Israel-Based Threat Group Launches Multi-Phase BEC Attacks Using an M&A Lure
For as long as business email compromise (BEC) schemes have existed, they have always been driven by a singular mission: to get away with as much money as possible. Cybercriminals used to be able to get their paydays through distributing generic phishing campaigns, but as organizations have strengthened their defense and improved security awareness among employees over time, criminals have adapted accordingly, becoming even more savvy in their attack techniques. Now, instead of generic phishing emails, we’re seeing the rise of highly sophisticated, socially-engineered BEC attacks that can slip by unnoticed—until it’s too late.
We recently discovered a threat group that has gone to extra lengths to do just that, and their profile is not one that you’d expect.
The Rise of Israel-Based BEC Campaigns
Dating back to February 2021, we identified more than 350 BEC campaigns that can be linked to Israel, a historically unlikely location for BEC activity.
The primary epicenter for BEC scams is typically linked to West Africa, specifically Nigeria. Many are familiar with notoriously popular “Nigerian prince” scams, and this isn’t a coincidence. Of all the attacks that Abnormal analyzed since the beginning of 2022, 74% originated in Nigeria, far ahead of the next most common countries associated with BEC attackers: the United Kingdom (5.8%), South Africa (5.7%) and the United States (3.6%). Meanwhile, countries in Asian and Middle Eastern regions, where Israel sits, are at the very bottom of the list, serving as the home base for 1.2% and 0.5% of BEC actors respectively. Israel is also a country that’s known for being a cybersecurity innovation powerhouse, which perhaps adds to the unexpectedness of a sophisticated threat group originating from this location.
Targets by country:
When it came to targeting their victims, this Israel-based group aimed high. They went after large and multinational enterprises with more than $10 billion in average annual revenue, casting a wide net. Across these targeted organizations, employees from 61 countries across six continents received emails.
But what really stood out about this group was the highly sophisticated, multi-phase method they used to execute their attack. Here is a look into how a typical attack flow would play out.
The Attack Scheme, Phase One: CEO Impersonation
The primary pretext used by this group is a merger and acquisition (M&A) transaction: the criminals impersonate the targeted employee’s CEO and ask for their help, in confidence, with the initial payment required for the merger. The criminals used several tactics to give their emails a sense of legitimacy, improving their ability to evade detection by the human eye or by traditional email security solutions:
They targeted senior leaders, who could reasonably be involved in a financial transaction such as the one the criminals used as their pretext.
They spoofed CEO email addresses using the organization’s real domain. If the target organization had a DMARC policy in place that blocked the spoofed address, the group fell back to setting the sending display name so that the email still appeared to come from the CEO.
They translated emails into the language that their target organization would ordinarily use. Translations included English, Spanish, French, Italian, and Japanese.
Examples of an initial email that spoofs the impersonated CEO’s address, and an initial email that uses an extended spoofed display name:
(Note: Names and email addresses have been changed.)
Examples of initial email correspondence in Spanish, French, Italian, and Japanese:
The Attack Scheme, Phase Two: Attorney Impersonation
After the targeted employee responds to the initial email, the attack moves to the next stage: a handoff to a second external persona, typically a spoofed M&A attorney, whose job it is to facilitate the payment.
The employee is introduced to an “attorney” and asked by the “CEO” to coordinate on bank account details and on sending the initial payment. The attorney’s email address is usually hosted either on a lookalike domain mimicking the law firm’s legitimate domain, or a free mail.com domain like consultant.com or accountant.com. While the impersonated attorneys come from a number of different law firms, the threat group seems to prefer impersonating solicitors at KPMG, which carries a perception of reputability.
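The sender-identity tactics described in Phase One (display-name impersonation, spoofed real domains failing authentication) and Phase Two (attorney personas on lookalike or free mail.com domains) can all be checked from message headers. The following is an added example for defenders, not code from the report or from Abnormal; the protected domain, CEO name, law-firm domain and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                 # assumed protected domain (constructed)
EXEC_NAMES = {"jane doe"}                       # assumed CEO display name (constructed)
FREE_MAIL_DOMAINS = {"consultant.com", "accountant.com"}  # free mail.com domains named in the post
LAW_FIRM_DOMAINS = {"kpmg.com"}                 # assumed legitimate domain of the impersonated firm

def is_lookalike(domain: str, legit: str) -> bool:
    # Flags domains that reuse the legitimate brand label but are not the legitimate domain
    if domain == legit:
        return False
    return legit.split(".")[0] in domain.split(".")[0]

def score_message(raw: str) -> list:
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    name, domain = name.lower(), addr.rsplit("@", 1)[-1].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    # Phase one: CEO display name on an address outside the organisation
    if any(exec_name in name for exec_name in EXEC_NAMES) and domain != ORG_DOMAIN:
        findings.append("exec display name from external address")
    # Phase one: extended display name that embeds the CEO's real address
    if "@" + ORG_DOMAIN in name:
        findings.append("org address embedded in display name")
    # Phase one: From is the real domain but SPF/DMARC failed (spoofed header)
    if domain == ORG_DOMAIN and ("dmarc=fail" in auth or "spf=fail" in auth):
        findings.append("org domain failing authentication")
    # Phase two: attorney persona on a free mail.com domain or a lookalike domain
    if domain in FREE_MAIL_DOMAINS:
        findings.append("free mail.com domain")
    findings += [f"lookalike of {legit}" for legit in LAW_FIRM_DOMAINS if is_lookalike(domain, legit)]
    return findings

# Constructed sample messages, not real headers from the campaign
SPOOFED_CEO = ("From: Jane Doe <jane.doe@example-corp.com>\n"
               "Authentication-Results: mx.example-corp.com; spf=fail; dmarc=fail\n"
               "Subject: Confidential\n\nCan you help with an acquisition payment?\n")
DISPLAY_NAME = ('From: "Jane Doe jane.doe@example-corp.com" <ceo.desk@consultant.com>\n'
                "Authentication-Results: mx.example-corp.com; spf=pass; dmarc=pass\n"
                "Subject: Confidential\n\nPlease keep this between us.\n")
ATTORNEY = ("From: John Smith <john.smith@kpmg-legal.com>\n"
            "Authentication-Results: mx.example-corp.com; spf=pass; dmarc=pass\n"
            "Subject: Re: Confidential\n\nHere are the wire instructions.\n")

if __name__ == "__main__":
    for sample in (SPOOFED_CEO, DISPLAY_NAME, ATTORNEY):
        print(score_message(sample))
```

The checks are deliberately header-only so they can run in a mail gateway or SIEM rule before any content analysis; they are a starting point for the rule set, not a replacement for it.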
Examples of follow-up emails introducing a KPMG attorney, written in English and Spanish:
While the average amount requested in payment fraud attacks is around $65,000, this group requests an average of $712,000, more than ten times that figure, which the victim unknowingly sends to a mule account operated by the criminals. Because the main theme of these attacks is the acquisition of a company, the transfer of such a large sum is unlikely to raise any red flags.
In some campaigns, once the attack has reached this second stage, the group asks to transition the conversation from email to a voice call via WhatsApp, both to expedite the attack and to minimize the trail of evidence.
Example of an email requesting to switch to WhatsApp:
Mitigating Sophisticated Attacks Requires Sophisticated Solutions
Our research into this Israel-based threat group puts a spotlight on the continuing rise of BEC attacks. In addition to increasing in prevalence geographically, these attacks are also becoming more sophisticated, as seen in the execution of multi-phase attacks like this one. Furthermore, the amount of money requested is becoming significantly higher than we've seen historically, causing often irreparable financial devastation to victims.
To prevent these attacks, enterprises will need an intelligent cloud email security solution that can precisely detect and block attacks before they reach email inboxes.
The Abnormal platform uses behavioral AI to baseline known-good behavior across employees, vendors, applications, and tenants in the email environment. By understanding what is normal, Abnormal can then detect anomalies and remediate malicious emails in seconds, before employees ever have an opportunity to engage with them. This risk-adaptive approach enables Abnormal to prevent emails sent from attackers like this Israel-based group and others, so organizations can stay safe from evolving email attacks.
To learn more about this Israel-based threat group, download the full report here.
To discover how Abnormal helps protect organizations from sophisticated, multi-phase BEC attacks and other emerging threats, schedule a demo today.