SAN FRANCISCO, May 9, 2023 - Abnormal Security, the leading behavioral AI-based email security platform, announced today a new threat report that reveals a number of business email compromise (BEC) attacks linked to a threat group based in Israel—a historically unlikely location for BEC threat actors. The report is based on Abnormal research surrounding more than 350 BEC campaigns from these attackers dating back to February 2021.
Most BEC attacks have historically originated in West Africa, with 74% of all attacks analyzed by Abnormal over the past year based in Nigeria. And while many BEC actors found in other countries are connected to Nigeria, there are no indications that the threat group examined in this report has any direct Nigerian ties—making it a notable outlier in the BEC threat landscape.
The research provides a view into how the Israel-based group executes an attack across two phases, each employing a different persona—one internal and one external. The primary pretext is that the organization is working through the confidential acquisition of another company, and the targeted employee is asked to help with the initial payment required for the merger.
The attackers start by impersonating the targeted employee’s CEO before handing off the correspondence to a second external persona, typically a mergers and acquisitions attorney, whose job it is to coordinate the payment. In some campaigns, once the attack has reached this second stage, the group asks to transition the conversation from email to a voice call via WhatsApp, both to expedite the attack and to minimize the trail of evidence.
Key findings from the report include:
Targets are primarily large and multinational enterprises with more than $10 billion in average annual revenue. Across these targeted organizations, employees from 61 countries across six continents received emails.
The average amount requested in an attack by this group is $712,000, more than ten times the average BEC attack.
Most emails from this threat group are written in English, but they are also translated into Spanish, French, Italian, and Japanese.
The frequency of campaigns follows a cyclical pattern, with 80% of attacks occurring during three periods of the year: March, June-July, and October-December.
“Ultimately, the motivation here is no different from any other BEC attack: to make money as quickly and as easily as possible,” said Mike Britton, chief information security officer at Abnormal. “What is interesting is that these attackers are based in Israel, which is not a country historically connected to cybercrime, and which has traditionally been a location where cybersecurity innovation is prevalent.”
The research shows how BEC is continuing to spread, and how attackers are employing more sophisticated, multi-phase attack tactics as they set their sights on massively larger sums of money than we’ve seen before. To prevent these attacks, enterprises will need an intelligent cloud email security solution that can precisely detect and block attacks before they reach email inboxes.
The Abnormal platform uses behavioral AI to baseline known-good behavior across employees, vendors, applications, and tenants in the email environment. By understanding what is normal, Abnormal can then detect anomalies and remediate malicious emails in seconds, before employees ever have an opportunity to engage with them. This risk-adaptive approach enables Abnormal to prevent emails sent from attackers like this Israel-based group and others, so organizations can stay safe from evolving email attacks.
To learn more about this Israel-based threat group, download the full report here.
About Abnormal Security
Abnormal Security provides the leading behavioral AI-based email security platform that leverages machine learning to stop sophisticated inbound email attacks and dangerous email platform attacks that evade traditional solutions. The anomaly detection engine leverages identity and context to analyze the risk of every cloud email event, preventing inbound email attacks, detecting compromised accounts, and remediating emails and messages —all while providing visibility into configuration drifts across your environment. You can deploy Abnormal in minutes with an API integration for Microsoft 365 or Google Workspace and experience the full value of the platform instantly, with additional protection available for Slack, Teams, and Zoom. More information is available at abnormalsecurity.com.
Director of Communications