The 4 Most Damaging Types of Financial Supply Chain Compromise
Understanding the ways cybercriminals execute financial supply chain compromise is key to preventing your organization from falling victim to an attack.
Financial supply chain compromise is on the rise. Starting in January 2022 (and continuing every month since), threat actors have impersonated third parties more than internal employees in business email compromise (BEC) attacks.
Understanding the ways cybercriminals execute these sophisticated BEC attacks is key to preventing your organization from falling victim to one.
In a previous post, we discussed the basic elements of financial supply chain compromise. In this post, we’ll explore the four subsets of financial supply chain compromise: vendor email compromise, aging report theft, third-party reconnaissance attacks, and blind third-party impersonation attacks.
1. Vendor Email Compromise
The most impactful form of financial supply chain compromise is vendor email compromise, or VEC. VEC attacks generally occur in two phases. First, the attacker compromises the mailbox of a high-value target at a vendor or supplier company—generally accounts payable specialists or other employees who handle customer payments.
This initial compromise is often the result of a credential phishing attack. The threat actor will send a phishing email impersonating an enterprise application, such as Microsoft OneDrive, SharePoint, Adobe, or DocuSign, and then ask the recipient to “validate” their identity by providing their login credentials.
Once a vendor employee’s mailbox has been compromised, the attacker begins collecting information that will help them in the next phase of the attack. In many cases, the threat actor will create a forwarding or redirect rule that sends copies of all incoming mail containing certain keywords to their own inbox. An attacker may sit on a compromised mailbox for days, weeks, and sometimes even months to gain in-depth visibility into vendor-customer communication patterns, payment dates and amounts, and primary customer contacts.
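The forwarding and redirect rules described above leave a trace in mailbox audit logs, which is where a defender can catch this phase. The following detector is an added example, not code from the original post or from any email security product: it scans constructed audit events for rule creations that forward mail to an external domain, filter on payment keywords, delete the original copy, or carry a blank name. The event shape (fields such as `op`, `user`, `params`, `ForwardTo`, `SubjectContainsWords`) is an assumption loosely modelled on mailbox rule audit records, not a vendor's real schema, and the internal domain list and keyword set are assumptions a deployment would replace.

```python
"""Flag suspicious inbox rules of the kind attackers create after a
mailbox compromise.  Added example; event format, domains and keyword
list are constructed assumptions, not real log data or a real schema."""
import json

# Domains the organization owns; any other recipient is external (assumption).
INTERNAL_DOMAINS = {"vendor.example"}

# Keywords an attacker harvesting payment traffic is likely to filter on.
PAYMENT_KEYWORDS = {"invoice", "payment", "remittance", "wire", "ach", "bank"}

FORWARD_FIELDS = ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo")
KEYWORD_FIELDS = ("SubjectContainsWords", "BodyContainsWords",
                  "SubjectOrBodyContainsWords")

# Constructed sample audit events (one JSON object per line).
SAMPLE_EVENTS = r'''
{"ts":"2023-03-01T08:12:44Z","op":"New-InboxRule","user":"ap.clerk@vendor.example","params":{"Name":"Archive","MoveToFolder":"Archive","SubjectContainsWords":["newsletter"]}}
{"ts":"2023-03-01T22:03:10Z","op":"New-InboxRule","user":"ap.clerk@vendor.example","params":{"Name":".","ForwardTo":["ap.clerk.backup@mail-example.net"],"SubjectContainsWords":["invoice","payment"],"DeleteMessage":true}}
{"ts":"2023-03-02T09:30:00Z","op":"Set-InboxRule","user":"ap.clerk@vendor.example","params":{"Name":"Team copy","RedirectTo":["shared.ap@vendor.example"]}}
'''


def domain_of(address):
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def analyze_rule(params):
    """Return a list of human-readable findings for one rule's parameters."""
    findings = []

    # Signal 1: mail leaves the organization.
    targets = [t for field in FORWARD_FIELDS for t in params.get(field, [])]
    external = [t for t in targets if domain_of(t) not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards to external recipient(s): " + ", ".join(external))

    # Signal 2: the rule selects payment-related mail.
    words = {w.lower() for field in KEYWORD_FIELDS for w in params.get(field, [])}
    hits = sorted(words & PAYMENT_KEYWORDS)
    if hits:
        findings.append("filters on payment keywords: " + ", ".join(hits))

    # Signal 3: the owner never sees the forwarded message.
    if params.get("DeleteMessage"):
        findings.append("deletes the original message after forwarding")

    # Signal 4: a name made only of dots, dashes or spaces hides the rule in the UI.
    name = params.get("Name", "")
    if not name.strip(". -_"):
        findings.append("rule name is blank or consists only of punctuation: %r" % name)

    return findings


def scan(jsonl):
    """Scan JSON-lines audit events and return one alert per suspicious rule."""
    alerts = []
    for line in jsonl.strip().splitlines():
        event = json.loads(line)
        if event.get("op") not in {"New-InboxRule", "Set-InboxRule"}:
            continue
        findings = analyze_rule(event.get("params", {}))
        if findings:
            alerts.append({
                "ts": event["ts"],
                "user": event["user"],
                "rule": event["params"].get("Name"),
                "findings": findings,
                # Two or more independent signals together are a strong indicator.
                "severity": "high" if len(findings) >= 2 else "low",
            })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(json.dumps(alert, indent=2))
```

Only the second event fires (an external forward, payment keywords, message deletion and a one-character name all at once); the internal redirect and the newsletter rule pass. An external forward on its own is a common legitimate configuration, which is why the severity is driven by how many signals coincide rather than by any single one.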
When the opportunity arises, the threat actor initiates the second phase of the attack, in which they impersonate the vendor and send a fake invoice along with “updated” bank account information to one of the vendor’s customers. While an attacker may leverage their access to a vendor employee’s mailbox to send emails directly from that account, most threat actors will set up separate accounts and use those to communicate with the victim. Usually, this will involve an attacker registering a lookalike domain that resembles the vendor’s legitimate domain.
To make the email appear as legitimate as possible, threat actors will often include the content of previous vendor-customer communications in the message—a tactic known as thread hijacking. The attacker may also use a duplicate of the vendor’s actual invoice or other financial documents that have been stolen from the compromised mailbox and just change the bank account details.
Because the threat actor has taken the time to craft a remarkably realistic-looking message, the vendor’s customer is none the wiser, pays the invoice, and sends money directly to the attacker’s account.
2. Aging Report Theft
Aging report theft is a subset of financial supply chain compromise that has become increasingly common over the last few years. While these attacks are similar to vendor email compromise in that they use insider information to craft contextually accurate attacks, they don’t necessarily rely on the compromise of an email account to gather information.
Instead, threat actors steal a copy of a single document—an internal aging report—to collect the intelligence needed to facilitate their attacks.
Also known as a schedule of accounts receivable, an aging report lists all unpaid customer invoices and unused credit memos. It acts as a quick reference guide, summarizing all outstanding payments owed to an organization and details about who to contact to inquire about those payments. These reports contain all the information a cybercriminal needs: who to target, when to target them, and how much to ask for.
Much like other types of traditional BEC attacks, the attacker first sends an email impersonating the CEO or CFO. Rather than asking an employee to make a financial transaction, however, the threat actor simply requests a copy of a current aging report. Most of these initial emails are careful to specify that the reports also need to contain all customer contact information in addition to outstanding balances—an important step to knowing who to contact.
With the report in hand, the attacker begins contacting that company’s customers, requesting they pay the outstanding balances, while also notifying them that the payments should be redirected to a new account. In many cases, a threat actor will register a lookalike domain that looks similar to the vendor’s actual domain and will impersonate the same individual who was targeted in the first stage of the attack.
The attackers behind aging report theft don’t have access to the same type of in-depth intelligence gleaned from a compromised mailbox used in a VEC attack. That said, the information available in an aging report, combined with sophisticated impersonation tactics, increases the overall effectiveness of these attacks—making it one of the more impactful financial supply chain compromise attacks seen today.
3. Third-Party Reconnaissance Attacks
Third-party reconnaissance occurs when a threat actor knows there is a relationship between two organizations but has limited or no knowledge about actual outstanding payments. The attacker in these cases has the necessary context to impersonate a vendor but not enough information to be specific in their payment request. These attacks typically depend on open source research in lieu of using information gained from an account compromise or document theft.
Many organizations are unaware of just how much information is available on the internet about vendor-customer relationships. For example, many state and local governments offer detailed information about existing and previous contracts on their websites. These records provide key insights into the services a vendor has provided, contact information for both the vendor and customer, and the total contract amounts.
Additionally, court records can provide a trove of information about business activities, names of key stakeholders and executives, or financial details from legal proceedings. This information is often accessible online through various public records sources for free or for a small fee.
As with every financial supply chain compromise attack, the threat actor begins by impersonating the vendor and emailing a customer, inquiring about a potential outstanding payment. However, because the attacker doesn’t have specific knowledge about an actual overdue invoice, these initial emails tend to be more generic. Instead of referencing actual amounts, a threat actor may ask if there are any payments in process, request a copy of the invoice, and mention that their payment account details have recently changed.
Attackers may also choose to play the long game. Rather than inquiring about current amounts due, they may send an email informing the vendor’s customer that the bank account information has been changed. This tactic is less likely to raise any red flags, and, as a result, the employee will update the bank account details, ensuring any future payments will be redirected to the threat actor’s account.
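Three of the attack types above share the same two inbound signals: a sender domain that merely resembles a known vendor's domain (the lookalike domains used in VEC and aging report theft), and a message announcing that bank or remittance details have changed (the "long game" just described). The following scorer is an added example, not code from the original post or from any product: it checks the sender's registrable domain against a list of known vendor domains using homoglyph normalization and a similarity ratio, looks for bank-change wording, and recommends holding the message for out-of-band verification when both signals coincide. The vendor list, homoglyph table, similarity threshold, regular expressions and sample messages are all constructed assumptions.

```python
"""Score inbound payment mail for vendor lookalike domains and bank-change
wording.  Added example; vendor list, homoglyph table, patterns, threshold
and messages are constructed assumptions, not data from the original post."""
import re
import unicodedata
from difflib import SequenceMatcher

# Domains of vendors the organization actually pays (assumption).
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northwind.example"}

# Small table of visually confusable substitutions (assumption, not exhaustive).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Wording that announces new or changed payment instructions (heuristic).
BANK_CHANGE_PATTERNS = [
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|wire|ach|remit(tance)?)\b",
    r"\b(bank|account|banking)\b.{0,40}\b(has|have|recently)\b.{0,20}\bchanged\b",
]

# Constructed sample messages.
SAMPLE_MESSAGES = [
    {"from": "billing@acme-supp1y.example",
     "subject": "Updated remittance details - Invoice 4471",
     "body": "Please note our bank account details have recently changed. "
             "The invoice is attached; kindly remit to the new account."},
    {"from": "billing@acme-supply.example",
     "subject": "Invoice 4471",
     "body": "Please find attached invoice 4471, due on the 30th."},
    {"from": "ar@unrelated.example",
     "subject": "Q3 statement",
     "body": "Your statement is attached; no action is required."},
    {"from": "accounts@acme-supply-inc.example",
     "subject": "Past due",
     "body": "Our monthly invoices are past due; please confirm payment status."},
]


def registrable(domain):
    """Assumption: the last two labels form the registrable domain (no suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def normalize(domain):
    """Strip accents and undo common homoglyph substitutions for comparison."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for bad, good in HOMOGLYPHS.items():
        d = d.replace(bad, good)
    return d


NORMALIZED_VENDORS = {normalize(v): v for v in KNOWN_VENDOR_DOMAINS}


def lookalike_of(sender_domain, threshold=0.8):
    """Return (vendor_domain, similarity) if sender_domain imitates a known
    vendor domain without being one; None for exact matches and strangers."""
    raw = registrable(sender_domain)
    if raw in KNOWN_VENDOR_DOMAINS:
        return None                      # the vendor's real domain
    norm = normalize(raw)
    if norm in NORMALIZED_VENDORS:
        return NORMALIZED_VENDORS[norm], 1.0   # differs only by homoglyphs
    best = max(((v, SequenceMatcher(None, norm, normalize(v)).ratio())
                for v in KNOWN_VENDOR_DOMAINS), key=lambda t: t[1])
    return best if best[1] >= threshold else None


def bank_change_language(text):
    """Return the patterns that match; empty list means no bank-change wording."""
    return [p for p in BANK_CHANGE_PATTERNS if re.search(p, text, re.I | re.S)]


def assess(msg):
    """Combine both signals into a verdict and a list of findings."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1]
    hit = lookalike_of(sender_domain)
    if hit:
        findings.append("sender domain %s resembles vendor %s (similarity %.2f)"
                        % (sender_domain, hit[0], hit[1]))
    bank = bool(bank_change_language(msg["subject"] + "\n" + msg["body"]))
    if bank:
        findings.append("message announces new or changed bank account details")
    if hit and bank:
        verdict = "hold_and_verify"      # confirm by phone using a known-good number
    elif findings:
        verdict = "review"
    else:
        verdict = "pass"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["from"], "->", assess(m))
```

The first message (a digit-for-letter lookalike plus "details have recently changed") is held, the lookalike-only fourth message is queued for review, and the genuine vendor mail and the unrelated sender pass. Both signals are heuristics: "new account manager" would trip the wording check, and a lookalike registered under a different top-level domain needs a real public-suffix list rather than the two-label assumption used here, so the verdict is an input to a verification step, not a final decision.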
While these attacks are not quite as effective as those that utilize real information, they can still result in payments being made to the new bank—often for months before the error is discovered.
4. Blind Third-Party Impersonation Attacks
In each of the three previous categories, an attacker has at least basic knowledge about the relationship between a vendor and a customer. In a blind third-party impersonation attack, the final subset of financial supply chain compromise, however, the threat actor has no knowledge of whether there is a relationship between two companies or whether a payment is actually outstanding.
Instead, attackers behind blind impersonation attacks are relying on the hope that a target isn’t paying close attention to the email and just complies with the request.
Interestingly, we’ve noticed that many blind attacks impersonate some of the same third parties over and over again, sometimes for years. One of the organizations whose brand has been used in these attacks for at least the last two years is EUROCONTROL, an international organization that supports aviation across Europe.
Like other blind impersonation attacks, there’s no clear relationship between EUROCONTROL and the target organizations. In fact, in many cases, the target companies aren’t located in Europe or even part of the aviation industry, and the emails don’t reference specific payments. These attacks simply mention that a number of monthly invoices are past due.
In addition to directly impersonating third parties to request payments, we’ve also observed an increasing trend of threat actors impersonating intermediaries to request payments on behalf of third parties. The most common pretext used in these attacks is the impersonation of an attorney or debt collection officer requesting to settle an outstanding invoice.
Interestingly, in most of these attacks, the attacker impersonates a real person who works at an actual law firm. As a result, if an employee ran a quick Google search on the supposed sender’s identity, they would find real results that add legitimacy to the attack.
Like traditional BEC attacks impersonating company executives or other internal employees, blind third-party impersonation attacks rely on the effectiveness of pure social engineering to be successful. Even though they don’t use the breadth of intelligence we see in other types of financial supply chain compromise attacks, the fact that we continue to see them consistently increase in volume indicates that the ROI for blind impersonation attacks is worth it.
Reduce Your Risk of Financial Supply Chain Compromise
Due to their success, these attacks from our “vendors” are only going to increase, unless we stop them at their source. To stop aging report theft and other forms of financial supply chain compromise, organizations need an email security solution that understands identity, context, and content to block attacks before they reach inboxes. And preventing vendor email compromise requires a solution that can evaluate a vendor’s risk to determine if and when a vendor account may be compromised.
With the rapid increase in business email compromise and this shift to vendor-focused cybercrime, now is the time to secure your environment—before the next financial supply chain compromise attack targets your organization.
For additional insight into financial supply chain compromise and how to protect your organization from attacks, download our latest threat report.