A business email compromise (BEC) campaign has been traced to a threat group in Israel, an unlikely origin for a cyberattack of any kind, Abnormal Security said in a new report.
Abnormal is an email security specialist that uses behavioral artificial intelligence (AI) to baseline known-good behavior across employees, vendors, applications and tenants to detect malware anomalies. It has analyzed some 350 BEC attacks attributed to the threat group since February 2021.
How BEC Campaigns Trick Employees
In the BEC campaigns sent from Israel, an employee is tricked into providing money for the initial payment in an acquisition of another company. The sender impersonates the company’s chief executive before handing the conversation off to an external person pretending to be a mergers and acquisitions attorney.
Mike Britton, chief information security officer at Abnormal, explained how the BEC attacks in this case are basically the same as in others:
“Ultimately, the motivation here is no different from any other BEC attack: to make money as quickly and as easily as possible. What is interesting is that these attackers are based in Israel, which is not a country historically connected to cybercrime, and which has traditionally been a location where cybersecurity innovation is prevalent.”
Large Enterprises Primary Targets
Key findings from the report include:
- Targets are primarily large and multinational enterprises with more than $10 billion in average annual revenue. Across these targeted organizations, employees from 61 countries across six continents received emails.
- The average amount requested in an attack by this group is $712,000, more than ten times the amount requested in the average BEC attack.
- Most emails from this threat group are written in English, but they are also translated into Spanish, French, Italian and Japanese.
- The frequency of campaigns follows a cyclical pattern, with 80% of attacks occurring during three periods of the year: March, June-July, and October-December.
Most BEC attacks have historically originated in West Africa, with 74% of all attacks analyzed by Abnormal over the past year based in Nigeria. There are no indications that the threat group examined in this report has any direct Nigerian ties, Abnormal said.