Third-party risk series: Vendor Email Compromise
Last year we saw a lot of focus on third-party risk and how companies could work towards mitigating that threat. Our Security Practice Director, Saaim Khan, produced this executive summary, Navigating Third Party Information Security Risks, which looked at the risk from a Governance, Risk and Compliance perspective. In this blog series, we'll look at some of the specific ways attackers are exploiting third-party risk, break down each attack vector and identify how organisations can protect themselves against the threat.
In our first post, we'll be looking at the breakout term of 2019, Vendor Email Compromise (VEC). InfoTrust's Senior Security Engineer, John Aziz, explains more below.
What is Vendor Email Compromise (VEC)?
Vendor Email Compromise is a term that was coined in 2019. As you've probably guessed, it's closely aligned to Business Email Compromise (BEC), where an attacker usually spoofs a senior individual within a business and sends an email to one of their coworkers with an urgent request, such as a payment or the sharing of sensitive information. The classic example is the CEO-to-CFO attack: the cybercriminal pretends to be the CEO and requests an urgent payment from the CFO to a supplier. The CFO obliges, wanting to do a good job, and later finds out that it wasn't in fact the CEO and that they've transferred money to a cyberattacker's bank account.
VEC uses the same technique, but the attacker focuses on known suppliers or third parties that the victim organisation uses or partners with. This requires a large amount of time and resources to research and obtain the level of detail needed to carry out the attack successfully. This reconnaissance will typically take place after the initial intrusion, which could be a phishing email that an employee has unknowingly fallen victim to, giving the attacker access to their email account.
Once the attacker is inside a staff member's account, they are able to create forwarding rules and gather further intelligence about that staff member's email behaviour with the third party: dates payments are due, typical requests and billing practices. After enough information has been gathered, the attacker inserts themselves into the correspondence, sending a fake invoice at the correct time with the right information, other than the fact that the bank details have changed.
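The forwarding and hide-the-evidence rules described above are one of the few artefacts a defender can hunt for before the fake invoice arrives. The following added example (not code from the original post, InfoTrust or Agari) triages a constructed export of mailbox rules and flags external forwarding, rules that bury finance-related mail, and near-blank rule names; the domain, folder names and keyword list are assumptions you would tune for your own tenant.

```python
import re
from dataclasses import dataclass, field

# Assumption: domains owned by the organisation (constructed value).
INTERNAL_DOMAINS = {"example-corp.com"}
# Subject keywords an attacker typically watches while intercepting vendor mail.
FINANCE_KEYWORDS = re.compile(r"\b(invoice|payment|remit|bank|bsb|account)\b", re.I)
# Folders commonly used to hide intercepted mail from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "deleted items", "archive", "junk email"}

@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)        # forward/redirect targets
    subject_contains: list = field(default_factory=list)  # subject match conditions
    delete_message: bool = False
    move_to_folder: str = ""

def is_external(address: str) -> bool:
    """True when the address belongs to a domain the organisation does not own."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def triage_rule(rule: InboxRule) -> list:
    """Return the reasons this rule resembles post-compromise tradecraft (empty if none)."""
    reasons = []
    ext = [a for a in rule.forward_to if is_external(a)]
    if ext:
        reasons.append("forwards to external address(es): " + ", ".join(ext))
    watches_finance = any(FINANCE_KEYWORDS.search(s) for s in rule.subject_contains)
    hides = rule.delete_message or rule.move_to_folder.lower() in HIDING_FOLDERS
    if watches_finance and hides:
        reasons.append("hides finance-related mail from the mailbox owner")
    if len(rule.name.strip()) <= 2:
        reasons.append("blank or single-character rule name")
    return reasons

def triage(rules: list) -> dict:
    """Map mailbox -> [(rule name, reasons)] for every rule that raised a reason."""
    findings = {}
    for r in rules:
        reasons = triage_rule(r)
        if reasons:
            findings.setdefault(r.mailbox, []).append((r.name, reasons))
    return findings

# Constructed sample export: one benign filing rule, one attacker-style rule, one unrelated rule.
SAMPLE_RULES = [
    InboxRule("ap.clerk@example-corp.com", "Vendor invoices", subject_contains=["invoice"],
              move_to_folder="Invoices"),
    InboxRule("ap.clerk@example-corp.com", ".", forward_to=["collector@webmail-example.net"],
              subject_contains=["invoice", "payment"], delete_message=True),
    InboxRule("cfo@example-corp.com", "Board papers", move_to_folder="Board"),
]
```

Feed it the rule export from your mail platform and review any mailbox that appears in the result, since a benign filing rule (the first sample) produces no finding while the attacker-style rule produces three.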
Silent Starling and Ancient Tortoise
The reason this new attack type is so terrifying is that it's working, and very well. Cybercriminals are able to be extremely detailed with their invoices and timing, which makes it very difficult for the end-user to detect that there's an issue. Our partner Agari's Cyber Intelligence Division (ACID) released a report last year which looked at a cybercriminal gang in Nigeria that had been undertaking these attacks with great success. From their research they identified that the Silent Starling gang had between 8 and 10 people working for it, had been operating at least since 2018, and had targeted about 500 businesses in the space of a year.
To read the full Silent Starling report from ACID click here.
In another example found by ACID at the start of 2020, a group named Ancient Tortoise was observed impersonating CFOs and requesting a copy of an updated aging report, as well as the contact information for each customer's accounts payable contact. Once the Ancient Tortoise gang had obtained this intelligence, the attackers would leverage it to contact the customers' accounts payable departments listed in the aging report, requesting payment for the invoices referenced within the report.
Find out more about the Ancient Tortoise gang here.
Protecting against VEC
Many vendors are now touting VEC as the biggest security challenge for 2020 and beyond. The key vulnerability these attacks exploit is your organisation's end-users, relying on the fact that your employees want to work effectively and efficiently.
Therefore, security awareness training should be a key component of every business's security strategy. Ensuring that new employees are trained to spot a potentially malicious email, and consistently updating your training resources to highlight newly emerging threats, is imperative.
Furthermore, it is key to make sure that stringent processes are in place for employees to follow when carrying out payments or handling requests for sensitive information, and that those processes are actually being followed.
Employing next-generation impersonation controls is also advised. Most Secure Email Gateways offer this functionality within their solutions, and these controls can go some way to mitigating the threat of fraudulent emails making their way into your employees' inboxes.
InfoTrust would also advise looking at specialised technologies created specifically to deal with these types of sophisticated attacks. Agari's Phishing Defense solution is built to help organisations trust their inbox by working to stop identity deception attacks. By utilising data science, trust analytics and machine learning, the Phishing Defense solution is able to model what is "trusted" behaviour within the business.
Watch out for the next post in the Third-Party Risk series coming next week!