Worried man counting money

Business Email Compromise attack imitates vendors, targets supply chains

Today we have a fascinating tale of a business email compromise (BEC) group steering clear of targeting executives, in favour of fouling up supply chains instead. The attack, which may sound overly complicated, is a fairly streamlined attack with the intention of making a lot of money.

BEC: What is it?

BEC follows a few different patterns, but primarily revolves around an approach by a criminal who has compromised or spoofed an executive-level email account.

The criminal sends one or more “urgent” emails to a more junior employee about moving money from inside the business to somewhere else entirely. Some attackers perform reconnaissance in advance so they can target people in HR, finance, or accounts.

The criminal is likely to insist the money is moved quickly, and that nobody else is involved.

This technique has been around for a number of years, and some folks are getting wise to it. As a result, attackers are trying to broaden how these scams operate to give them the best chance of flying under the radar.

What we’re looking at below is Vendor Email Compromise (VEC). Instead of going after a company directly, attackers figure out a network of vendors, clients, customers, suppliers…you name it, they’ll try and map it all out. From there, it’s a case of figuring out the weak links in the chain and then pursuing them as best they can.

A splash of fraudulent domain management and social engineering may be all that it takes to get the job done.


The supply chain steps to success

The group at the heart of this particular campaign, the bizarrely monikered “Firebrick Ostrich”, has been flagged as having its hand in no fewer than 350 campaigns dating back several years. 151 organisations were spoofed across 200 or so different URLs. The attacks are said to have been US-centric, with a particular focus on US business.

According to Abnormal Intelligence, the group behind the research, Firebrick Ostrich was at its peak in August 2022, numbers wise, and the majority of URLs used in the various campaigns were less than a day old when they were used.

The steps to success for the VEC group are listed as follows:

  1. Pretend to be a vendor, complete with imitation domain and multiple bogus email addresses related to said bogus “company”.
  2. The bogus vendor initiates communication with the potential victim, going down one of several paths as the ball is set in motion. In the example given, the scammers ask to update a bank account on file, and then note that they’ve “lost track” of outstanding payments. This is how they gain insight into actual potential payments owed, or other relevant information which can be further used against the victim.
  3. Some or all of the additional email addresses created, mentioned above, may be tied into some of the various email chains to add a layer of “this all looks plausible and real” to the recipients. Would scammers go to all this length to steal money? You bet. Many employees looking at this kind of email chain wouldn’t give it a second thought.

Cashing out

If the email antics are successful, a follow-up mail from the fake vendor includes tweaked payment information for the victim to wire funds. Abnormal Security notes that in some cases, PDF documents are attached to the mails containing the payment details. It’s possible that this is done to try and bypass any email flags looking out for suspicious content (such as payment details in the body of the mails).

With all of the imitation details in place, from fake emails and imitation URLs to including real employee names in some of the communications in case someone perhaps jumps onto Google or LinkedIn, this attack could very well cause big problems for an organisation.

Vendor attacks: a slippy customer

Given that this particular group does not appear to target one industry sector specifically, running the range of manufacturing and retail to energy and education, it could affect any business, and if it’s successful, it will be imitated.

The best defence against these kind of attacks is to ensure that staff are aware that they exist and how they work. Many scams rely on isolating and hurrying employees, so they are less diligent, so it also helps to have processes that ensure more than one employee is involved in significant transactions.

Stay safe out there!

We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.


Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.