A newly-uncovered business email compromise (BEC) cybergang, dubbed Silent Starling, has found success using a tricky technique to swindle funds from more than 500 organizations worldwide.
The West African cybergang has been using a method that researchers with Agari – who discovered them in late 2018 – call vendor email compromise (VEC) to swindle funds from targets. The researchers told Threatpost they expect VEC to be the largest threat for organizations worldwide over the course of the next 12 to 18 months.
During an attack, Silent Starling will first compromise accounts belonging to employees of suppliers (typically using phishing attacks that purport to be Microsoft OneDrive sign in pages to steal victim’s email credentials). From there, they will spy on all the victims’ correspondences with customers, and get a sense of customers’ names, top executives, payment amounts and payment dates. Then they target the vendors’ customers using social engineering; They do so by purporting to be the owner of the compromised account and asking clients to transfer money to the “supplier” – which is actually a mule account.
“Unlike typical BEC scams designed to defraud a single organization, this type of attack
targets entire supply chains, using legitimate employee email accounts to swindle a business’s customers into paying fraudulent invoices,” researchers with Agari said on Wednesday. “Due to its covert nature, the chances companies can effectively protect themselves from [vendor email compromise] scams becomes much more difficult.”
It’s not the first time researchers have seen “vendor email compromise” being used in attacks – but Agari researchers fear that Silent Starling will popularize the tactic for the BEC landscape. Threatpost talked to Agari researchers Crane Hassold and Ronnie Tokazowski about why Silent Starling’s techniques can take the BEC crime market to the next level when it comes to the scope and scale of attacks.
For direct download of the podcast, click here.
Below find a lightly-edited transcript of the interview.
Lindsey O’Donnell: Hi, everyone, welcome back to the Threatpost podcast. You’ve got Lindsey O’Donnell here with Threatpost and I’m here today with Crane Hassold and Ronnie Tokazowski with Agari. Ronnie and Crane, thank you both for joining me today.
Crane Hassold: Thanks for having us on.
Ronnie Tokazowski: Yep. Thank you.
LO: Great. So today, we’re going to start by talking about a new West African cyber criminal gang, that you guys just actually wrote a deep-dive analysis about today. And that is called Silent Starling. So just to start, can you guys tell me, why the name Silent Starling? Does that reflect the cybergang’s characteristics or something?
CH: Actually, it does. So we came up with the name Silent Starling, primarily based on the types of attacks that we’ve sort of identified this group being associated with. So this “Starling” part comes from, it’s named after a bird that’s indigenous to West Africa, that is known for being a very invasive species. And as we talk about the types of attack that they’re involved with, you’ll sort of understand why we sort of chose that as part of the name. And the “silent” part of it also goes with part of the attack where, a lot of what they’re doing is very covert and silent and can be very hidden within a victim ecosystem.
LO: Right. Really interesting. So before we talk about kind of the specific attack technique and the attack vector, can you just shed some color onto the cyber organization itself? In terms of the timeline, how long has this organization been on the scene and when and how did Agari first come across it?
CH: Yeah, so Silent Starling, based on the information that we’ve discovered on the group, we can trace them back to about 2015. At that time, they were involved, like so many other Nigerian cybercrime organizations in things like romance scams and check fraud. And as time came on, they sort of evolved into this more elaborate business email compromise gang, around late 2018. We identified the group in in July of this past year, as we identified as a general generic BEC attack that had targeted one of our customers. And we sort of intercepted that attack and then started engaging with them to sort of collect information about the tactics they’re using and the mule accounts that they’re trying to send money to. And as we sort of went on with this engagement – that went on for about a month – we were able to get really good visibility into their operations and infrastructure to learn more about them.
LO: Yeah, I mean, in the analysis, you guys talked a little bit about that initial discovery of them and how you then engaged with them. I thought that was kind of interesting that you were essentially pretending to be the victim, right? And then would from there kind of collect that information about their different tactics, their techniques, who they’re looking to target there. Is that fairly common when you’re tracing certain BEC gangs?
CH: Absolutely. So we do a lot of active engagements with these groups as a way to collect intelligence about them. I can tell you, for the past four to five months, we’ve done about 3,000 to 3,500 different engagements with these types of groups at scale. And we’ve been able to collect a lot of good information, not only about the group themselves, but the overall trend in the BEC threat landscape.
LO: Well, so the most interesting thing to me about Silent Starling was just looking at the report that you guys wrote, it was using this rapidly emerging form of BEC, which you guys called VEC standing for “vendor email compromise.” So it sounds like they’re looking to attack the global supply chain. And then from there trick the suppliers’ customers, that’s really interesting, is this the first time you’ve seen this type of attack?
CH: It’s not the first time we’ve seen the attack. But it’s certainly the first time we’ve been able to get really into understanding how these groups operate. So vendor email compromise has been around for a while now. And it has been increasing in frequency frequency very, very rapidly, primarily because of the return that these groups can get on these types of attacks. So it’s certainly not a new attack type but it is one that we have gotten much more understanding about how they work based on our research into Silent Starling.
LO: Great. So talk a little bit about this attack. Can you walk us through how do they first attack the vendor from the get-go? Are there any targeted departments? What is the initial attack vector?
CH: So what’s interesting about vendor email compromise is it’s a hybrid of the two most common forms of social engineering email attacks that we see today: credential phishing, and basic BEC attacks. And what they’re doing is they are sending a credential phishing email, Silent Starling specifically prefers OneDrive and DocuSign credential phishing pages to use. So they will compromise employee email accounts, using these credential phishing sites. It looks like at this point in the scam of the attack chain, they’re really going a little bit more broadly and trying to just compromise as many employee accounts as possible. And then what happens is, once they’ve compromised these accounts, they go into the accounts and set up forwarding and redirect rules that pass copies of every incoming email into that employee’s inbox to another account that’s controlled by them. So they’re able to sit and watch everything that comes into those accounts, really without the compromised employee even knowing about it. And as they started watching these accounts, they collect intelligence to help them better understand who they’re looking at, what role they have in the company. And they start parsing out certain accounts looking for accounts receivable, employees, other employees on a financial team, office managers, even the heads of some companies. And they sort of try to identify those accounts to really start weeding through and collecting information about what day-to-day transactions look like at that company. So they’ll collect who customers are for that, for that company, what invoices look like, what regular communication patterns look like, when payments are coming up to be do. And then they use all that intelligence that they’ve collected on those transactions, to insert themselves into a legitimate transaction that’s coming up for a customer and target that customer with an extremely realistic-looking phishing email that then requests a payment that is an actual payment that is supposed to be paid, to another account that is controlled by the scammers.
So what’s really interesting about these attacks, and scary, quite frankly, is that those emails are contextually accurate. The timeline looks right, the invoice looks exactly the same. The only difference is that in the invoice, there is a different bank account, that redirects to a mule account controlled by the actors. And so when you look at everything that we tell people about how to look for a phishing email – look for poor grammar or spelling – none of that is present in these types of attacks.
LO: Right, that sounds really sophisticated and really hard to detect. Literally is the mule account, is that the only way to try to detect these if you are a supplier? I mean, what can suppliers do in this case?
CH: Yeah, so what’s really difficult here is, you know, the vendors and suppliers that are initially compromised and sort of their emails are being weaponized to their customers; the customers actually don’t have any control over the initial compromise. They’re just the ultimate victims. That’s the ironic part about these attacks, is the initial victims are not the victims who lose a lot of money. Those are the customers of the vendors and suppliers. So you’re right, you know, when you look at what can be done to prevent these types of attacks, because they are so realistic looking, one of the best ways to to prevent financial loss from these attacks is to out of band, make sure that you are confirming a transaction before it takes place with a call or email separately to a person who it’s supposed to be going to. What do you think Ronnie?
RT: I would say another thing that can be used in order to help detect that, is enabling two-factor authentication because a lot of what happens is you’ve got an instance where the password is leaked, or the user will enter their credentials into a phishing kit. If they can’t log into the account and need some extra authentication, then that’s a nice and simple way to kind of help get ahead of this. The other thing worth pointing out is that with a lot of the phishing emails that are coming in for the vendor email compromise side, there’s no malware related to it. So even your typical AV engines that are responsible for looking at different malware samples, there is no malware on this one. So even from that angle it becomes extremely difficult to detect and identify a lot of these attacks. And just going back to the basics on a lot of security postures of just enabling two-factor in such, enabling DMARC would help with this.
LO: Right. I’m curious to about the scale of this cyber group’s attacks. Do you have any numbers on how many have actually been targeted and do those account for both the suppliers and their customers? Are you able to track that even?
CH: So for Silent Starling, we’ve been able to identify 700 employees in companies that have been compromised via the credential phishing attacks, those come from 500 different companies in 14 countries. Most of them are from the U.S., Canada and the UK. Once we look at what happened after that, we’ve certainly observed some victims, some ultimate victims that are actually being mined for intelligence to be used in the next stage of those attacks. But certainly, I don’t think that we’re seeing the entire scope of what this group specifically has been involved in. We’ve certainly seen a number of different victims that, you know, in some cases, 39 different employees at at a U.S. based company, were all compromised by Silent Starling. And then about half of those were then sent and intelligence was collected from those accounts. So we’ve certainly seen some of the scope of the impact of their attacks. But I certainly don’t think that we have a full grasp on exactly how massive of damage this group specifically has done.
LO: BEC is always so interesting for me, because it’s less of a sexy topic, and it doesn’t get as much coverage from some of the other attacks that ironically, can be highly more complex to launch. Yet businesses overall are losing millions a month to BEC scams. So I feel like it’s it’s more of a larger and wide-scale threat to security. It’s really interesting.
CH: Absolutely. The amount of damage that’s been caused by BEC over the past few years has been just absolutely massive. And it absolutely dwarfs the amount of impact that is caused by more technical, more sexy types of attacks. And I know Ronnie specifically has lot of opinions about this.
RT: Oh, man, you’re going to get on my soapbox now, Crane. But yeah, that’s a lot of the problem that we have right now, is you nailed it Lindsey, BEC is something where it’s not sexy, it’s not an APT trying to hack into a government agency, it’s not North Korea trying to figure out how to send ransomware to people, it’s simply people being asked over email for money. And when you actually look at the numbers, statistically, $26 billion dollars is causing the most problems right now. I remember seeing a report that came out I think about two weeks ago that talked about cyber insurance. And it was saying that BEC officially bypassed ransomware for cyber insurance fraud. So even that alone that says, “hey, BEC is a big problem.” And to put that into perspective, and you look at the $26 billion in losses since July of 2013, that equates to $376 million lost per month, every month since 2013. It’s a problem. And a lot of people are ignoring it right now, because it’s not sexy. And it’s the big problem that we have to start addressing. Because if we don’t, it’s just going to sit here and keep getting worse.
LO: Well, what I’m curious about too, is because you know, you guys have also identified a bunch of other BEC cyber gangs, like I know, we talked a little bit about Scattered Canary a while ago and some some of the other ones. Are you seeing any new techniques or tactics that are being used for social engineering or for credential gathering or whatnot, when it comes to BEC? Is there anything new that’s really kind of hitting the market at this point? Or is our attackers still relying on kind of the same old tactics, but unfortunately, they’re just still working at this point.
CH:I think when you look at general BEC attacks, those traditional CEO imposter attacks, those have remained relatively steady over the past couple of years. The only difference is the evolution in the cash-out methods. Things like gift cards are becoming much more prevalent than the traditional wire transfer attacks. But really this vendor email compromise tactic is the emerging trend in the BEC threat landscape. And when we talk about $26 billion of damage that’s been caused by BEC, that is taking into account that VEC has not taken off into the problem that it will likely be over the next 12 to 18 months. When you look at vendor email compromise attacks, the amount of damage and the amount of loss associated with those is about three times more than a, you know, traditional CEO impersonation, wire transfer BEC attack. And so as these become more prevalent, because they are so successful, and because the return on investment is so much higher than other types of BEC attacks. This is this is the new next evolution in BEC.
LO: Well, yeah, I was going to ask because, when we look at some of the other BEC groups like London Blue, like Scarlet Widow, like Scattered Canary, a lot of them have gone through that evolution that you guys have highlighted in the past, where they start out as kind of the smaller organizations that are relying on romance scams and less sophisticated means, and now they’re going on to bigger operations like BEC, and now we’re seeing VEC. So I was going to ask if VEC is going to become the new BEC, if that makes sense.
CH: When you look at it, I think the only thing that’s constant in terms of the criminal threat landscape is change. These groups will always evolve over time, they’ll always move on to something else when the return on investment starts to dwindle. So at some point, the VEC attacks will come up with an impact that will sort of make them adapt and move on to something else. What that something else is I don’t think we know at this point, but there won’t be a point when they’re going to say, “Okay, you got me, we’re done.” Because all of this revolves around making money. And that financial motivation will continue to drive them to continue making money, because for a lot of these scammers, this is their career, this is what drives their lifestyle. And so they’re not just going to stop, they’re just going to try to find a new way to make things more efficient and effective for them. And it’s also the same reason even though this will evolve into something else, the sort of classic scams will still be there. It’s the same reason that the Nigerian prince scams from 25 years ago, you still see today. And we also know from the research we’ve done in other groups like Scattered Canary is that while we may see groups like Silent Starling does vendor email compromise attacks, they’re also doing traditional BEC attack at the exact same time. And at exactly the same time, we know that they’re also running sort of more complex romance scams. So this is all one big ecosystem that will continually change. But it’s not going to go away anytime soon. What do you think, Ronnie?
RT: Yeah, I completely agree. Another way to think about it. And this is kind of the analogy that I’ve been using to help kind of explain how this BEC works – because it’s completely different than most other threat actors – is let’s say, I need to go and do some plumbing work in my house. So I will need a plumber’s wrench, I may need some glue and I’ll need pipes. Likewise, if I need to go ahead and make something for my kids, if they won’t play with the pipes, I’ll go ahead and I’ll use the same thing, I may use a saw, I may use the pipes, a couple of things in order to have them use that stuff to play with, will allow that comes down to is in order for me to do that work. In order for me to do those things around the house, I need a certain set of tools. So I’m going to reach into my toolbox and grab that wrench, and grab that screwdriver, whatever it is that I need. A lot of the way BEC works and a lot of the way that the stuff has grown out of that 419 scams, is a lot of these people still retain that knowledge in order to do the romance scams or do the check fraud. And what they can do is as time goes on, and as time progresses, very much with what Craig was saying was if one of those “jobs” isn’t making them the most money, they can pull a different tool out in order to help facilitate that fraud. And that was where you saw the progression from engaging with just romance victims in to the progression of BEC where romance victims were now used as part of that scheme. So they’re able to use that “box of tools,” if you will, that they can grab and do other things. So now that we know that we can start figuring out where they may be going next and use that knowledge as well.
LO: Well, that’s a good point. I mean, and on that note, even just this past month, there was a huge crackdown against BEC, I think it was called Operation ReWired. And then last year, we had Operation WireWire, do you think that there’s going to be more crackdown on BEC? I mean, how hard is it for law enforcement to kind of pinpoint these groups and really crack down on them?
CH: You know, I think that one of the great things about the law enforcement angle with BEC attacks is that the law enforcement in Nigeria, has become much more aggressive in actioning these types of cases. So they’ve been much more cooperative in recent years, which is why you’ve seen a lot of the bigger arrests and indictments that you’ve seen. That being said, there are so many of these actors out there that are doing these types of attacks, that it’s going to be very difficult to put a massive dent in the ecosystem, because there’s just so many actors out there. One of the things that I really like about Operation ReWired is that law enforcement, at least here in the States, one of the big targets of those arrests, were the money mules that were located in the States. And what’s great about that is, you know, we may not be able to arrest all of the scammers in West Africa. But if we can choke off the money supply that sort of essentially makes this whole engine go, then that may be something that is more impactful than simply arresting everyone.
LO: Yeah, that’s a really good point. It should be interesting to see kind of how the crackdowns on BEC continue even as BEC groups themselves evolve and create new tactics and techniques. So Ronnie and Crane, thank you so much for joining me today to talk about Silent Starling as well as BEC trends that we’re seeing in the market right now.
CH: No problem. Thanks for having us on.
RT: Yep, thank you much.
LO: Great. And once again, this is Lindsey O’Donnell here with Crane Hassold and Ronnie Tokazowski with Agari. Thanks for joining us today and catch us next week on the Threatpost podcast.
