This attack on the supply chain represents a dangerous new phase in the evolution of business email compromise. Unlike traditional BEC attacks targeting a single company, VEC scammers use legitimate accounts to target a company’s supply chain ecosystem—often scamming dozens of customers at once.
According to the US Treasury Department, businesses lose as much as $300 million per month to BEC scams overall. Payment invoice scams accounted for nearly half of those fraudulent transactions in 2018, to the tune of more than $1.5 billion in business losses. That number is likely to be even higher when cybercriminals gain access to legitimate email accounts and use them to run their scams.
Silent Starling is the first case in which Agari has documented a cybergang using VEC as its primary method for scamming businesses. Unfortunately, we do not expect it to be the last, as vendor email compromise becomes the most dangerous cyberthreat faced by businesses and their supply chains in the next year.
In July 2019, one of these active defense engagements led us to a cybercriminal organization we’ve dubbed Silent Starling—named after an invasive species of bird native to West Africa. The messages below detail our initial interaction with the group.
Silent Starling attempted to attack an Agari customer by impersonating the CEO in an email directed toward the CFO with a basic subject line of “Request.” Like most BEC attacks, the initial email message was brief and was meant to elicit a response from the target. In this case, the attacker wanted to know if a wire transfer could be sent before the end of the day.
We took action and re-crafted a new email conversation with the scammer from a separate persona account, creating new identities for a fake CEO and CFO and simply recycling the original email subject and body. This switch was done to protect the identities of those in the target email.
Under this new persona, we responded to the scammer, generously offering to help him take care of the necessary transfer.
Fourteen minutes later, our fake CEO provided us with the first of many mule accounts where he wanted the $17,290 “transfer” to be sent.
When he never received confirmation that the funds had been transferred, the fake CEO contacted our persona CFO and inquired about the status of the payment. Unfortunately for the scammer, the bank found an “issue” with the account and the payment was rejected.
However, because our persona CFO is so helpful, they offer to reprocess the payment to another account if the “vendor” has one. Predictably, the scammer obliges and offers another mule account for us to try.
The scammer quickly replied with new banking details.
This cycle of the Silent Starling actor sending us mule accounts and our fake CFO running into “problems” continued for more than a month. By the time the engagement finally ended, we had collected 13 different mule accounts used by the group to launder money from BEC attacks, which we passed to financial partners and law enforcement.
In addition to actively engaging with the Silent Starling scammer, we used various tools and tactics that allowed us to gain significant insight into the group’s background, methods, and primary actors. What follows is an overview of what we discovered during our investigation into Silent Starling.