The Silent Starling cybercriminal group is conducting vendor email compromise attacks to target unsuspecting customers.

In its analysis of the group and its three main threat actors, Agari observed Silent Starling conducting vendor email compromise attacks by sending phishing messages to vendors and suppliers. The group used those emails to trick recipients into divulging passwords that would enable the attackers to access the targeted email account. Once in control, Silent Starling set up a forwarding rule so that it would receive copies of all emails sent to that account.

Agari noted that Silent Starling set itself apart from other business email compromise (BEC) groups by waiting, sometimes as long as months, to observe emails exchanged on the compromised account, gather information and formulate a strategy. When they were ready, the criminals used the compromised account to send an invoice to one of the victim vendor’s customers. That message used modified banking details to trick the customer into sending payment to an attacker-controlled bank account.

The Rise (and Fall) of BEC Scammers

The costs associated with BEC scams are at an all-time high. In September 2019, the FBI’s Internet Crime Complaint Center (IC3) revealed that global losses stemming from BEC scams cost approximately 160,000 victims more than $26 billion in damages between June 2016 and July 2019.

It’s no wonder the FBI has stepped up its efforts to bring BEC scammers to justice. One big crackdown came in June 2018 when the Department of Justice arrested 74 alleged fraudsters, including 42 U.S. residents, for targeting hundreds of individuals with BEC scams. Even so, that takedown paled in comparison to Operation reWired, during which the FBI arrested 281 individuals involved with an international BEC scheme.

Help Defend Against Vendor Email Compromise

Security professionals can help defend against vendor email compromise attacks by creating a security awareness program and developing a security culture that’s unique to the organization. Companies should also seek to leverage partnerships and third-party services, including phishing intelligence feeds that integrate with security information and event management (SIEM), to stay on top of the latest email threat campaigns.