Saturday, December 17, 2022

Criminals Using BEC Attacks to Scavenge Food Shipments



Threat actors have often used business email compromise (BEC) attacks to steal money from unwary organizations in recent years. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors across the country.

The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been occurring since at least the beginning of this year and have cost several organizations hundreds of thousands of dollars in losses so far.

“While BEC is mostly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products,” the two agencies said in the joint cybersecurity advisory.

While the behavior has a certain rat-like scavenging quality to it, the goal behind these thefts often is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.

A Fridge-Full of Incidents

The advisory highlighted several examples, the earliest one going back to February, where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powdered milk. The attacker used the actual name of the CFO but had an email address whose domain name contained one more letter than that of the real company. The food distributor fell for the scam and later had to pay their supplier more than $160,000 for the fraudulent shipment.

Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domains belonging to legitimate companies to place the orders.

In another incident in April, an ingredient supplier received a request, purportedly from the president of another large food manufacturer, for pricing information for whole milk powder through the company’s Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals before realizing something was amiss.

The FBI and FDA OCI alert mentioned other incidents as well where criminals tried to pull off similar heists but weren’t successful.

In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences, for example an extra letter or a substitute character such as a “1” instead of a lowercase “l.” Their tactics have often included gaining access to a legitimate company’s email system and using that to send fraudulent emails to targeted victims.

To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.

Losses continue to mount from BEC attacks, though the food theft scams are different from the usual tactics where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI’s Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are often victims as well.

A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.

The Big Takeaway

The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization’s defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber.

“While using the BEC vector to steal finished food shipments or raw materials seems like a lot more work than simply fooling the victim into sending cash, that may have been the point,” he says. “The threat actors here went for a novel scheme in order to slip under the radar and, presumably, steal more than they could have gotten from a single faked invoice.”

Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the costliest form of cybercrime worldwide. “We have called BEC the kingpin of cybercrime in the past. Advanced technologies will make BEC a monster, particularly for global companies.”

The FBI and FDA OCI urged organizations in the food sector to pay closer attention to vetting new customers and vendors, especially to things like the new company’s name and branding.

“Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners,” they noted.

Organizations should look for extra punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.
