New Threat Research Finds Emerging Israeli-Based Threat Group Executing M&A Themed BEC Attacks

Abnormal Security has revealed BEC (business email compromise) attacks linked to a threat group based in Israel, a historically unlikely location for BEC threat actors. The finding is based on research into over 350 BEC campaigns from these attackers dating back to February 2021.

Key findings of the report include:

  • Targets are primarily large and multinational enterprises with average annual revenue of over $10B. Employees from 61 countries across six continents have received emails from these attackers.
  • The average amount requested in an attack is $712K, over ten times the average for BEC attacks.
  • Most emails from this threat group are written in English, but the group has also sent emails translated into Spanish, French, Italian, and Japanese.
  • The frequency of campaigns follows a cyclical pattern, with 80% of attacks occurring during three periods: March, June-July, and October-December.

This Israeli-based group stands out from most BEC threat actors, who are typically based in West Africa; 74% of all attacks analyzed in the past year originated from Nigeria. There are no indications that this group has any direct ties to Nigeria, making it a significant outlier in the BEC threat landscape.

The report also outlines the two-phase attack strategy employed by the Israel-based group, which uses both an internal and an external persona. The primary pretext is that the target organization is working through the confidential acquisition of another company, and the targeted employee is asked to help with the initial payment required for the merger.

To add some more detail on this, I have the following Q&A from Mike Britton, CISO at Abnormal Security:

Why is Israel a historically unlikely location for BEC threat actors?

Historically, West Africa and Nigeria have been the epicenters of BEC scams. Many are familiar with “Nigerian prince” scams, and this isn’t a coincidence. 74% of the attacks that Abnormal analyzed since the beginning of 2022 originated in Nigeria. Next is the United Kingdom, where 5.8% of BEC actors are based, followed by South Africa (5.7%) and the United States (3.6%).

Comparatively, countries in Asian and Middle Eastern regions, where Israel sits, are at the bottom of the list, serving as the home base for 1.2% and 0.5% of BEC actors, respectively. 

Israel is also a country that’s known for being a cybersecurity powerhouse and driver of innovation, which perhaps adds to the unexpectedness of a sophisticated threat group originating from this location. 

Why is a group in Israel using this method of attack?

All sophisticated cybercriminals, including this Israel-based group and many others, operate against the same mission: to get as much money as possible successfully. 

Cybercriminals used to be able to get their paydays through distributing generic phishing campaigns, but as organizations have strengthened their defenses and improved security awareness among employees, criminals have adapted accordingly, becoming even savvier in their attack techniques. Instead of generic phishing emails, we’re seeing the rise of highly sophisticated, socially engineered BEC attacks that can evade detection at many organizations. 

The Israel-based group’s attack method is an excellent example of this. They implemented several tactics to give their emails a sense of legitimacy, improving their ability to evade detection by the human eye or by traditional email security solutions:

  • They targeted senior leaders who could reasonably be involved in a financial transaction such as the one the criminals used as their pretext.
  • They conducted the attack using two personas – the CEO of the targeted organization and an external attorney. 
  • They spoofed email addresses using real domains, and if the target organization had a DMARC policy that would prevent email spoofing, the group would update the sending display name to make it look like emails were coming from the CEO.
  • They translated emails into the language that their target organization would ordinarily use. 
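
The spoof-or-impersonate fallback described in the bullets above is something a defender can test for directly. The following is an added example, not code from Abnormal Security or from the report: it parses a DMARC TXT record (fetching the record from DNS is left to the caller; the records here are constructed strings) to tell whether the policy actually instructs receivers to reject or quarantine unauthenticated mail, and it flags the fallback tactic, an executive's name on an address outside the organization's own domains. It goes slightly beyond the text in two ways: a "p=none" policy or a "pct" below 100 is treated as not blocking spoofing, since both leave direct spoofing possible, and the executive's name is also looked for in the address local part, not only in the display name. The executive names, domains and headers are constructed for illustration.

```python
"""Added example, not code from the Abnormal Security report: check whether a
domain's DMARC policy really blocks direct spoofing, and flag the fallback the
article describes (an executive's name on an address outside the organization).
Every record, name and address here is constructed for illustration."""
import re
from email.utils import parseaddr
from typing import Dict, Iterable, Optional, Set


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record ('v=DMARC1; p=reject; rua=...') into a tag
    dict. Returns {} for anything that is not a DMARC record. Fetching the
    record from _dmarc.<domain> via DNS is left to the caller."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def dmarc_blocks_spoofing(record: str, subdomain: bool = False) -> bool:
    """True only when receivers are told to quarantine or reject every message
    that fails DMARC. 'p=none' is monitoring only and lets spoofed mail land;
    'pct' below 100 enforces on a sample; for subdomains 'sp' overrides 'p'."""
    tags = parse_dmarc(record)
    if not tags:
        return False
    policy = tags.get("p", "none").lower()
    if subdomain and "sp" in tags:
        policy = tags["sp"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False  # malformed pct: assume the policy is not enforcing
    return policy in ("quarantine", "reject") and pct == 100


def _letters(text: str) -> str:
    """Lower-case and keep only letters, so 'J. Doe', 'jane.doe' and
    'Jane Doe' compare on the same characters."""
    return re.sub(r"[^a-z]", "", text.lower())


def display_name_impersonation(
    from_header: str, executives: Iterable[str], org_domains: Set[str]
) -> Optional[str]:
    """Return the executive whose name appears in the From: display name or
    address local part while the address domain is outside org_domains,
    else None. Mail from the organization's own domains is left to
    SPF/DKIM/DMARC, which this check complements rather than replaces."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    local, domain = addr.rsplit("@", 1)
    if domain.lower() in org_domains:
        return None
    # A quoted display name like "Jane Doe <jane.doe@example.com>" in front of
    # the real address is caught here too, because the name text is scanned.
    haystack = _letters(name) + " " + _letters(local)
    for exec_name in executives:
        needle = _letters(exec_name)
        if needle and needle in haystack:
            return exec_name
    return None


if __name__ == "__main__":
    # Constructed sample data: the org's domain, its CEO, and a few headers.
    EXECS = ["Jane Doe"]
    ORG = {"example.com"}
    for rec in ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
                "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"):
        state = "blocks spoofing" if dmarc_blocks_spoofing(rec) else "spoofable"
        print(rec, "->", state)
    for hdr in ("Jane Doe <jane.doe.ceo@gmail.com>",
                '"Jane Doe <jane.doe@example.com>" <attacker@gmail.com>',
                "Jane Doe <jane.doe@example.com>"):
        print(hdr, "->", display_name_impersonation(hdr, EXECS, ORG))
```

In practice the DMARC check is run against the organization's own sending domains (the ones the attackers would try to spoof), and the display-name check is run on inbound mail; a hit on the second check is worth a rule of its own, because DMARC by design says nothing about what is in the display name.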

What does it say about cybercrime in Israel?

It’s not unexpected. When you have a country with such a high level of technical skill and innovation, you are bound to have some who choose not to apply that knowledge for good. Unfortunately, our research cannot definitively say the threat actors are Israeli – just that we have confidence they are operating out of Israel.

What makes this BEC attack highlighted in the report so concerning?

The report puts a spotlight on how BEC attacks are continuing to grow. Not only are they increasing in prevalence, including geographically, but they are also growing in sophistication, such as through multi-phase attacks, as we saw from this Israel-based group. Lastly, they are increasing in severity regarding the financial devastation they can inflict on their victims. As we saw in these attacks, the amount of money requested was significantly higher – in the $700,000 range – than we’ve seen historically.

How do you see BEC continuing to spread and evolve in 2023?

Email has always been (and will continue to be) a lucrative attack vector for cybercriminals. Because of this, we will likely see threat actors continue to evolve their tactics, test new approaches, and become even more targeted and sophisticated in their attempts to compromise email users. 

But we will also see the spread of BEC-like attacks across other communication and collaboration tools. Hundreds of millions of active users are now on tools like Slack, Zoom, and Microsoft Teams. These apps are becoming increasingly attractive targets for cybercriminals looking for other entry points into an organization.

How must IT security pros better prepare themselves to defend organizations from BEC?

Security awareness training for end users should continue to be an integral part of the security strategy. Employees must understand BEC risks and what they look like to stay diligent, but it’s important to remember that humans get distracted and are susceptible to mistakes. The best way to prevent them from becoming victims of an attack is to ensure that defenses are in place to prevent malicious attacks from landing in inboxes in the first place. New solutions that use behavioral AI to baseline normal behavior across the email environment can detect and block anomalies with greater precision, better preventing sophisticated BEC attacks from ever reaching users. 

To account for emerging threats across collaboration apps, consolidating visibility across all communications tools will significantly improve security teams’ ability to detect suspicious and malicious activity—no matter where attacks originate. 

You can read the research here.
