Criminals Using BEC Attacks to Scavenge Food Shipments


Lately, threat actors have sometimes used business email compromise (BEC) attacks to steal money from unwary organizations. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors across the nation.

The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been occurring since at least the start of this year and have cost a number of organizations hundreds of thousands of dollars in losses so far.

“While BEC is mostly used to steal cash, in circumstances like this, criminals spoof emails and domains to impersonate staff of reputable firms to order food products,” the two agencies said in the joint cybersecurity advisory.

While the behavior has a certain rat-like scavenging quality to it, the goal behind these thefts usually is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.

A Fridge-Full of Incidents

The advisory highlighted a number of examples — the earliest one going back to February — where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powdered milk. The attacker used the actual name of the CFO but had an email address whose domain name contained an extra letter compared with that of the real company. The food distributor fell for the scam and later had to pay its supplier more than $160,000 for the fraudulent shipment.

Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domains belonging to legitimate companies to place the orders.

In another incident in April, an ingredient supplier received a request — purportedly from the president of another large food manufacturer — for pricing information for whole milk powder via the company’s Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals, before realizing something was amiss.

The FBI and FDA OCI alert mentioned other incidents as well where criminals tried to pull off similar heists but were not successful.

In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences — for example, an extra letter or a substitute character such as a “1” instead of a lowercase “l.” Their tactics have usually included gaining access to a legitimate company’s email system and using that to send fraudulent emails to targeted victims.

To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.

Losses continue to mount from BEC attacks, though the food theft scams are different from the usual tactics, where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI’s Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are sometimes victims as well.

A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.

The Big Takeaway

The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization’s defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber.

“While using the BEC vector to steal finished food shipments or raw materials looks like much more work than merely fooling the victim into sending money, that may have been the purpose,” he says. “The threat actors here went for a novel scheme in order to slip beneath the radar and, probably, steal more than they may have gotten from a single faked bill.”

Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the most expensive form of cybercrime worldwide. “We’ve called BEC the kingpin of cybercrime up to now. Advanced technologies will make BEC a monster, notably for international firms.”

The FBI and FDA OCI urged organizations in the food sector to pay closer attention to vetting new customers and vendors, especially to things like the new company’s name and branding.

“Carefully check hyperlinks and email addresses for slight variations that may make fraudulent addresses seem reputable and resemble the names of actual business partners,” they noted.

Organizations should look for extra punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.
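
The address checks the advisory recommends can be run automatically against a list of known partner domains before an order is accepted. The sketch below is an added example, not code from the advisory or from this article; the partner domains, the substitution list and the edit threshold are constructed assumptions.

```python
import re

# Constructed allow-list of real partner domains (hypothetical names).
KNOWN_DOMAINS = ("dairy-partner.com", "examplefoods.com")
# Digit-for-letter swaps such as the advisory's "1" for "l" (list is illustrative).
SUBSTITUTIONS = str.maketrans({"1": "l", "0": "o", "5": "s"})
MAX_EDITS = 2  # tolerance for extra letters / misspellings; tune for short names


def split_domain(domain):
    """Naive split into (name, tld); multi-label suffixes like co.uk are not handled."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def skeleton(name):
    """Fold substitute characters and drop punctuation so look-alikes collapse."""
    return re.sub(r"[^a-z0-9]", "", name.translate(SUBSTITUTIONS))


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return (verdict, matched_known_domain, reason) for an email address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in KNOWN_DOMAINS:
        return ("known", domain, None)
    name, tld = split_domain(domain)
    for known in KNOWN_DOMAINS:
        kname, ktld = split_domain(known)
        if name == kname and tld != ktld:
            return ("lookalike", known, "changed top-level domain")
        if skeleton(name) == skeleton(kname):
            return ("lookalike", known, "substitute character or extra punctuation")
        if edit_distance(name, kname) <= MAX_EDITS:
            return ("lookalike", known, "extra letter or misspelling")
        if kname in name:
            return ("lookalike", known, "added prefix or suffix")
    return ("unknown", None, None)
```

A "lookalike" verdict is a prompt to verify the order through a contact channel already on file, and an "unknown" verdict still calls for the normal new-customer vetting.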
