Silent Starling Group Targets Vendors’ Customers in New Vendor Email Compromise (VEC) Scam

• Silent Starling group has targeted over 700 employee email accounts from around 500 companies since 2018.
• Most of the victims were located in the United States, Canada, and the United Kingdom, followed by Central America, East Asia, and Europe.

Context

Researchers from Agari have spotted a new Vendor Email Compromise (VEC) scam carried out by a cybercriminal group dubbed ‘Silent Starling’. This scam campaign targets the customers of vendors and contractors.

About the group

Silent Starling group constitutes of three main threat actors. Silent Starling moved to the VEC scam as a major attack type in 2018. Since then, the group has targeted over 700 employee email accounts from around 500 companies. These compromised email accounts have provided over 20,000 sensitive emails.

Most of the victims were located in the United States, Canada, and the United Kingdom, followed by Central America, East Asia, and Europe.

How does VEC scam work?

• Silent Starling group sends phishing emails to vendors that include a malicious link.
• Once the vendors click on the link, they’re redirected to a phishing login page where vendors are asked to log in using their credentials.
• Once the vendors enter their credentials, the attacker uses those credentials to set a forwarding rule to forward all emails received by the vendors to the attacker’s email.
• The attacker then monitors his inbox for any emails regarding invoices or payments.
• If he receives any such invoice email, the attacker immediately sends the invoice to the vendor’s customer along with new banking details.
• The vendor’s customer makes payment to the attacker’s bank account thinking that the email is from the vendor.

“The entity that is most impacted by a VEC attack is not the original victim of the initial attack where the account was compromised. Rather, is a completely separate organization—the compromised vendor’s customer. In a rather cruel twist, these customers have no control over the security of the system where the attack began and thus have no real way to defend against it,” researchers explained.