Cyber Criminals Target Vendor Portals Belonging to U.S. Government and Academic Entities to Steal Payments Intended for Vendors

Published on August 27, 2025

The Federal Bureau of Investigation (FBI) and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint product to raise awareness of cyber threat actor (CTA) activity targeting vendor accounts within vendor portals belonging to U.S. State, Local, Tribal, and Territorial (SLTT) government or public entities, as well as school districts and higher-education institutions. The FBI refers to these incidents as vendor account compromises (VACs). Since 2023, the FBI has recorded an uptick in the number of unique threat actor groups conducting VACs. This uptick appears to be due in part to CTAs' increased awareness of the extent to which government and academic entities rely on online systems for conducting business and managing payment information. These CTAs use a mix of social engineering and exploitation of portal authentication measures to gain unauthorized access to vendor accounts, with the goal of manipulating vendor records and redirecting vendor payments. Growing adoption of this scheme for stealing vendor payments poses an increased risk, as successful VACs can result in losses of millions or tens of millions of dollars.

 

As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.