Abnormal Security finds financial supply chain under threat
New research by Abnormal Security has found a rising trend in financial supply chain compromise as threat actors increasingly impersonate vendors.
The AI-based cloud-native email security platform's research notes that in January, the number of business email compromise (BEC) attacks impersonating external third parties surpassed those impersonating internal employees for the first time and has continued to exceed traditional internal impersonations throughout the year.
Further, in May, external, third-party impersonation accounted for 52% of all BEC attacks seen by Abnormal Security, while internal impersonation fell to 48% of all attacks.
In contrast, internal impersonation made up 60% of all attacks this time last year, signalling a 30% year-over-year increase in third-party impersonation.
Abnormal Security says financial supply chain compromise is a subset of business email compromise, where cybercriminals exploit known or unknown third-party relationships to carry out sophisticated attacks.
It adds that the attackers intend to use the legitimacy of the vendor name to fool an unsuspecting employee into paying a fraudulent invoice, changing billing account details or sharing insight into other customers to target.
Abnormal Security says these tactics are only becoming more of a threat; one attack the company stopped requested $2.1 million for a fake invoice.
The report examines four known types of financial supply chain compromise: vendor email compromise, aging report theft, third-party reconnaissance and blind third-party impersonation, each with varying levels of sophistication.
While a vendor email compromise attack depends on the threat actor understanding business relationships and financial transaction schedules, a blind third-party attack only uses traditional social engineering tactics to request payments using pretexts such as impending legal actions.
Abnormal Security's research acknowledges that all four types of attacks have been successful but says that the ones using legitimate compromised accounts are challenging to detect and can have disastrous consequences for the organisations they target.
"While financial supply chain compromise is not new, the increase in using third-party impersonation tactics is worrisome," Abnormal Security threat intelligence director Crane Hassold says.
"Our threat intelligence team has discovered increasingly sophisticated attacks that are nearly impossible for legacy systems or end users to detect, particularly because they come from real vendor accounts, hijack ongoing conversations, and reference legitimate transactions."
According to the FBI, business email compromise has exposed enterprises to US$43 billion in losses over the past six years, and actual losses continue to grow year-over-year, making up 35% of all losses to cybercrime in 2021 alone.
Abnormal Security says this new trend is only one example of how modern email threats have become more sophisticated and how cybercriminals continue to evolve and pivot their strategies for greater success.
Because employees have become more aware of traditional BEC attacks that depend on executive impersonation, threat actors have begun impersonating other entities, which often affords them greater success.
"This shift to financial supply chain attacks is another important milestone in the evolution of threat actors from low-value, low-impact threats like spam to targeted high-value, high-impact attacks," Hassold adds.
"And because they are successful, we expect that this external impersonation will continue to rise as a percentage of all attacks, ultimately dominating the BEC landscape for the foreseeable future."
Abnormal says this change in attacker tactics is significant because it means the ultimate victims of financial supply chain attacks are not in control of the initial compromise.
This makes it more critical for companies to maintain a strong understanding of their supply chain.
To address these issues, Abnormal Security uses unique AI to precisely baseline good behaviour across internal and external identities and communications.
The proprietary VendorBase technology identifies all vendors in a customer's ecosystem to understand individual risk levels, using a federated database across all Abnormal customers.
By identifying when a vendor may have a high risk of fraud, Abnormal Security knows when an email should be examined more closely for malicious activity, effectively preventing all forms of financial supply chain compromise.