In the current digital landscape, scammers can easily impersonate legitimate vendors, deceiving unsuspecting businesses into disclosing sensitive information. These scams are often quite sophisticated and can be challenging to detect, yet they can lead to severe repercussions for businesses that become targets.
We recently encountered two alarming cases of vendor scams in one of our deployments that highlight the growing threat of business email compromise (BEC) and vendor impersonation. In both cases, scammers used convincing emails to impersonate legitimate vendors and deceive users into providing seemingly innocuous information, such as company profiles and past track records. While these requests may seem harmless, they were likely an initial attempt to establish a trust relationship and lay the groundwork for more malicious requests.
Both emails share a common theme: they invite the recipient to explore a business opportunity, as illustrated in the following screenshots.
Figure 1: ExxonMobil Impersonation
Figure 2: Larsen & Toubro Impersonation
Moreover, many small and medium-sized enterprises legitimately use free email providers for their business communications. This makes it increasingly challenging to distinguish between a legitimate business utilizing a free email service and an attacker attempting to impersonate a legitimate entity.
Figure 3: ExxonMobil Fake Vendor Procurement Detection
By employing Generative and Predictive AI for semantic and thematic analysis, NACE derives intent from the email body and headers, and combines this with auxiliary data about the domains found in the email to inform its expert system.
The AI models employed by NACE extract a range of semantic features, regardless of whether the text was written by a threat actor or generated by AI, that serve as key indicators of intent and inform decision-making, including:
Figure 4: Results from VirusTotal of exxonmobilvendor[.]com
At the time of writing, only 1 out of 96 vendors in VirusTotal classified exxonmobilvendor[.]com as malicious, while another flagged it as spam.
Figure 5: Larsen & Toubro Fake Registration Detection
In both of the above scenarios, NACE successfully isolated and classified the Business Email Compromise (BEC) email as a "Vendor Impersonation" threat. This achievement was made possible by leveraging Generative and Predictive AI to extract critical features and their contextual relationships, enabling NACE to detect sophisticated BEC attempts that may evade traditional detection methods.
Figure 6: Results from VirusTotal of larssentoubro[.]com
At the time of writing, only 1 out of 96 vendors in VirusTotal classified larssentoubro[.]com as malicious.
These two cases highlight the evolving nature of business email compromise (BEC) threats and their ability to evade traditional detection methods. The sophistication of these scams is alarming: they use free email providers, plain-text emails, typosquatting, and combosquatting to lure unsuspecting businesses into exploring seemingly legitimate business opportunities that are actually a ruse for more malicious activity. Moreover, the use of legitimate domains and the absence of URLs, images, and attachments make it increasingly challenging for traditional spam filters to detect such threats.
The fact that no VirusTotal vendor detected either of the email samples, and so few flagged the domains, suggests a significant gap in current detection capabilities. Relying on SPF, DKIM, sender domain, and IP reputation checks is no longer sufficient against attacks of this kind. Businesses must remain vigilant and implement robust security measures to safeguard against such threats.
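To make concrete the kind of header, body and domain signals discussed above (intent derived from the message itself plus the free-provider, typosquatting and combosquatting patterns these two cases used), here is a small added example that is not NACE's code or the original post's. It assumes a constructed vendor list, a constructed free-provider list and a constructed sample message shaped like the ExxonMobil case; `analyze`, `classify_domain` and `label_of` are names chosen for this example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
# Constructed vendor and free-provider lists for this example (not NACE's data).
VENDORS = {"exxonmobil": "exxonmobil.com", "larsentoubro": "larsentoubro.com"}
FREE_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed sample message shaped like the post's description; not a real sample.
SAMPLE = """From: "ExxonMobil Procurement" <exxonmobil.procurement@gmail.com>
Reply-To: vendors@exxonmobilvendor.com
Subject: Vendor registration - business opportunity

Dear Sir/Madam,
Kindly send your company profile and past track record to vendors@exxonmobilvendor.com.
"""

def label_of(domain):
    return domain.lower().split(".")[-2]  # 'exxonmobilvendor.com' -> 'exxonmobilvendor'

def classify_domain(domain):
    """Return (brand, kind); kind is 'legit', 'combosquat', 'typosquat' or None."""
    label = label_of(domain)
    for brand, official in VENDORS.items():
        if domain.lower() == official:
            return brand, "legit"
        if brand in label and label != brand:
            return brand, "combosquat"   # brand string plus extra tokens
        if SequenceMatcher(None, brand, label).ratio() >= 0.85:
            return brand, "typosquat"    # a character or two off the brand
    return None, None

def analyze(raw):
    """Return a list of findings for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()
    body_doms = set(re.findall(r"@([a-z0-9.-]+\.[a-z]{2,})", body.lower()))
    findings = []
    claimed = [b for b in VENDORS if b in re.sub(r"\W", "", name.lower())]
    if claimed and from_dom in FREE_PROVIDERS:
        findings.append(f"display name claims {claimed[0]} but sender is on {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for dom in sorted(d for d in {from_dom, reply_dom} | body_doms if "." in d):
        brand, kind = classify_domain(dom)
        if kind in ("combosquat", "typosquat"):
            findings.append(f"{dom} looks like a {kind} of {brand}")
    return findings
```

Each finding on its own is weak (many legitimate small businesses do send from free providers), so in practice these signals feed a scoring or expert system rather than blocking outright.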
Ultimately, the success of BEC scams underscores the need for more advanced detection techniques that can identify intent and contextual relationships within emails. By acknowledging the limitations of traditional technologies and embracing new approaches, we can work towards a safer digital landscape where businesses are protected from falling victim to these sophisticated attacks.