Threat actor compromised five different vendor email accounts and delivered email attacks to 15 individuals across five customer organizations.

New research from email security vendor Abnormal Security has revealed how a single threat actor was able to compromise five different vendor email accounts. Through those accounts, they delivered invoice fraud email attacks to 15 individuals across five customer organizations, all in the critical infrastructure space: two healthcare companies, two logistics companies, and one manufacturing company.

Nearly all the email messages sent from the compromised accounts used the same language and formatting. Although they contained grammatical errors, they also had several characteristics that made them appear legitimate, enabling the emails to bypass traditional security defenses, according to Abnormal.

The campaign is an example of vendor email compromise (VEC). Much like business email compromise (BEC), VEC is a sophisticated and dangerous email threat that continues to grow. Whereas BEC attacks typically impersonate trusted individuals within a victim's own organization (such as the CEO), VEC attacks impersonate an individual at a trusted vendor organization. Whether through a spoofed or a compromised account, they use social engineering tactics to convince the victim to take an action, usually finance related.

In this case, Abnormal blocked the fraud emails for its customers, but it's possible the compromised accounts could have been used successfully against other organizations. VEC attacks are often highly targeted, spoofing and hijacking a specific vendor in pursuit of a massive payday. However, some attacks repeat a certain scheme across multiple vendors, creating a snowball effect across a broad web of victims, which was the case in this campaign, Abnormal wrote.
VEC attacks used known domain, believable content and language

The attacker compromised vendor email accounts belonging to individuals in accounting and operations roles at the firms, sending emails that attempted to redirect outstanding and future invoices to a new bank account, the firm said. "Each email included a PDF attachment that outlined the (fake) new payment policy and provided the updated bank account details."

The most effective disguise tactic was the attacker's use of a known domain, a key characteristic of VEC attacks, Abnormal wrote. Because the emails were sent from compromised vendor accounts, the sender's email address and domain appeared normal to the recipients. The attacker also used content and language that the victims might expect from conversations with their vendors. "These two factors together would make it seem like nothing was out of the ordinary, increasing the likelihood that the targets could unknowingly engage with the threat actor."

Despite these legitimate-looking characteristics, some anomalies might have signaled a potential attack, Abnormal noted. For example, a natural language processing (NLP) analysis highlighted multiple instances of language related to financial requests and billing account updates, and especially to diverting payments, which is commonly associated with invoice fraud, the firm said. "Another indicator of anomalous user behavior was the absence of any previous correspondence between the senders and the recipients." However, these signals of attack would likely slip past a distracted human eye, and even traditional email security solutions.

VEC attacks are trickier to carry out, harder to spot

VEC attacks are trickier for threat actors to carry out, typically involving a deeper attack process and requiring a threat actor with more resources (and patience), Rik Turner, senior principal analyst at Omdia, tells CSO. "It also involves research into the supplier's customer base using sources of open-source intelligence (OSINT) such as social media. That said, it clearly has considerable potential for the right attacker, with the resources to carry such an exploit out," he says.

VEC is harder to spot (or at least harder to foil) than a regular BEC attack involving a spoofed identity within the same organization, Turner adds. This is for two reasons. First, an employee who receives the email in a BEC attack might potentially check with someone else in the company whether the CFO is indeed on holiday, and whether it seems likely that they might ask for an urgent transfer of funds because a deal has closed suddenly [for example], Turner says. Second, there is less likelihood that the recipient will notice something untoward, such as "the boss never uses that word," if the email is ostensibly from someone in the accounts department at the supplier, particularly if they haven't dealt with that person before.

Addressing VEC attack threats is a two-fold process, says Fernando Montenegro, senior principal analyst at Omdia. "At the technology level, your email security controls should be aware of this threat variation and keep tabs on tell-tale signs - just as email security uses ML/AI to discern executive communications, it must also do this for vendor communications." Broadly, the organization also needs strong business processes for changing payment information on suppliers, he adds. "This is beyond the scope of traditional cybersecurity but to me is the most critical aspect of this."
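The two anomaly signals Abnormal describes (payment-diversion language in the message, and no previous correspondence between the vendor sender and the recipient) and Montenegro's point that a flagged message should go through a payment-change process rather than straight to finance can be combined into a simple triage rule. The following Python is an added example written for this article; it is not Abnormal Security's detection logic, and the vendor domain, correspondence history, regex patterns, scoring weights and the three sample messages are all constructed here for illustration.

```python
"""Heuristic vendor email compromise (VEC) triage.

Added example, not Abnormal Security's detection logic. It scores an inbound
message on two signals the article names: payment-diversion language and the
absence of prior correspondence between sender and recipient. All messages,
domains, patterns, weights and history below are constructed sample data.
"""
import re
from dataclasses import dataclass, field

# Phrases associated with invoice fraud: financial requests, billing-account
# updates and, above all, diverting payments to a new account (assumed list).
PAYMENT_DIVERSION_PATTERNS = (
    r"\bnew (bank|payment) (account|details|policy)\b",
    r"\b(update|change|redirect)\w*\b.{0,40}\b(bank|account|payment|remittance)\b",
    r"\boutstanding (and future )?invoices?\b",
    r"\bwire (transfer|instructions)\b",
)
FLAG_THRESHOLD = 4  # assumed threshold; tune against your own mail history


@dataclass(frozen=True)
class Email:
    sender: str
    recipient: str
    subject: str
    body: str
    attachments: tuple = ()


@dataclass
class Assessment:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return self.score >= FLAG_THRESHOLD


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def assess(email: Email, known_vendor_domains: set, history: set) -> Assessment:
    """history holds (sender, recipient) pairs that have exchanged mail before."""
    result = Assessment()
    text = f"{email.subject}\n{email.body}".lower()

    # Signal 1: language about changing where money goes.
    hits = [p for p in PAYMENT_DIVERSION_PATTERNS if re.search(p, text)]
    if hits:
        result.score += 2 * len(hits)
        result.reasons.append(f"{len(hits)} payment-diversion phrase pattern(s) matched")

    # Signal 2: a known vendor domain, but this sender has never written to
    # this recipient before (the compromised account is being aimed at new targets).
    pair = (email.sender.lower(), email.recipient.lower())
    if domain_of(email.sender) in known_vendor_domains and pair not in history:
        result.score += 3
        result.reasons.append("vendor sender has no previous correspondence with recipient")

    # Minor corroboration: a PDF "policy" attachment riding along with the request.
    if hits and any(a.lower().endswith(".pdf") for a in email.attachments):
        result.score += 1
        result.reasons.append("PDF attachment accompanies payment-change language")
    return result


def triage(emails, known_vendor_domains, history):
    """Return the subset of emails that should be held for out-of-band verification."""
    return [e for e in emails if assess(e, known_vendor_domains, history).flagged]


# Constructed sample data: one vendor domain, one prior sender/recipient pair.
VENDOR_DOMAINS = {"acme-supplies.example"}
HISTORY = {("ap@acme-supplies.example", "buyer@hospital.example")}

FRAUD = Email(  # constructed: new recipient, new bank details, PDF "policy"
    sender="ap@acme-supplies.example", recipient="payables@hospital.example",
    subject="Updated payment policy",
    body="Please note we have a new payment policy. All outstanding and future "
         "invoices should be paid to our new bank account. See the attached PDF "
         "for updated bank account details.",
    attachments=("New_Payment_Policy.pdf",),
)
ROUTINE = Email(  # constructed: ordinary invoice to a known contact
    sender="ap@acme-supplies.example", recipient="buyer@hospital.example",
    subject="Invoice 4471",
    body="Attached is invoice 4471 for last month's deliveries. Thanks!",
    attachments=("invoice_4471.pdf",),
)
LEGIT_CHANGE = Email(  # constructed: genuine bank change from a known contact
    sender="ap@acme-supplies.example", recipient="buyer@hospital.example",
    subject="Remittance address change",
    body="Following our merger, please change the remittance bank account on "
         "file; the new bank account details are in the attached form.",
    attachments=("remittance_form.pdf",),
)

if __name__ == "__main__":
    for e in (FRAUD, ROUTINE, LEGIT_CHANGE):
        a = assess(e, VENDOR_DOMAINS, HISTORY)
        print(f"{e.subject!r}: score={a.score} flagged={a.flagged} {a.reasons}")
```

The third sample shows why the business-process half matters: a genuine bank-detail change from a long-standing contact still trips the language signal and is held, and the right response is the organization's payment-change verification procedure, not a judgement call by whoever opened the mail. The correspondence-history signal is what separates the first message (new recipient) from the third (known recipient), so the history set should be built from the organization's actual mail flow rather than a static vendor list.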