The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) have published a joint security advisory to warn of business email compromise (BEC) attacks leading to the hijack of shipments of food products and ingredients.
In BEC attacks threat actors usually aims at compromising email communications to hijack payments, this time the attacks target the food and agriculture sector with a different purpose.
Attackers impersonate legitimate companies and order food products without paying them, according to US agencies threat actors have stolen high-valued shipments from multiple businesses.
Crooks create email accounts and websites mimicking those of a legitimate company. In order to trick the recipients that the account and the addresses are legitimate, attackers add extra letters or words, substitute characters (such as the number “1” for a lower case “l”), or use a different top level domain (such as .org instead of .gov).
“The victim company fulfills the order and ships the goods, but the criminals do not pay for the products.” reads the joint Cybersecurity Advisory (CSA). Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation.”
Attackers may also gain access to a legitimate company’s email system to send fraudulent emails. Experts reported that one of the most prevalent techniques used for initial access to IT networks is spear-phishing in an attempt to infect the recipient’s system and access to the network.
In order to add legitimacy to the BEC attacks, scammers may use the names of actual officers or employees of a legitimate business to communicate with the victim company. The messages are composed using company logos to appear from a legitimate source.
The alert also reports that threat actors may also falsify credit applications to trick the victim company into extending credit. The scammer provides the actual information of a legitimate company so the credit check results in approval of the application, then the victim ships the product but never receives payment.
The alert also provides details of recent BEC incidents targeting the Food & Agriculture sector.
In August 2022, a US sugar supplier received a request through their web portal for a full truckload of sugar to be purchased on credit. The message contained grammatical errors and appeared to come from a senior officer of a US non-food company. The sugar supplier identified the email address had an extra letter in the domain name and discovered the fraudulent activity by contacting the actual company.
In August 2022, a food distributor received a fake message from a multinational snack food and beverage company requesting two full truckloads of powdered milk. The attackers used the real name of the chief financial officer of the snack food company but used an email address with an extra letter in the domain name. In this case, the victim paid their supplier more than $160,000 for the shipment after responding to the fraudulent request.
The alert includes a description of other attacks that took place between February and August 2022.
The alert includes the following recommendations to mitigate this kind of BEC attacks:
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, BEC)