dark reading threat intel and cybersecurity news

Threat actors have typically used business email compromise (BEC) attacks to steal money from unwary organizations in recent years. But in a new twist, cybercriminals are using them to steal food shipments and ingredients from suppliers and distributors around the country.

The FBI and the Food and Drug Administration Office of Criminal Investigations (FDA OCI) on Dec. 16 issued an alert warning that the attacks have been going on since at least the beginning of this year and have cost several organizations hundreds of thousands of dollars in losses so far.

“While BEC is most commonly used to steal money, in cases like this, criminals spoof emails and domains to impersonate employees of legitimate companies to order food products,” the two agencies said in the joint cybersecurity advisory.

While the behavior has a certain rat-like scavenging quality to it, the goal behind these thefts often is to repackage and resell the stolen food items without regard for safety and sanitation regulations, they said.

A Fridge-Full of Incidents

The advisory highlighted several examples — the earliest one going back to February — where companies have fallen victim to the scam. In one incident in August, a food distributor received an email order supposedly from the chief financial officer of a multinational snack and beverage company for two full truckloads of powered milk. The attacker used the actual name of the CFO but had an email address that contained an extra letter in the domain name than that of the real company. The food distributor fell for the scam and later had to pay their supplier more than $160,000 for the fraudulent shipment.

Also in February, a food manufacturer experienced more than $600,000 in losses after receiving and shipping orders for whole milk powder and nonfat dry milk from four different fraudulent companies. In each instance, the attackers used real employee names and emails with slight variations of domain names belonging to legitimate companies to place the orders.

In another incident in April, an ingredient supplier received a request — purportedly from the president of another large food manufacturer — for pricing information for whole milk powder via the company’s Web portal. In this instance, the supplier ran a credit check on the spoofed food manufacturer, extended a line of credit to the company, and made the first of two $100,000 shipments to the criminals, before realizing something was amiss. 

The FBI and FDA OCI alert mentioned other incidents as well where criminals attempted to pull off similar heists but were not successful. 

In each of these attacks, the criminals have created email accounts and websites that look nearly identical to those of a legitimate company but contain nearly indiscernible differences — for example, an extra letter or substitute character such as a “1” instead of a lowercase “l.” Their tactics have often included gaining access to a legitimate company’s email system and using that to send fraudulent emails to targeted victims.

To add further legitimacy to their fraudulent communications, the attackers have used the actual names of executives and employees at legitimate businesses and used copied company logos in their emails and other documents. The attackers have also used the actual business information of legitimate companies to pass credit checks and obtain lines of credit for fraudulently purchasing food supplies and ingredients from victim companies.

Losses continue to mount from BEC attacks, although the food theft scams are different from usual tactics where threat actors scam organizations into making fraudulent money transfers. In 2021, losses from BEC attacks totaled nearly $2.4 billion, making it one of the most financially damaging online crimes, according to the FBI’s Internet Crime Complaint Center (IC3). Many BEC attacks target small and midsize companies, though large organizations are often victims as well. 

A report that IC3 released earlier this year showed that BEC attacks are only continuing to grow and evolve. IC3 estimated that between June 2016 and last December, there were some 241,206 BEC attacks that cumulatively caused organizations worldwide a staggering $43 billion in losses.

The Big Takeaway

The takeaway from these attacks is that threat actors can be clever and will adapt their techniques to find ways around an organization’s defenses, says Mike Parkin, senior technical engineer at Vulcan Cyber. 

“While using the BEC vector to steal finished food shipments or raw materials seems like a lot more work than simply fooling the victim into sending cash, that may have been the point,” he says. “The threat actors here went for a novel scheme in order to slip under the radar and, possibly, steal more than they might have gotten from a single faked invoice.”

Mika Aalto, co-founder and CEO at Hoxhunt, says the attacks on the food industry are a reminder of why BEC is the costliest form of cybercrime worldwide. “We’ve called BEC the kingpin of cybercrime in the past. Advanced technologies will make BEC a monster, particularly for global companies.”

The FBI and FDA OCI urged organizations in the food sector to play closer attention to vetting new customers and vendors, especially to things like the new company’s name and branding. 

“Carefully check hyperlinks and email addresses for slight variations that can make fraudulent addresses appear legitimate and resemble the names of actual business partners,” they noted. 

Organizations should look for additional punctuation, changes in the top-level domains, misspellings, and added prefixes or suffixes. They should also conduct periodic Web scans to ensure that attackers are not spoofing their domain and brands, the advisory said.