An Israel-based threat group was discovered carrying out a business email compromise (BEC) campaign primarily targeting large and multinational enterprises with an average annual revenue of over $10 billion.
According to researchers at Abnormal Security who discovered the attacks, the group has conducted 350 BEC campaigns since February 2021, with email attacks targeting employees from 61 countries across six continents.
The attackers pose as the CEO of the employee being targeted. They then pass on the communication to a second external persona, usually a mergers and acquisitions attorney, whose responsibility is to oversee the payment process.
In some instances, once the attack progresses to this second stage, the attackers request the conversation shift from email to a voice call on WhatsApp to accelerate the attack — and to reduce the possibility of leaving behind an evidence trail.
No Longer Just Nigeria
Historically, West Africa — and Nigeria in particular — has been the epicenter for BEC scams. Of all the attacks that Abnormal analyzed since the beginning of 2022, 74% originated in Nigeria. The next most common country associated with BEC attackers is the United Kingdom, where 5.8% of BEC actors are based, followed by South Africa (5.7%) and the United States (3.6%).
By comparison, Asia and the Middle East, the region where Israel sits, are at the very bottom of the list, serving as the home base for 1.2% and 0.5% of BEC actors, respectively.
"Unfortunately, our research cannot definitively say the threat actors are Israeli — just that we have confidence they are operating out of Israel," says Mike Britton, CISO at Abnormal Security.
Cybercriminals used to be able to get their paydays through distributing generic phishing campaigns, but as organizations have strengthened their defenses and improved security awareness among employees, criminals have adapted accordingly, becoming even more savvy in their attack techniques.
"Now, instead of generic phishing emails, we're seeing the rise of highly sophisticated, socially engineered BEC attacks that can evade detection at many organizations," Britton says. "The Israel-based group's attack method is a good example of this."
The group used several tactics to lend its emails legitimacy and to evade detection by both recipients and traditional email security solutions. One was targeting senior leaders, who could plausibly be involved in a financial transaction like the one the criminals used as their pretext.
In addition to their use of two personas — a CEO and an external attorney — they spoofed email addresses using real domains.
If the target organization had a DMARC policy in place that blocked spoofing of its domain, the group instead set the sender display name to the CEO's name so the emails still appeared to come from the CEO.
The group also translated emails into the language mainly used by the targeted organization.
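The DMARC fallback described above (spoof the exact domain where it is unprotected, otherwise reuse the executive's name in the display field and steer replies to an outside "attorney") is what a mail-flow rule or SOC triage script should check for. The following Python is an added example, not code from Abnormal Security or from this article; it assumes a hypothetical organization domain example.com, a constructed executive directory, and three constructed messages, and it reads the dmarc= verdict from an Authentication-Results header as an inbound gateway would have written it.

```python
import email
import re
from email.utils import getaddresses, parseaddr

# Assumed values for the example: the protected organization and the
# executives whose names BEC actors are most likely to borrow.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # normalized name -> real mailbox


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and collapse whitespace so 'J. Doe'-style
    variants still match the directory entry."""
    cleaned = re.sub(r"[^a-z ]", "", name.lower())
    return " ".join(cleaned.split())


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw_message: str) -> list:
    """Return a list of finding tags for one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. Display-name impersonation: an executive's name on a From address
    #    that is not that executive's mailbox (the DMARC-blocked fallback).
    exec_mailbox = EXECUTIVES.get(normalize_name(display))
    if exec_mailbox:
        if sender_domain != ORG_DOMAIN:
            findings.append("exec-display-name-external-sender")
        elif addr.lower() != exec_mailbox:
            findings.append("exec-display-name-wrong-mailbox")

    # 2. Reply-To pointing at a different domain than From, which is how the
    #    conversation gets handed to the second "attorney" persona.
    reply_to = [a for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if any(domain_of(a) != sender_domain for a in reply_to):
        findings.append("reply-to-domain-mismatch")

    # 3. Exact-domain spoofing: a From address on our own domain must carry a
    #    dmarc=pass verdict from the gateway, otherwise it was not sent by us.
    auth = msg.get("Authentication-Results", "")
    verdict = re.search(r"dmarc=(\w+)", auth)
    if sender_domain == ORG_DOMAIN and (verdict is None or verdict.group(1) != "pass"):
        findings.append("internal-domain-without-dmarc-pass")

    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "lookalike_external": (
        'From: "Jane Doe" <jane.doe@lookalike-mail.test>\n'
        "To: cfo@example.com\n"
        "Subject: Confidential acquisition\n\n"
        "Please handle this personally.\n"
    ),
    "spoofed_internal": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "Reply-To: counsel@law-firm.test\n"
        "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n"
        "To: cfo@example.com\n"
        "Subject: Wire instructions\n\n"
        "Our attorney will send the details.\n"
    ),
    "legitimate": (
        'From: "Jane Doe" <jane.doe@example.com>\n'
        "Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass\n"
        "To: cfo@example.com\n"
        "Subject: Board deck\n\n"
        "Attached.\n"
    ),
}


def scan_all() -> dict:
    """Run every constructed sample through analyze() and collect the tags."""
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, tags in scan_all().items():
        print(f"{name}: {tags or 'clean'}")
```

The three checks are deliberately independent, so a message that passes DMARC but carries an executive's name on an outside mailbox is still flagged, and a message on the organization's own domain that lacks a dmarc=pass verdict is flagged even when the display name and mailbox match the directory.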
The report puts a spotlight on how BEC attacks continue to grow in prevalence, geographic spread, and sophistication, for example through multi-phase attacks like the one uncovered by Abnormal Security.
BEC attacks are also wreaking more severe financial devastation on their victims.
"As we saw in these attacks, the amount of money requested was significantly higher, in the range of $700,000, than we've seen historically," he says.
And email has always been (and will continue to be) a lucrative attack vector for cybercriminals, he notes. He also predicts the spread of BEC-like attacks across other communication and collaboration tools.
"There are now hundreds of millions of active users across tools like Slack, Zoom, and Microsoft Teams," he says. "These apps are becoming increasingly attractive targets for cybercriminals looking for other entry points into an organization."
Security Training Against BEC
Britton says that security awareness training for end users should remain an integral part of the security strategy.
"Employees must understand BEC risks and what they look like to stay diligent, but it's important to remember that humans get distracted and are susceptible to mistakes," he says.
The best defense is to keep malicious emails from landing in inboxes in the first place.
Newer solutions that use behavioral AI to establish a baseline of normal activity across the email environment can detect and block anomalies with greater precision, which makes them better at stopping sophisticated BEC attacks before they ever reach users.
"To account for emerging threats across collaboration apps, consolidating visibility across all communications tools will significantly improve security teams' ability to detect suspicious and malicious activity — no matter where attacks originate," Britton says.