All of the hundreds of Australian companies studied during the course of a week were targeted by supplier domain cyber attacks, with hackers turning their attention to the supply chain, a new report has found.
Cybersecurity company Proofpoint monitored nearly 3,000 organisations in the United States, United Kingdom and Australia over seven days in February.
It found that 98 per cent of these businesses received a threat from a supplier domain.
For the Australian companies studied, this number was 100 per cent.
This signals that cyber attackers have turned the supply chain and partner ecosystem into another threat vector, sending all types of threats through this avenue.
These attacks include phishing for credentials and malware, and imposter threats such as business email compromise.
Nearly 75 per cent of these supplier domain attacks were from impersonated and compromised suppliers using phishing or imposter threats, based on social engineering and hoping for human error. Less than a third of the identified attacks were malware-related, the study found.
“The research shows that threats from impersonated and compromised suppliers are more likely to lean on social engineering to prey on human nature,” the Proofpoint report said.
“This is further evidence that attackers are targeting people rather than the vulnerabilities of the infrastructure of an organisation.”
The high level of attacks was consistent across company size, industry and country, meaning all businesses are at risk from this new avenue of attack.
Supplier threats have previously been focused on invoicing fraud, but the study revealed that they can encompass all types of threats.
And the cyber attackers are also following legitimate suppliers to the cloud and exploiting popular platforms such as Microsoft 365, Google G-Suite and Dropbox to host or send threats at an “alarming rate”, the report found.
As part of the study, Proofpoint observed and stopped supplier invoicing fraud attacks that would have potentially cost millions of dollars, the company said.
All companies in the construction sector that were studied received these types of threats, compared to 99 per cent of those in utilities and communications, and 98 per cent of those in financial services.
There’s no simple fix to this type of cyber threat, the report said.
“There’s no silver bullet for supply chain threats,” the Proofpoint report said.
“To better defend against threats from impersonated and compromised suppliers, organisations need a holistic, multi-layered solution.”
In February last year it was revealed that an Australian ice rink company had lost more than $77,7000 in a supplier email scam that tricked a director into sending the money into a cybercriminal’s bank account in Hungary.
The company first received a legitimate invoice from the company it had purchased a new ice resurfacer machine from, but soon after received an amended invoice that appeared to be from the same address.
This invoice had different banking details linking to the Hungary account.
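The two supplier patterns the article describes, an impersonated (lookalike) supplier domain and an amended invoice from a supplier whose bank details no longer match what was previously verified, can both be screened for with a short check before an invoice reaches accounts payable. The Python below is an added example written for this page; it is not code from Proofpoint or from the report, and the supplier names, domains, BSB/account numbers and invoices in it are constructed placeholders. It assumes the organisation keeps a registry of suppliers whose remittance details were confirmed out of band, and it flags any invoice that either comes from a domain resembling a registered supplier or carries bank details that differ from the record.

```python
"""Added example (not from the article or the Proofpoint report): screen
incoming supplier invoices for impersonated sender domains and for changed
bank details.  Every supplier, domain and bank detail below is constructed."""

from dataclasses import dataclass

# Constructed supplier registry: domains and remittance details that were
# verified out of band (for example, by calling a known phone number).
KNOWN_SUPPLIERS = {
    "resurfacer-example.com": {"bsb": "062-000", "account": "12345678"},
    "ice-supplies-example.net": {"bsb": "033-001", "account": "87654321"},
}

# Character substitutions commonly used to build lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


@dataclass
class Invoice:
    sender_domain: str
    bsb: str
    account: str


def normalize(domain: str) -> str:
    """Lower-case a domain and fold common confusable characters."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str) -> str:
    """Return 'known', 'lookalike' or 'unknown' for an invoice sender domain."""
    domain = domain.lower()
    if domain in KNOWN_SUPPLIERS:
        return "known"
    norm = normalize(domain)
    for known in KNOWN_SUPPLIERS:
        known_norm = normalize(known)
        if norm == known_norm or edit_distance(norm, known_norm) <= 1:
            return "lookalike"
    return "unknown"


def screen_invoice(inv: Invoice) -> list[str]:
    """Return finding codes; an empty list means the invoice passed the screen."""
    findings = []
    status = classify_sender(inv.sender_domain)
    if status == "lookalike":
        # Sender resembles a registered supplier: likely impersonation.
        findings.append("IMPERSONATED_DOMAIN")
    elif status == "unknown":
        findings.append("UNKNOWN_SUPPLIER")
    else:
        record = KNOWN_SUPPLIERS[inv.sender_domain.lower()]
        if (inv.bsb, inv.account) != (record["bsb"], record["account"]):
            # Same (possibly compromised) supplier mailbox, new bank details:
            # hold payment until the change is confirmed out of band.
            findings.append("BANK_DETAILS_CHANGED")
    return findings


# Constructed sample invoices mirroring the article's scenario: a legitimate
# invoice followed by an "amended" one with different banking details.
SAMPLE_INVOICES = [
    Invoice("resurfacer-example.com", "062-000", "12345678"),   # matches record
    Invoice("resurfacer-example.com", "062-000", "99999999"),   # amended details
    Invoice("resurfacer-examp1e.com", "062-000", "99999999"),   # lookalike domain
    Invoice("totally-other.org", "010-101", "00000000"),        # not a supplier
]

if __name__ == "__main__":
    for inv in SAMPLE_INVOICES:
        print(inv.sender_domain, screen_invoice(inv) or ["OK"])
```

The screen deliberately treats a changed bank account from a genuine supplier address as a hold, not a rejection, since the article's point is that the amended invoice arrived from what appeared to be the same address; the only reliable resolution is confirming the change through a channel that does not run through the supplier's mailbox.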
Last year saw cybercriminals up their game, penetrating corporate networks twice as quickly as in 2019.
It was found that it took just 4 hours 28 minutes on average for attackers to gain entry into a new organisation, half as long as the average time in the previous year.
The report also found that two out of three Australian organisations had been hit by ransomware attacks in 2020.