Cybercriminals who use Business Email Compromise (BEC) attacks are switching up their tactics, with some groups now targeting actual merchandise instead of money in their phishing attacks.
Trustwave’s email security solution MailMarshal is aware of and investigating this new methodology. MailMarshal is capable of defending an organization against BEC attacks.
The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the U.S. Department of Agriculture (USDA) issued a special joint cybersecurity advisory on Dec. 16, 2022, detailing recent incidents where threat actors stole large shipments of food, produce, and ingredients.
BEC is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center, victims reported losses of almost $2.4 billion in 2021, based on 19,954 recorded complaints linked to BEC attacks targeting individuals and businesses. However, in the vast majority of these incidents the criminals simply tried to convince a target to send them money via a wire transfer using a fake contract or invoice.
The joint cybersecurity advisory included several examples of attempted and completed thefts, mostly involving dairy products and, in one case, a large amount of sugar. However, the agencies did not say why the attackers singled out this particular product or where the stolen goods were shipped.
The attacks took place from February to August 2022. In each case, the target company received a fraudulent email, or an order placed through an online purchasing portal. The BEC actors continue to use their standard tactics that have unfortunately worked so well with their prior fraudulent efforts. These include:
Two successful attacks discussed in the advisory resulted in the victims losing in excess of several hundred thousand dollars.
In April 2022, a U.S. food manufacturer and supplier received a request through its web portal inquiring about pricing for whole milk powder, purportedly from another food company. The attackers spoofed a legitimate food company using a version of its email configuration, the name of the company’s actual president, and the company’s real physical address. The ingredient supplier ran a credit check on the company, which came back acceptable because it is a real company, and extended a line of credit. The first of two shipments – valued at more than $100,000 – was then picked up from the “supplier.”
Luckily, the victim company refused to release the second load until payment was received, and only then realized the email address used by the criminals was a slight variation on the actual company’s domain name. As a result, the victim contacted the legitimate company, which confirmed that attackers had previously used its identity in similar scams.
In a separate incident in February 2022, four fraudulent companies placed large orders for whole milk powder and non-fat dry milk from a food manufacturer. The orders, valued at almost $600,000, were picked up, and the victim company was unaware something was wrong until it did not receive payment. In all four instances, the threat actors used real employee names and slight variations of legitimate domain names.
The advisory noted that one BEC attempt was foiled because the target company used proper email security procedures.
In August 2022, a U.S. sugar supplier received a request through its web portal for an entire truckload of sugar to be purchased on credit. The request contained grammatical errors, which the victim noted, and purportedly came from a senior officer of a U.S. non-food company. The sugar supplier identified that the email address had an extra letter in the domain name and independently contacted the company to verify there was no employee by that name working there.
Trustwave SpiderLabs recommends a combination of technology and employee training that all companies should implement to ensure emails are legitimate.
Deploy anti-spoofing technologies on your domains at the email gateway, and deploy techniques that detect domain misspellings in order to catch phishing and BEC attacks. Also, ensure there are robust processes in place for approving financial payments via email.
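As an added illustration of the domain-misspelling check recommended above (example code written for this article, not taken from the advisory or from MailMarshal), the sketch below flags sender domains that sit within a small edit distance of a known trading partner, which covers the "extra letter" and "slight variation" cases described in the incidents. The partner domains, the sample addresses and the distance threshold of 2 are constructed assumptions.

```python
# Constructed allow-list of domains the business actually trades with.
KNOWN_DOMAINS = {"examplefoods.com", "example-dairy.com"}


def edit_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "exampel" vs "example".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'user@domain' or 'Name <user@domain>'."""
    return address.rsplit("@", 1)[-1].strip().strip(">").lower().rstrip(".")


def classify_sender(address, known=KNOWN_DOMAINS, max_distance=2):
    """Return ("known", domain), ("lookalike", closest_known) or ("unknown", None)."""
    domain = sender_domain(address)
    if domain in known:
        return ("known", domain)
    closest = min(known, key=lambda k: edit_distance(domain, k))
    if edit_distance(domain, closest) <= max_distance:
        return ("lookalike", closest)  # near miss: hold the order and verify
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders: genuine, extra letter, swapped letters, unrelated.
    for sender in ("orders@examplefoods.com",
                   "Pat Buyer <pat@ExampleFooods.com>",
                   "cfo@exampel-dairy.com",
                   "sales@unrelated-corp.org"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" result is a trigger for the out-of-band verification the sugar supplier performed, not proof of fraud on its own.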