For understanding the concept of VEC attacks (Vendor Email Compromise), it is important to first understand Business Email Compromise (BEC) attacks. So let’s start off by getting a general idea about BEC attacks.
Business Email Compromise (BEC) Attacks
In a BEC attack, a cybercriminal impersonates an employee, colleague, or executive to send an email to another employee. This email usually contains a request for a fund transfer. The cybercriminal may also ask for personally identifiable information (PII) from employees. In this case, it can further lead to fraud or identity theft.
The emails used in BEC attacks typically carry instructions related to payment approvals or client data sharing. Employees can easily fall into this trap as the criminals usually impersonate a higher authority figure within an organization.
BEC attacks can lead to huge financial losses. A report by the FBI suggested that BEC attacks cost organizations $26 bn in total over 3 years from June 2016 to July 2019.
Join our weekly newsletter and get the latest cybersecurity updates delivered directly to your inbox
What Exactly is a Vendor Email Compromise (VEC) attack?
A Vendor Email Compromise (VEC) attack is slightly different from a BEC attack. In a VEC attack, a threat actor compromises and uses the email account of an organization’s legitimate vendor. Equipped with a legitimate email identity, the cybercriminal now becomes more powerful than ever.
Once the target is picked, the attacker designs an email template that suits the setting of the target organization. This makes the email more believable. They send these realistic-looking emails to the employees in charge of handling payments. They attach fake invoices and change the payment information from the vendor’s side to redirect the payment to an account controlled by the miscreant.
This example will give you a better understanding of the spread of a VEC attack-
“A” company has 20,000 suppliers. So practically, there are 20,000 vendor companies whose email domains can be compromised. VEC attacks on “A” company can be launched using these compromised email domains. Therefore, from the point of view of “A” company, a VEC attack can come from 20,000 different sources.
The damage potential of a VEC attack is huge. This is majorly due to the fact that the attacker gets hold of the legitimate vendor identity to launch it. A VEC attack leverages usual communication between vendors and organizations. This is one major difference between a BEC attack and a VEC attack.
Let’s Take a Look at Two Cases of VEC Attacks
In 2019, an article published by Security Intelligence revealed that the Silent Starling cybercriminal group was conducting VEC attacks. The group launched phishing emails to trick the employees of the vendor companies into giving up the credentials of their official email accounts.
They used these email accounts to watch the email flow pattern between the vendor companies and the client companies. The group waited and watched for a very long period before hitting the target client companies at an opportune time.
They used the compromised email accounts of the vendor companies to send a fake invoice to the client companies. The payment information included the banking details of a bank account controlled by the attacker.
In another event, SolarWinds, an American software company, suffered a huge VEC attack. Suspicious activity was observed in its Office365 environment, the company revealed.
Hackers used a compromised email account to gain access to the credentials of SolarWinds’ personnel in business and technical roles. This allowed the hackers to gain access to the SolarWinds Orion Development environment.
A Russian hacking group exploited the vulnerabilities in its software. Around 18,000 of its customers downloaded the compromised version of this software.
Wait, there’s more! As per an article by Business Wire, organizations face an 82% increase in the chances of being attacked through a SolarWinds-style VEC attack in a given week. This article also mentioned that the average potential loss from VEC attacks is 144% more than the loss caused by standard BEC attacks.
Protection Against VEC attacks
Protection against VEC attacks requires proactivity at every step i.e. before, during, and after an attack. Firstly, possession of knowledge about these attacks is a prerequisite for organizations to set up a strong defense against them.
Therefore, making sure that everyone on the staff knows what these attacks are and how they work is essential for organizations. Along with this, knowing the correct way of requesting and providing payment details, funds or sensitive information is also important for the employees.
Furthermore, the employees are less likely to fall for a VEC attack if they are aware of the regular flow of emails in the organization. Any irregularity in this email flow will be enough cause for creating suspicion.
Even if an email doesn’t raise any suspicion due to the pattern of its flow, there will always be something about the content that is odd. It might be the sender’s name, signature, or body of the email.
However, changes in payment information raise immediate red flags. Any email regarding a change in payment information must be immediately verified using methods like video calling the vendor or sending the vendor some codes to revert to.
In an event where the damage has already been done i.e. if the money has been transferred or the information has been stolen, mitigation measures should be put in place right away. In case of wrongful transfer of money, the insurer, the bank, and the authorities should be informed immediately.
If the sensitive information of the organization has been compromised, mitigation measures should be directed towards minimizing damage to the reputation of the company and preventing the misuse of that information.
Being Vigilant: Vendor’s Duty and Need
As mentioned above, attackers use phishing emails to trick employees of the vendor companies into giving up their email account credentials. Therefore, cyber security awareness using training using tools like TSAT. TSAT should be given to employees. It uses simulation through six different attack vectors to sensitize employees with respect to cyber attacks.
For vendor companies, the implementation of email domain security tools is very important. This minimizes the risk of misuse of their email domain to launch VEC attacks. An article by Threat Post reported that standard email authentication protection is nonexistent in 80% of company web domains! Isn’t that mind-boggling?
Email authentication tools are game-changers when it comes to preventing email domain misuse. TDMARC is counted among the best email authentication and anti-spoofing tools. It detects and defends email domain forgery.
This tool can identify all the sources that are abusing your email domain and prevent anyone from sending fraudulent emails on your behalf. Consequently, it also results in an increase in email deliverability rate and email engagement rate.
VEC attack is a threat on the rise and it is imperative for both the vendor companies and client companies to be on the lookout for them. Vigil and alertness can thwart VEC attacks right at their onset.
Learn more about email-based attacks and email domain security-