Today we have a fascinating tale of a business email compromise (BEC) group that steers clear of impersonating executives and instead inserts itself into its victims' supply chains. The attack may sound overly complicated, but it is a fairly streamlined operation with one aim: making a lot of money.
BEC follows a few different patterns, but primarily revolves around an approach by a criminal who has compromised or spoofed an executive-level email account.
The criminal sends one or more “urgent” emails to a more junior employee about moving money from inside the business to somewhere else entirely. Some attackers perform reconnaissance in advance so they can target people in HR, finance, or accounts.
The criminal is likely to insist the money is moved quickly, and that nobody else is involved.
This technique has been around for a number of years, and some folks are getting wise to it. As a result, attackers are trying to broaden how these scams operate to give them the best chance of flying under the radar.
What we're looking at below is Vendor Email Compromise (VEC). Instead of going after a target company directly, attackers map out its network of vendors, clients, customers, suppliers…you name it, they'll try and chart it all. From there, it's a case of identifying the weak links in the chain and pursuing them as best they can.
A lookalike domain and some social engineering may be all it takes to get the job done.
The group at the heart of this particular campaign, the bizarrely monikered "Firebrick Ostrich", has been flagged as having its hand in no fewer than 350 campaigns dating back several years. 151 organisations were spoofed across 200 or so different URLs. The attacks were US-centric, aimed squarely at US businesses.
According to Abnormal Intelligence, the group behind the research, Firebrick Ostrich's activity peaked, in terms of volume, in August 2022, and most of the domains behind the URLs used in its campaigns were less than a day old when they were used.
The steps to success for the VEC group are listed as follows:
If the initial approach succeeds, a follow-up mail from the fake vendor supplies altered payment details for the victim to wire funds to. Abnormal Security notes that in some cases the payment details arrive in a PDF attached to the mail rather than in the message itself. It's possible that this is done to bypass email filters that look for suspicious content, such as bank details, in the body of the mail.
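The indicators above (a sender domain that imitates a real vendor, a domain registered only hours before use, and payment instructions tucked into a PDF rather than the body) can all be checked mechanically before a finance team ever sees the mail. The following Python script is an added example, written for this page and not code from the original article or from Abnormal Security. Everything in it is constructed for illustration: the vendor list stands in for an organisation's vendor master file, the registration-date table stands in for a WHOIS/RDAP lookup, attachment "content" is assumed to be text already extracted from the PDF, and the two sample messages are made up.

```python
"""Score inbound vendor e-mail for the VEC indicators described above.

Added example, not code from the original article or from Abnormal Security.
Everything here is constructed for illustration:
- KNOWN_VENDORS stands in for the organisation's vendor master file.
- DOMAIN_CREATED stands in for a WHOIS/RDAP registration-date lookup.
- Attachment "content" is assumed to be text already extracted from the PDF.
"""
from datetime import date

KNOWN_VENDORS = {"acme-supplies.com", "northwind-traders.com"}

# Constructed registration dates; a real deployment would query WHOIS/RDAP.
DOMAIN_CREATED = {
    "acme-supplies.com": date(2009, 3, 14),
    "northwind-traders.com": date(2012, 6, 30),
    "acme-supp1ies.com": date(2023, 2, 1),  # lookalike registered the day before use
}

# Terms that signal payment instructions, wherever they appear.
PAYMENT_TERMS = ("bank", "account number", "routing", "iban", "swift", "wire", "remit")
NEW_DOMAIN_DAYS = 30
TODAY = date(2023, 2, 2)  # fixed so the example is reproducible


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_vendor(domain, vendors=KNOWN_VENDORS, max_distance=2):
    """Return the vendor domain that `domain` imitates, or None.

    A domain is a lookalike if it reuses a vendor's name under another TLD
    (acme-supplies.net) or sits within a couple of edits of it (acme-supp1ies.com).
    An exact match is the real vendor and is not flagged.
    """
    d = domain.lower()
    if d in vendors:
        return None
    name = d.split(".", 1)[0]
    for v in sorted(vendors):
        if v.split(".", 1)[0] == name or levenshtein(d, v) <= max_distance:
            return v
    return None


def score_message(msg, today=TODAY, vendors=KNOWN_VENDORS, created=DOMAIN_CREATED):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    sender_domain = msg["from"].rsplit("@", 1)[-1].lower()

    imitated = lookalike_vendor(sender_domain, vendors)
    if imitated:
        findings.append(f"sender domain {sender_domain} resembles vendor {imitated}")

    registered = created.get(sender_domain)
    if registered is None:
        findings.append(f"no registration record for {sender_domain}")
    elif (today - registered).days < NEW_DOMAIN_DAYS:
        findings.append(f"{sender_domain} registered {(today - registered).days} day(s) ago")

    text = f"{msg['subject']} {msg['body']}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        findings.append("payment instructions in message body")

    # Look inside attachments too: the body may be clean precisely because the
    # bank details were moved into a PDF.
    for name, content in msg.get("attachments", {}).items():
        if name.lower().endswith(".pdf") and any(term in content.lower() for term in PAYMENT_TERMS):
            findings.append(f"payment instructions inside attachment {name}")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = {
    "from": "ar@acme-supplies.com",
    "subject": "Invoice 4471",
    "body": "Please find attached invoice 4471 for January.",
    "attachments": {"invoice-4471.pdf": "Invoice 4471, total 12,400 USD, due in 30 days."},
}
FRAUD = {
    "from": "ar@acme-supp1ies.com",
    "subject": "Invoice 4471",
    "body": "Please see the attached PDF before settling invoice 4471.",
    "attachments": {"new-remittance.pdf": "Remit payment to account number 00123456, routing 021000021."},
}

if __name__ == "__main__":
    for label, msg in (("legit", LEGIT), ("fraud", FRAUD)):
        print(label, score_message(msg) or ["no findings"])
```

Run stand-alone, the script reports nothing for the legitimate invoice and three findings for the fraudulent one: a lookalike sender domain, a domain registered a day earlier, and payment details hidden in the attachment. The body check alone would have passed the fraudulent mail, which is the point of scanning attachments. Note that a lookalike check only works against a maintained list of real vendor domains, and a domain-age check needs a registration-data source; neither replaces calling the vendor on a number already on file before changing bank details.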
With all of the imitation details in place, from fake emails and lookalike URLs to the use of real employee names of the impersonated vendor in some communications (so that a quick Google or LinkedIn search appears to confirm the sender), this attack could very well cause big problems for an organisation.
Given that this particular group does not appear to target one industry sector specifically, spanning manufacturing, retail, energy and education, it could affect any business, and if it's successful, it will be imitated.
The best defence against these kinds of attacks is to ensure that staff are aware that they exist and how they work. Many scams rely on isolating and hurrying employees so that they are less diligent, so it also helps to have processes that ensure more than one employee is involved in significant transactions, and that any change to a vendor's payment details is confirmed with the vendor using contact details already on file rather than those in the email.
Stay safe out there!