Silent Starling: Pioneering Vendor Email Compromise, 2020’s “Biggest Financial Threat”
Enterprises have lost $26bn to business email compromise scams in the past three years. Silent Starling, a Nigerian cybercriminal group, has found a way to make the scam even more lucrative. Luke Christou finds out more from Agari about vendor email compromise and what businesses can do to protect themselves
While the typical scam email may be littered with tell-tale signs of illegitimacy such as unusual language, inaccurate branding and incorrect domains, Silent Starling isn’t your typical cybercriminal group.
Named after the Starling bird, an invasive species which has infiltrated habitats across the globe, Silent Starling has already found its way, uninvited, into hundreds of businesses.
Once in, the group lies in wait for months, waiting for the perfect opportunity to strike.
With Silent Starling’s discreet method of attack proving lucrative, cybercriminals are likely to spread their wings in the coming years in search of similar rewards.
VEC attacks: The biggest financial threat to businesses in 2020?
Business email compromise (BEC) attacks are plaguing the enterprise. These attacks see a fake email sent to employees in financial roles claiming to be from somebody higher up in the organisation, such as the CEO.
These emails typically request that a payment is sent urgently to a specific bank account. Eager to comply with the orders of their superior, the employee transfers the money into what is a mule account under the control of a cybercriminal.
According to the FBI, businesses have lost $26bn to BEC in the past three years alone.
Silent Starling has found a way to make such attacks even more profitable through an attack method that Agari has dubbed vendor email compromise (VEC).
Rather than targeting the business that is first compromised, VEC scams attempt to steal money from the organisation’s clients and customers by sending mock invoices encouraging them to pay money owed into an account controlled by the cybercriminal group.
VEC attacks begin as most attacks do, with phishing emails blasted out to thousands of professionals that have wound up on the various contact lists floating around the internet.
Somebody clicks a link or downloads a file, and their email account is hijacked.
However, once they compromise their target, the group doesn’t attempt to steal funds immediately. Instead, the group sets up forwarding rules that see every email received forwarded on to the cybercriminals’ inbox.
This allows the group to gather information such as what the vendor’s invoices look like, who their customers are, and how much certain customers owe, while they wait for the perfect moment to strike.
In many cases, the cybercriminals can lie in wait for months in order to avoid raising suspicions. When the client is expecting an invoice, Silent Starling will jump into action, sending one over and informing the customer that the vendor’s banking details have changed.
Currently businesses are twice as likely to suffer a BEC attack as they are a VEC attack. However, Agari predicts that by the end of 2020, both threats will be on par. While growth in the number of BEC attacks launched has stalled, the company has seen “dramatic” growth in VEC attacks in each quarter of 2019.
“It’s driven by the economics. The fraudsters are going to follow the money,” Armen Najarian, Agari’s chief identity officer, says. “As a fraudster, with traditional BEC you’re able to score a $52,000 win on average. With VEC, it’s about $125,000.
“We believe vendor email compromise is going to be the single biggest financial threat to the enterprise in 2020.”
Tracking down Silent Starling
Agari’s ACID team, led by former FBI veteran Crane Hassold, is tasked with playing cybercriminals at their own game.
First alerted to Silent Starling in July 2019 by a failed attempt to target an Agari customer, the team created a persona email of their own and requested an alternative bank account from the group, claiming the initial payment had bounced. The cybercriminals obliged, handing over details of 13 different mule accounts.
From there, the ACID team uses various tools and techniques to gather insight into the threat, with the end goal being to gain access to the group’s communications.
“We have techniques that we’ve vetted with law enforcement that effectively give us visibility into the actual email communications, the master series of communications, for an entire threat group,” Najarian, who the ACID team reports to, explains. “That’s the ultimate goal.”
Using these methods, ACID can begin to piece together information on the group’s motives, who they are targeting, the magnitude of the threat, and how successful it is proving to be. Agari can also gain insight into who is behind the threat, where they are based, and even personal details on fraudsters, such as where they have travelled to.
The ACID team was able to trace Silent Starling back to three main culprits, all based in Nigeria. One had previously travelled to Kenya, South Africa and the United Arab Emirates, while another was considering applying for universities in Europe, North America and Russia.
Through its investigation, Agari was able to determine that the group had previously been focused on launching romance scams, before turning their attention to BEC in 2016. In late 2018, the group began to experiment with VEC, primarily targeting those in the United States, Canada and the United Kingdom, where 97% of their victims are located.
How to avoid falling victim to VEC scams
Despite the best efforts of law enforcement and cybersecurity firms like Agari to curb these threats, businesses that fail to act run the risk of falling victim to groups like Silent Starling.
VEC raises plenty of difficult questions that similar scams do not. Who exactly is the victim, for example? The compromised vendor, or the deceived customer? Who will be liable for the losses incurred? The vendor that doesn’t receive their money, or the customer that sends it to the wrong bank account?
Those arguments are likely to play out in the coming years as VEC attacks become more common. Acting now will help businesses to ensure they aren’t the ones having to fight costly legal battles, regardless of which side they are on.
What can vendors do?
While Silent Starling has pioneered a new way to scam businesses out of money, the method it uses to compromise businesses is nothing out of the ordinary. The group primarily uses malicious links disguised as Microsoft OneDrive and DocuSign login pages to steal credentials from their victims.
Such phishing campaigns are common. You would think that everybody in the business world has been targeted enough to spot them by now. However, according to Proofpoint’s State of the Phish 2019 report, 83% of organisations said they had experienced a phishing attack in 2018, up from 76% in 2017.
“People’s jobs are very sophisticated and busy, they’ve got to get stuff done,” Najarian explains. “It’s inefficient to have to slow down and question ‘Is this message I’ve received authentic or not?’ Who wants to think about that… you just want to do your job.”
Rather than relying on employees not to click on a suspicious link or download a malicious file, businesses need to ensure they have the right protections in place to stop these messages from getting to employees in the first place. Email security solutions, such as those offered by Agari, can stop these phishing emails from landing in employees’ inboxes. Multi-factor authentication, such as push notifications sent to a secondary device, can also help to keep bad actors out.
However, if a breach does occur, Najarian suggests a simple fix that vendors can implement to stop groups like Silent Starling from carrying out a VEC scam.
“Don’t allow employees to go in and auto-forward every message,” Najarian suggests. “It sounds very basic, but not many companies, especially smaller vendors, think about this.”
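The forwarding rules described earlier are exactly what a vendor should be looking for after a credential phish. The script below is an added example, not code from the article or from Agari: it audits a constructed export of mailbox inbox rules and flags any rule that forwards or redirects mail outside the organisation, giving extra weight to rules that also delete the forwarded message or carry a blank name. The field names are assumed to follow the shape of Microsoft Graph’s messageRule resource (displayName, isEnabled, actions.forwardTo, actions.forwardAsAttachmentTo, actions.redirectTo, actions.delete); the mailboxes, domains and rules are all made up.

```python
"""Audit mailbox inbox rules for external auto-forwarding.

Constructed example for illustration. The rule records below are made up; their
field names are assumed to match Microsoft Graph's messageRule resource.
"""
from dataclasses import dataclass, field

# Assumed: the domains the organisation itself owns. Anything else is external.
ORG_DOMAINS = {"example-vendor.test"}

# Constructed sample export: one benign rule, one enabled forward-and-delete rule
# with a one-character name, one internal redirect, one disabled external forward.
SAMPLE_RULES = [
    {"mailbox": "ap@example-vendor.test", "displayName": "Archive newsletters",
     "isEnabled": True, "actions": {"moveToFolder": "Newsletters"}},
    {"mailbox": "ap@example-vendor.test", "displayName": ".",
     "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"address": "invoices.backup@mail-drop.test"}}],
                 "delete": True}},
    {"mailbox": "sales@example-vendor.test", "displayName": "Copy to manager",
     "isEnabled": True,
     "actions": {"redirectTo": [{"emailAddress": {"address": "manager@example-vendor.test"}}]}},
    {"mailbox": "ceo@example-vendor.test", "displayName": "old rule",
     "isEnabled": False,
     "actions": {"forwardAsAttachmentTo": [{"emailAddress": {"address": "x@unknown-host.test"}}]}},
]

# Every action that causes a copy of the message to leave the mailbox.
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


@dataclass
class Finding:
    mailbox: str
    rule: str
    severity: str
    reasons: list = field(default_factory=list)


def _recipients(actions: dict) -> list:
    """Collect every forward/redirect target address, lower-cased."""
    out = []
    for key in FORWARD_ACTIONS:
        for recipient in actions.get(key, []):
            out.append(recipient["emailAddress"]["address"].lower())
    return out


def is_external(address: str, org_domains=ORG_DOMAINS) -> bool:
    """True when the address's domain is not one the organisation owns."""
    return address.rsplit("@", 1)[-1] not in org_domains


def audit_rules(rules, org_domains=ORG_DOMAINS) -> list:
    """Return one Finding per rule that sends mail to an external address."""
    findings = []
    for rule in rules:
        actions = rule.get("actions", {})
        external = [t for t in _recipients(actions) if is_external(t, org_domains)]
        if not external:
            continue  # no external target: not a VEC-style forwarding rule
        reasons = [f"forwards to external address {t}" for t in external]
        if actions.get("delete"):
            reasons.append("deletes the message after forwarding, hiding it from the owner")
        if len(rule.get("displayName", "").strip()) <= 1:
            reasons.append("rule name is blank or a single character")
        # A disabled rule is still worth a look, but an enabled one is live exfiltration.
        severity = "high" if rule.get("isEnabled", True) else "medium"
        findings.append(Finding(rule["mailbox"], rule.get("displayName", ""), severity, reasons))
    return findings


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"[{f.severity}] {f.mailbox} rule {f.rule!r}: " + "; ".join(f.reasons))
```

Run against a real export, the same logic turns Najarian’s advice into a recurring check: any rule that moves mail to a domain the organisation does not own is reviewed, and tenant-level blocking of external auto-forwarding stops the rule from working even if it is created.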
What can businesses do?
Vendors must first fall victim to a phishing campaign for a VEC attack to be launched, but customers can also do their part to ensure such attacks aren’t successful even in the case of a breach.
After Silent Starling has gathered enough data to launch its attack, the threat actor commonly sends its doctored invoice from a fake account, either by spoofing an email address or registering a domain that looks similar to the vendor’s. This is to avoid logging back in to the compromised account and leaving traces that could alert the vendor to the breach.
Najarian suggests placing tighter controls on out-of-band requests to reroute payments as a possible solution. With the right protections in place, emails coming from spoofed or impersonating accounts could be blocked from ever reaching their target.
“Have some good checks and balances, so a single person can’t just say ‘Okay, I’m going to change the accounts payable account number to X’ and move on.”
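The “checks and balances” Najarian describes can be written down as a gate that an accounts-payable system enforces rather than a policy people are expected to remember. The code below is an added example, not from the article or Agari: a vendor’s bank account is only changed when the vendor confirmed the request on a phone number already held in the vendor master record (never the number offered in the email), and when someone other than the requester and the caller has approved it. The vendor, the clerk, the phone numbers and the account strings are all constructed.

```python
"""Dual control for vendor bank-detail changes.

Constructed example. Models two controls against a VEC-style "our bank details
have changed" email: out-of-band callback to a number on file, and an approver
independent of both the requester and the person who made the call.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class VendorRecord:
    name: str
    account: str
    verified_phone: str  # captured at onboarding; the only number a callback may use


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    requested_by: str                        # AP clerk who received the email
    phone_in_request: Optional[str] = None   # number the email offers; never trusted
    callback_by: Optional[str] = None
    callback_number: Optional[str] = None
    callback_confirmed: bool = False
    approvers: set = field(default_factory=set)


class ControlViolation(Exception):
    """Raised when a change would bypass a required control."""


def record_callback(req: ChangeRequest, by: str, number: str, confirmed: bool) -> None:
    req.callback_by = by
    req.callback_number = number
    req.callback_confirmed = confirmed


def approve(req: ChangeRequest, by: str) -> None:
    req.approvers.add(by)


def check_controls(req: ChangeRequest, master: dict) -> list:
    """Return the unmet controls; an empty list means the change may proceed."""
    vendor = master[req.vendor]
    problems = []
    if not req.callback_confirmed:
        problems.append("vendor has not confirmed the change by phone")
    if req.callback_number != vendor.verified_phone:
        problems.append("callback did not use the number on file in the vendor master record")
    if not (req.approvers - {req.requested_by, req.callback_by}):
        problems.append("no approver independent of the requester and the caller")
    return problems


def apply_change(req: ChangeRequest, master: dict) -> VendorRecord:
    """Update the vendor record only when every control is satisfied."""
    problems = check_controls(req, master)
    if problems:
        raise ControlViolation("; ".join(problems))
    vendor = master[req.vendor]
    vendor.account = req.new_account
    return vendor


# Constructed vendor master: one vendor with a phone number taken at onboarding.
def make_master() -> dict:
    return {"Acme Supplies": VendorRecord("Acme Supplies", "OLD-ACCOUNT-0001", "+44 20 0000 0000")}


def scenario_bypassed() -> list:
    """Clerk dials the number in the email and approves their own request."""
    req = ChangeRequest("Acme Supplies", "NEW-ACCOUNT-0002", "clerk",
                        phone_in_request="+44 20 9999 9999")
    record_callback(req, by="clerk", number=req.phone_in_request, confirmed=True)
    approve(req, "clerk")
    return check_controls(req, make_master())


def scenario_controlled() -> list:
    """Callback goes to the number on file and a second person approves."""
    master = make_master()
    req = ChangeRequest("Acme Supplies", "NEW-ACCOUNT-0002", "clerk",
                        phone_in_request="+44 20 9999 9999")
    record_callback(req, by="clerk", number=master["Acme Supplies"].verified_phone, confirmed=True)
    approve(req, "ap_manager")
    return check_controls(req, master)


if __name__ == "__main__":
    print("bypassed:", scenario_bypassed())
    print("controlled:", scenario_controlled())
```

The first scenario fails on two controls at once: the callback went to the attacker’s number, and the only approver is the requester. The second passes because both the number and the approver came from outside the email exchange, which is the property that a spoofed or look-alike sender cannot influence.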
Silent Starling has been unmasked, but VEC isn’t going anywhere
After completing its research into groups like Silent Starling, Agari works with law enforcement to take them down. However, it will likely be some time before Silent Starling is eradicated.
“There’s a lag effect between when Agari goes to the press with an unmasking to when the first arrest is made,” Najarian explains. “At least six months, if not longer, and if ever. Sometimes there might not be any arrests.”
Even then, the threat won’t go away. Other groups will have noticed the lucrative amounts being stolen by VEC’s pioneering group, and, according to Agari, some have already started to experiment with how they can launch similar campaigns.
“This is the next great way to make money, frankly,” Najarian says. “It’s gonna be monkey see, monkey do, right?”
Not only will VEC attacks become more frequent, but they are also likely to grow in sophistication as cybercriminals compete to snare bigger, more lucrative targets.
“The Russians are going to take notice of this, the Eastern Europeans, and other regions where there are concentrations of cybercriminals,” Najarian says. “BEC has largely been a West African-based invention. They’ve commercialised it, and maybe that will flow to some more computer science-savvy parts of the world where they can scale it.
“This will make our jobs harder, which will force us to innovate faster as well. It’s a bit of an arms race.”