intention is to get away with the heist as soon as possible to avoid getting caught.
SLIDE 12: Email #4 Response
Not quite convinced, the company employee asks for the actual invoice attachments.
SLIDE 13: Email #5
As mentioned earlier, by having access to the victim’s account, the attacker is able to send over real invoice attachments.
SLIDE 14: How Abnormal Stops
Despite the short timeframe in which these emails transpired, and the fact that no malware or phishing links were in the emails, Abnormal detected the attack and prevented the invoice fraud from taking place. There were several signals that indicated this was a Vendor Email Compromise attack.
SLIDE 15: Portal Walkthrough
Abnormal Security uses a combination of Identity, Behavior, and Content analysis models in order to flag attacks:
SLIDE 15a: Deep understanding of your organization
We baseline your organization and, as mentioned, we use a combination of Identity, Behavior, and Content analysis and AI to understand your organization and learn the normal, good and legitimate communications that happen between you and your partners and vendors.
SLIDE 16: 17 Days Later
Now, just because the attacker’s takeover of the vendor’s email account was stopped by Abnormal, that doesn’t deter the criminal from pursuing the organization.
SLIDE 17: The Follow-up Incident
17 days later, our system detected the same attacker sending an email from a domain that was registered less than one month ago, targeting the same group of employees asking for a payment to be made via a wire transfer.
SLIDE 18: The Follow-up Incident – Attachment
The attacker sent real invoices from the vendor. This follow-up attack was also flagged and stopped by Abnormal.
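The Step 5 redirect (a Reply-To pointing at a lookalike vendor domain) and the follow-up incident (a freshly registered domain asking for a wire transfer) are both signals a mail pipeline can check for itself. The following Python is an added example written for this post, not Abnormal’s detection logic or any part of VendorBase: the vendor domains, registration dates, message samples and the phrase lists are all constructed, and the 30-day “new domain” threshold and two-character lookalike distance are assumptions chosen for illustration.

```python
import re
from datetime import date
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed baseline: vendor domains this organization already exchanges mail with.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example"}

# Constructed stand-in for a domain-age lookup; a real deployment would query
# WHOIS/RDAP or a threat-intel feed for the registration date.
DOMAIN_REGISTERED = {
    "acme-supplies.example": date(2012, 3, 1),
    "acme-suppiles.example": date(2021, 2, 20),  # lookalike, registered weeks ago
}
NEW_DOMAIN_DAYS = 30  # assumed threshold for "recently registered"

# Word-bounded so that "attached" does not match "ach".
BANKING_RE = re.compile(r"\b(bank(ing)?|ach|wire transfer|routing|account number|remit(tance)?)\b")
URGENCY_RE = re.compile(r"\b(urgent(ly)?|asap|immediately|as soon as possible)\b")
BANKING_SIGNAL = "requests a banking change or payment redirection"


def domain_of(header_value):
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def levenshtein(a, b):
    """Edit distance, used to spot lookalike domains a couple of characters off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains, max_distance=2):
    """Return the known vendor domain this domain imitates, if any."""
    for known in known_domains:
        if domain != known and levenshtein(domain, known) <= max_distance:
            return known
    return None


def vec_signals(raw_message, today=date(2021, 3, 8)):
    """Return (category, description) pairs for one RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_domain
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    signals = []
    # Identity: the Step 5 fork of the thread to a different reply domain.
    if reply_domain != from_domain:
        signals.append(("identity", f"Reply-To domain {reply_domain} differs from From domain {from_domain}"))
    for dom in sorted({from_domain, reply_domain}):
        known = lookalike_of(dom, KNOWN_VENDOR_DOMAINS)
        if known:
            signals.append(("identity", f"{dom} is a lookalike of known vendor {known}"))
        registered = DOMAIN_REGISTERED.get(dom)
        if registered and (today - registered).days < NEW_DOMAIN_DAYS:
            signals.append(("identity", f"{dom} was registered {(today - registered).days} days ago"))
    # Content: the Step 4 strike language and the urgency that goes with it.
    if BANKING_RE.search(body):
        signals.append(("content", BANKING_SIGNAL))
    if URGENCY_RE.search(body):
        signals.append(("content", "uses urgent language"))
    return signals


def is_suspected_vec(raw_message, today=date(2021, 3, 8)):
    """Flag only when a banking request coincides with an identity anomaly."""
    signals = vec_signals(raw_message, today)
    has_identity = any(category == "identity" for category, _ in signals)
    has_banking = any(description == BANKING_SIGNAL for _, description in signals)
    return has_identity and has_banking


# Constructed sample messages modelled on the incident, not the real emails.
REDIRECT_MSG = (
    "From: AP Team <ap@acme-supplies.example>\n"
    "Reply-To: AP Team <ap@acme-suppiles.example>\n"
    "To: payables@customer.example\n"
    "Subject: Updated remittance details\n"
    "\n"
    "Our bank is being audited, so please send all outstanding payments\n"
    "by ACH to the alternate account below as soon as possible.\n"
)
FOLLOWUP_MSG = (
    "From: AP Team <ap@acme-suppiles.example>\n"
    "To: payables@customer.example\n"
    "Subject: Open invoices\n"
    "\n"
    "Please arrange a wire transfer for the attached invoices immediately.\n"
)
BENIGN_MSG = (
    "From: AP Team <ap@acme-supplies.example>\n"
    "To: payables@customer.example\n"
    "Subject: Invoice 4471\n"
    "\n"
    "Attached is invoice 4471 for the March shipment. Let us know if you have questions.\n"
)

if __name__ == "__main__":
    for name, raw in (("redirect", REDIRECT_MSG), ("follow-up", FOLLOWUP_MSG), ("benign", BENIGN_MSG)):
        print(name, is_suspected_vec(raw), vec_signals(raw))
```

The check deliberately requires both a content signal and an identity signal before flagging, because a known vendor legitimately sending an invoice should not trip on the banking vocabulary alone; the redirect message is caught by its Reply-To fork and lookalike domain, and the follow-up by the domain’s age.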
SLIDE 19: VendorBase Intro
In an effort to stop Vendor Email Compromise fraud, Abnormal launched VendorBase, a global, federated database of vendor and customer behaviors to stop supply chain compromise.
SLIDE 19: VendorBase
For enterprises with thousands of vendors in their supply chain, it’s a monumental challenge to have real-time insights into which ones are known risks to your organization. VendorBase automates this process and removes the manual burden of remediating and investigating VEC attacks from compromised vendors. VendorBase tracks the reputations of an organization’s vendors and customers, and improves detection accuracy of advanced social engineering attacks. Benefits include:
© 2021 Abnormal Security Corporation.
All rights reserved.