The Federal Bureau of Investigation (FBI), the Food and Drug Administration Office of Criminal Investigations (FDA OCI), and the US Department of Agriculture (USDA) have published a joint security advisory to warn of business email compromise (BEC) attacks leading to the hijack of shipments of food products and ingredients.
In BEC attacks, threat actors usually aim to compromise email communications to hijack payments; this time, the attacks target the food and agriculture sector with a different purpose.
Attackers impersonate legitimate companies and order food products without paying for them. According to the US agencies, threat actors have stolen high-value shipments from multiple businesses.
Crooks create email accounts and websites mimicking those of a legitimate company. To trick recipients into believing that the accounts and addresses are legitimate, attackers add extra letters or words, substitute characters (such as the number “1” for a lowercase “l”), or use a different top-level domain (such as .org instead of .gov).
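An order-desk or mail-gateway check can flag the three look-alike patterns described above before an order is fulfilled. The following is an added example, not code from the advisory or this article; the allow-list, sample addresses, character-folding table and length cap are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list of partner domains; replace with your own vendor records.
TRUSTED = {"examplefoods.com", "agency.gov"}
# Look-alike characters folded to the letter they imitate (assumed, not exhaustive).
FOLD = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})
MAX_EXTRA = 8  # assumed cap on added characters for the "extra letters or words" check


def split_domain(domain):
    """Split 'name.tld'; assumes the registrable domain was already extracted."""
    name, _, tld = domain.lower().strip(".").rpartition(".")
    return name, tld


def is_subsequence(short, long):
    """True if every character of `short` occurs in `long`, in order."""
    remaining = iter(long)
    return all(ch in remaining for ch in short)


def classify(domain, trusted=TRUSTED):
    """Return (verdict, imitated_domain) for a sender domain."""
    domain = domain.lower().strip(".")
    if domain in trusted:
        return "trusted", domain
    name, tld = split_domain(domain)
    for legit in sorted(trusted):
        l_name, l_tld = split_domain(legit)
        if name == l_name and tld != l_tld:
            return "different-tld", legit
        if name.translate(FOLD) == l_name.translate(FOLD):
            return "character-substitution", legit
        extra = len(name) - len(l_name)
        if 0 < extra <= MAX_EXTRA and is_subsequence(l_name, name):
            return "extra-letters-or-words", legit
    return "unknown", None


def triage(from_header):
    """Classify the domain of a From header such as 'Name <user@domain>'."""
    address = parseaddr(from_header)[1]
    return classify(address.rpartition("@")[2])


if __name__ == "__main__":
    for header in ("CFO <cfo@examplefooods.com>", "orders@examp1efoods.com",
                   "Inspector <a.b@agency.org>", "sales@examplefoods.com"):
        print(header, "->", triage(header))
```

A verdict of "unknown" only means the domain resembles nothing on the allow-list; a first-time buyer still warrants verification through contact details obtained independently of the message.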
“The victim company fulfills the order and ships the goods, but the criminals do not pay for the products,” reads the joint Cybersecurity Advisory (CSA). “Criminals may repackage stolen products for individual sale without regard for food safety regulations and sanitation practices, risking contamination or omitting necessary information about ingredients, allergens, or expiration dates. Counterfeit goods of lesser quality can damage a company’s reputation.”
Attackers may also gain access to a legitimate company’s email system to send fraudulent emails. Experts reported that one of the most prevalent techniques used for initial access to IT networks is spear-phishing, which attempts to infect the recipient’s system and gain access to the network.
To add legitimacy to the BEC attacks, scammers may use the names of actual officers or employees of a legitimate business to communicate with the victim company. The messages are composed using company logos so that they appear to come from a legitimate source.
The alert also reports that threat actors may falsify credit applications to trick the victim company into extending credit. The scammer provides the actual information of a legitimate company so that the credit check results in approval of the application; the victim then ships the product but never receives payment.
The alert also provides details of recent BEC incidents targeting the Food & Agriculture sector.
In August 2022, a US sugar supplier received a request through their web portal for a full truckload of sugar to be purchased on credit. The message contained grammatical errors and appeared to come from a senior officer of a US non-food company. The sugar supplier identified that the email address had an extra letter in the domain name and discovered the fraudulent activity by contacting the actual company.
In August 2022, a food distributor received a fake message from a multinational snack food and beverage company requesting two full truckloads of powdered milk. The attackers used the real name of the chief financial officer of the snack food company but used an email address with an extra letter in the domain name. In this case, the victim paid their supplier more than $160,000 for the shipment after responding to the fraudulent request.
The alert includes a description of other attacks that took place between February and August 2022.
The alert includes the following recommendations to mitigate this kind of BEC attack: