
Threat actors have typically used business email compromise (BEC) attacks to steal money from unwary organizations in recent years. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors around the country.
The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been going on since at least the beginning of this year and have cost several organizations hundreds of thousands of dollars in losses so far.
“While BEC is most commonly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products,” the two agencies said in the joint cybersecurity advisory.
While the behavior has a certain rat-like scavenging quality to it, the purpose behind these thefts often is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.
A Fridge-Full of Incidents
The advisory highlighted several examples, the earliest one going back to February, where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powdered milk. The attacker used the actual name of the CFO but had an email address whose domain name contained one more letter than that of the real company. The food distributor fell for the scam and later had to pay their supplier more than $160,000 for the fraudulent shipment.
Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domains belonging to legitimate companies to place the orders.
In another incident in April, an ingredient supplier received a request, purportedly from the president of another large food manufacturer, for pricing information for whole milk powder via the company’s Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals, before realizing something was amiss.
The FBI and FDA OCI alert mentioned other incidents as well where criminals attempted to pull off similar heists but weren’t successful.
In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences, for example an extra letter or a substitute character such as a “1” instead of a lowercase “l.” Their tactics have often included gaining access to a legitimate company’s email system and using that to send fraudulent emails to targeted victims.
To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.
Losses continue to mount from BEC attacks, though the food theft scams are different from the usual tactics where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI’s Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are often victims as well.
A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.
The Big Takeaway
The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization’s defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber.
“While using the BEC vector to steal finished food shipments or raw materials seems like a lot more work than simply fooling the victim into sending cash, that may have been the point,” he says. “The threat actors here went for a novel scheme in order to slip under the radar and, presumably, steal more than they might have gotten from a single faked invoice.”
Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the most expensive form of cybercrime worldwide. “We’ve called BEC the kingpin of cybercrime in the past. Advanced technologies will make BEC a monster, particularly for global companies.”
The FBI and FDA OCI urged organizations in the food sector to pay closer attention to vetting new customers and vendors, especially to things like the new company’s name and branding.
“Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners,” they noted.
Organizations should look for extra punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.
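
The domain checks listed above can be automated against a list of known partner domains before an order is accepted. The sketch below is an added example, not code from the advisory or the original article; the domains are constructed, the function names are hypothetical, and it assumes each partner sends mail from exactly the listed domain.

```python
import re

# Characters often swapped for look-alikes (the "1" for "l" case, plus "0" for "o").
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(sender, known):
    """Say why `sender` resembles `known`; None if identical or unrelated."""
    sender, known = sender.lower().rstrip("."), known.lower().rstrip(".")
    if sender == known:
        return None
    s_name = sender.rpartition(".")[0]   # everything before the last label
    k_name = known.rpartition(".")[0]
    if s_name == k_name:
        return "top-level domain changed"
    if s_name.translate(CONFUSABLES) == k_name.translate(CONFUSABLES):
        return "substitute character"
    if re.sub(r"[-_.]", "", s_name) == re.sub(r"[-_.]", "", k_name):
        return "extra punctuation"
    if s_name.startswith(k_name) or s_name.endswith(k_name):
        return "added prefix or suffix"
    if edit_distance(s_name, k_name) == 1:
        return "extra, missing or misspelled letter"
    return None

def check_sender(address, partners):
    """Return (partner_domain, reason) pairs for a sender address."""
    domain = address.rsplit("@", 1)[-1]
    return [(p, r) for p in partners if (r := lookalike_reason(domain, p))]

# Constructed sample data: a partner allow-list and inbound order senders.
PARTNERS = ["examplefoods.com"]
SAMPLES = ["cfo@examplefoods.com", "cfo@examplefooods.com", "cfo@examp1efoods.com",
           "orders@examplefoods.co", "orders@example-foods.com",
           "orders@examplefoods-orders.com", "sales@unrelated.org"]

if __name__ == "__main__":
    for addr in SAMPLES:
        print(addr, check_sender(addr, PARTNERS) or "no lookalike match")
```

A sender that returns any pair here is worth confirming through a phone number or contact already on file before credit is extended or goods are shipped.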