Abnormal Security announced a new threat report that reveals a number of business email compromise (BEC) attacks linked to a threat group based in Israel, a historically unlikely location for BEC threat actors. The report is based on Abnormal research surrounding more than 350 BEC campaigns from these attackers dating back to February 2021.
Most BEC attacks have historically originated in West Africa, with 74% of all attacks analyzed by Abnormal over the past year based in Nigeria. And while many BEC actors found in other countries are connected to Nigeria, there are no indications that the threat group examined in this report has any direct Nigerian ties, making it a notable outlier in the BEC threat landscape.
The research provides a view into how the Israel-based group executes an attack across two phases, each employing a different persona: one internal and one external. The primary pretext is that the organization is working through the confidential acquisition of another company, and the targeted employee is asked to help with the initial payment required for the merger.
The attackers start by impersonating the targeted employee's CEO before handing off the correspondence to a second external persona, typically a mergers and acquisitions attorney, whose job it is to coordinate the payment. In some campaigns, once the attack has reached this second stage, the group asks to transition the conversation from email to a voice call via WhatsApp, both to expedite the attack and to minimize the trail of evidence.
Key findings from the report include:
- Targets are primarily large and multinational enterprises with more than $10 billion in average annual revenue. Across these targeted organizations, employees from 61 countries across six continents received emails.
- The average amount requested in an attack by this group is $712,000, more than ten times the average BEC attack.
- Most emails from this threat group are written in English, but they are also translated into Spanish, French, Italian, and Japanese.
- The frequency of campaigns follows a cyclical pattern, with 80% of attacks occurring during three periods of the year: March, June-July, and October-December.
"Ultimately, the motivation here is no different from any other BEC attack: to make money as quickly and as easily as possible," said Mike Britton, chief information security officer at Abnormal. "What is interesting is that these attackers are based in Israel, which is not a country historically connected to cybercrime, and which has traditionally been a location where cybersecurity innovation is prevalent."
The research shows how BEC is continuing to spread, and how attackers are employing more sophisticated, multi-phase attack tactics as they set their sights on massively larger sums of money than we've seen before.
To prevent these attacks, enterprises will need an intelligent cloud email security solution that can precisely detect and block attacks before they reach email inboxes.
The Abnormal platform uses behavioral AI to baseline known-good behavior across employees, vendors, applications, and tenants in the email environment. By understanding what is normal, Abnormal can then detect anomalies and remediate malicious emails in seconds, before employees ever have an opportunity to engage with them. This risk-adaptive approach enables Abnormal to prevent emails sent from attackers like this Israel-based group and others, so organizations can stay safe from evolving email attacks.
To learn more about this Israel-based threat group, download the full report here.