A vendor email compromise (VEC) attack that sought to change bank account information on a third-party insurance company’s escrow account and pay a dummy title insurance company a $36 million invoice was recently discovered, pointing out the need for constant vigilance and increased training.
In a blog post on Wednesday, Abnormal Security said while they are still unsure if the third-party insurance company paid the $36 million invoice, they did succeed in thwarting future attacks on its customer, a well-known real estate company that was cc’d on an email string compromised by the attacker.
“If this attack was successful, the threat actor could have continued on with attacks on our client and many other companies,” said Mike Britton, Abnormal Security’s CISO.
Britton explained that the attacker started by executing a credential phish, gaining access to the “sent” email box of a trusted real estate company the third-party insurance company often does business with. Once they had access, the attacker set up a lookalike site and cut-and-pasted the conversation about the $36 million invoice with just one slight change: they sent an updated quote via a “.cam” domain with instructions for how to change the bank account information.
Britton said Abnormal’s client was CC’d on the email to lend credibility to the communication. He also pointed out that it’s not unusual to have a $36 million transaction in the commercial real estate business, adding that the domain and bank account change should have set off alarm bells.
"People get caught by the social engineering and throw all processes and procedures out the window," said Britton. "In this case, everything was similar to the legitimate invoice with the exception of the bank account information. ”
According to the Abnormal Security blog, unlike traditional business email compromise (BEC) that impersonates an executive, a VEC attack occurs when a threat actor either gains control of a vendor email account or impersonates a trusted vendor in an attempt to execute an invoice scam or other financial fraud. These attacks are highly successful because they exploit the trust and existing relationships (like the one described in this story) between vendors and customers through personalization and social engineering.
Mika Aalto, co-founder and CEO at Hoxhunt, said the wire fraud attack is particularly sneaky and sophisticated, but it’s still basically just a page from the business email compromise playbook.
“From the public information available, there’s nothing new here, just a more effective variation of the type of highly targeted spearphish that robs more businesses of more money each year than any other," said Aalto. “I call it ‘textbook preventable’ because any person who, if compromised, can cause outsized damage should also receive outsized training to defend against such attacks.”
Aalto said companies should always scrutinize the sender’s domain from an out-of-the ordinary request to take an action, and always feel supported to call the executive supposedly making the request. Aalto said there’s a culture element involved, as there are certain global offices of a company that can be more vulnerable to BEC attack than others because of the reluctance to question high authority.
“Installing simple best practices and processes such as verifying financial and data requests via secure second channel can save companies a tremendous amount,” said Aalto. “These attacks are likely to become more sophisticated as attackers adopt AI technology, like ChatGPT. We conducted an experiment that showed human social engineers are still better at crafting phishing emails, but that gap is closing as hackers improve at prompt engineering to more effectively use ChatGPT to create convincing phishing emails.”
Chris Clymer, CISO at Inversion6, added that training employees and especially finance teams on proper controls and rigid process has become a huge part of defending against these attacks, but we can’t rely 100% on employees.
“AI-based tools like Abnormal have been proving much better at identifying and stopping these attacks than our current slate of last-gen email tools,” said Clymer. “We are likely to keep seeing these attacks increase until adoption of these tools becomes more commonplace.”