
Attackers Exploit Middle East Crisis to Solicit Fraudulent Cryptocurrency Donations for Children

Attackers attempt to solicit fraudulent donations via cryptocurrency transfers under the guise of collecting donations for children in Palestine.
November 16, 2023

Threat actors are known to capitalize on geopolitical events to manipulate victims into sending money under the guise of charitable donations, and the ongoing events in Gaza and Israel are no exception.

In a recent charity attack detected by Abnormal, cybercriminals attempted to solicit fraudulent donations by playing on sympathy for children in Palestine. The attackers encouraged recipients to donate funds to the provided cryptocurrency wallet addresses, claiming the money would go to providing basic needs, including water, medical care, and Internet access.

According to our research, the campaign targeted 212 individuals at 88 organizations.

Breaking Down the Cryptocurrency Donation Attack

The email states that an unidentified group (presumably from “help-palestine[.]com”, the sender’s display name) is “launching a campaign to provide vital support” to families in Palestine and invites the target to donate to the cause.

Crypto Donation Attack Email

After asking for contributions ranging from $100 to $5,000, the attacker explains that donations can be made using cryptocurrency and provides wallet addresses for Bitcoin, Litecoin, and Ethereum—three of the most popular digital currencies.

To further increase legitimacy and create one final opportunity to manipulate the recipients, three links to recent news articles discussing the impact of the conflict on children in the region are included at the bottom of the email.

What Makes This Attack Notable

This attack is a perfect example of cybercriminals attempting to exploit the powerful emotional response triggered by humanitarian crises. During natural disasters, national tragedies, or global emergencies, people's need to act and desire to contribute to relief efforts are heightened—making them more susceptible to deception.

Cyberattackers often take advantage of this vulnerability by weaving compelling narratives with requests for donations that appeal to recipients' sympathy. This manipulation is quintessential social engineering, as it preys on the target's goodwill and altruistic tendencies.

The threat actors in this attack deliberately included emotionally charged wording throughout—for example, “children in Palestine face unimaginable challenges daily”, “a lifeline for these children caught in the crossfire”, and “the children in Palestine are dying”. They also used inclusive language, such as “we have the power to make a difference” and “let’s come together,” a linguistic strategy that aims to establish a shared identity between the speaker and the reader and foster a sense of partnership.

From a technical standpoint, the attackers took multiple steps to hide their actual email address. First, they spoofed the sender email address (erode@gwcindia[.]in), which is a valid address for Goodwill Wealth Management, an India-based stock brokerage. Then, to add legitimacy, they changed the display name to “help-palestine[.]com”, a domain that doesn’t exist. The attackers’ real address, theconollyfoundation@gmail[.]com, is hidden in the reply-to field, which recipients wouldn’t see unless they viewed the expanded email header.

Why This Attack is Difficult to Detect

Older, legacy email security tools like secure email gateways (SEGs) struggle to accurately identify this email as an attack for multiple reasons.

The first is the attack's reliance on social engineering. Social engineering attacks often involve manipulation and deception, exploiting human psychology rather than relying solely on technical vulnerabilities. SEGs have limitations in analyzing and understanding the subtleties of language and human behavior, making it difficult to distinguish between genuine and nefarious intent.

Additionally, the email contains no payloads and lacks obvious misspellings or grammatical errors. Because this attack is entirely text-based and has no clear indicators of compromise such as a phishing link or harmful attachment, it would almost certainly bypass a SEG.

Modern, AI-native email security solutions, on the other hand, utilize the latest machine learning capabilities to correctly identify this email as an attack. Because an AI-powered email security platform is trained to identify social engineering tactics, it recognizes that this email is attempting to leverage emotional manipulation to convince the target to bypass rational thinking and quickly transfer funds. It can also detect and flag the mismatch between the sender’s email and the reply-to address, as this is a common attack tactic.
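The header inconsistencies described above (a display name styled as a domain, a spoofed sender address, and the real address tucked into the reply-to field) can be checked directly from the raw message. The following is an added example, not Abnormal's detection logic; the function names, the webmail list, and the sample headers are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Illustrative webmail list; "freemail.example" stands in for a real provider.
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "freemail.example"}
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def header_findings(raw):
    """Return findings about From / Reply-To consistency for one raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []
    # Display name that looks like a domain but is not the sending domain.
    m = DOMAIN_RE.search(display)
    if m and m.group(1).lower() != from_dom:
        findings.append("display-name-domain-mismatch")
    # Replies would be routed to a different domain than the visible sender.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        reply_dom = domain_of(reply)
        if reply_dom and reply_dom != from_dom:
            findings.append("reply-to-domain-mismatch")
            if reply_dom in FREEMAIL:
                findings.append("reply-to-freemail")
    return findings

# Constructed sample headers (not the real message from this campaign).
SPOOFED = """From: "help-cause.example" <accounts@broker.example>
Reply-To: fund@freemail.example
To: user@corp.example
Subject: Urgent appeal

Text-only body, no links or attachments.
"""
BENIGN = """From: "Alice Admin" <alice@corp.example>
Reply-To: alice@corp.example
To: user@corp.example
Subject: Minutes

See notes.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("benign", BENIGN)):
        print(name, header_findings(raw))
```

A differing reply-to domain also appears in legitimate mail such as mailing lists and help desks, so these findings work best as inputs to a score alongside content signals rather than as a standalone block rule.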

Preventing Fraudulent Donation Attacks with Behavioral AI

Threat actors will always capitalize on any opportunity to launch attacks that can exploit world events. And with generative AI tools making it easier than ever to create convincing, error-free malicious emails, enterprises can’t rely on legacy email security systems or their employees to consistently recognize these threats.

As such, the only way to prevent a successful attack is by investing in an AI-native cloud email security solution that ensures emails like these never reach end-user inboxes.

To see how Abnormal can help your organization block modern threats, reduce spend, and prevent emerging attacks, schedule a demo.
