Israel BEC group is so good at robbing big firms it only needs to work part time


A business email compromise (BEC) group has been spotted operating out of Israel. It crafts fake messages in multiple languages and impersonates real company bosses to hoodwink target companies out of more than ten times the average amount taken in payment fraud attacks.

The group has been under observation by Abnormal, a cybersecurity firm that uses artificial intelligence to help it investigate suspected threat actors, since February 2021. During that time it has carried out 350 campaigns targeting more than 100 large companies with an average yearly revenue of $10 billion.

“All of the attacks by this group follow a similar, but effective, formula,” said Abnormal. “The primary pretext in their attacks is that the targeted employee’s organization is working through the confidential acquisition of another company and the employee is being asked to help with an initial payment required for the merger.”

It added: “The attacks consist of two stages, each employing a different persona. One is internal, typically the CEO, and the other is external, generally an attorney focused on mergers and acquisitions.”

Not your average BEC gang

Abnormal claims that this group, which has targeted organizations in more than 60 countries all over the world, differs from the usual type in several ways.

First is its provenance. While an overwhelming proportion of BEC groups operate out of Nigeria, Abnormal says it tracks the location of this one to Israel.

Second is its choice of employee targets. Usually BEC groups go after finance department workers or accountants, hoping to trick them into authorizing transactions to dummy accounts controlled by the criminals. But in this case, the gang is targeting heads of department and other senior leaders who might report directly to the CEO.

Abnormal believes this serves two purposes. First, it lets the group ask for much larger transfers, with an average sting by the group costing the victim $712,000 as opposed to the going average of $65,000. Second, by targeting high-authority figures who may not be used to processing transactions, the gang may be finding it easier to pull off the con.

“In most other BEC attacks focused on payment fraud, the targeted employees are specialists on the finance or accounting team,” said Abnormal. “However, a vast majority of the employees targeted by this group are company executives or senior leaders that may not necessarily work with payments on a daily basis.”

Abnormal says this approach makes sense from a cybercriminal’s perspective for a number of reasons.

“Members of the executive team are likely to send and receive legitimate communications with the CEO on a regular basis, which means an email from the head of the organization may not seem abnormal,” it said.

“Based on the stated importance of the supposed acquisition project, it’s reasonable for a senior leader at the company to be entrusted to help. And because of their seniority within the organization, there is presumably less red tape that would need to be cut through in order for them to authorize a large financial transaction.”

Sworn to secrecy

Another key social engineering tactic employed by the Israeli gang is confidentiality, convincing the victim that they are being entrusted to help out in a major acquisition of a bogus corporate entity somewhere in Asia.

This discourages the victim from reaching out to others within their organization who might then expose the scam for what it is, while also playing to a decision-maker’s ego. Such emotive tricks are meat and drink to the social engineer, who seeks to manipulate victims into making irrational decisions.

To further enhance the illusion, real-life third parties are named by the con artists as acting in a legal capacity to facilitate the phony takeover, with KPMG the preferred choice of entity to spoof in this case.

Email addresses are well mimicked too. Even if the target company has published a DMARC policy that prevents direct spoofing of its own domain, the gang has a workaround: it sends from an address it controls and puts the impersonated CEO's real email address into the display name, so the lie sits in the part of the header that DMARC never checks.

“If an organization has established a DMARC policy that prevents bad actors from directly spoofing email addresses on their domain, the group updates the sending display name to include the CEO’s email address in the display name,” said Abnormal.

“Because many email clients only show the sender’s display name by default, the use of an extended spoofed display name still has the intended effect of making it appear that a message is sent from the real email address of the impersonated CEO.”
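The check a mail gateway or SOC rule would want for this trick is simple: parse the From: header, look for anything shaped like an email address inside the display name, and compare it with the address the mail actually came from. SPF, DKIM and DMARC only evaluate the real sending domain, which is the attacker's own and can pass alignment, so the mismatch has to be found in the human-readable text. The following is an added example written for this page, not code from Abnormal or from the group described; the organisation domain, executive address and sample headers are constructed placeholders.

```python
"""Detect 'extended display name' spoofing in From: headers.

Added example for this article; not code from Abnormal or from the group
it describes. The organisation domain, executive address and the sample
headers below are all constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed placeholders: the defending organisation and its real CEO address.
INTERNAL_DOMAIN = "example.com"
EXECUTIVE_ADDRESSES = {"ceo@example.com"}

# Loose addr-spec pattern for finding addresses embedded in free text.
ADDR_IN_TEXT = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")


def analyse_from(header_value):
    """Classify a raw From: header value.

    Returns one of:
      "ok"                 no address in the display name, or it matches the sender
      "display_spoof"      the display name embeds an address from a different
                           domain than the one the mail really came from
      "exec_impersonation" the embedded address belongs to a known executive

    DMARC cannot catch the last two: the From: domain is the attacker's own
    and can pass SPF/DKIM alignment, so the lie lives only in the display name.
    An unparseable header comes back from parseaddr as ('', '') and is
    reported as "ok" here; a stricter deployment might quarantine it instead.
    """
    display_name, real_addr = parseaddr(header_value)
    real_addr = real_addr.lower()
    real_domain = real_addr.rpartition("@")[2]

    embedded = {m.lower() for m in ADDR_IN_TEXT.findall(display_name)}
    if not embedded:
        return "ok"

    for shown in embedded:
        if shown == real_addr:
            continue  # legitimate "Name addr" style display name
        if shown in EXECUTIVE_ADDRESSES:
            return "exec_impersonation"
        if shown.rpartition("@")[2] != real_domain:
            return "display_spoof"
    return "ok"


# Constructed sample headers (placeholder domains). The second one is the
# pattern described above: the CEO's address shown, a free-mail sender hidden.
SAMPLE_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe <ceo@example.com>" <jd.9981@freemail.example>',
    '"Acme Legal legal@acme-law.example" <noreply@mailer.example>',
    '"Pat Lee pat.lee@example.com" <pat.lee@example.com>',
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{analyse_from(h):<20} {h}")
```

The rule deliberately keys on the address shown to the user rather than on keywords, so it also fires when the embedded address belongs to an outside party such as the spoofed advisory firm, not only when it names an internal executive. Clients that hide the real address by default are exactly the ones where this check earns its keep.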

Criminal tower of Babel

This BEC gang appears happy to have a go at scamming in other languages apart from English, including French, Spanish, Italian, and even Japanese — although Abnormal stresses that its capabilities in foreign tongues are more limited.

“All of the non-English attacks have used short templates, which is a departure from many of the long and detailed English-based attacks typically sent by the group. This likely indicates they don’t have access to native non-English speakers, nor do they leverage advanced translation services.”

Nevertheless, the Israel-based group appears to be enjoying a certain amount of success with this approach, which allows it to impersonate a wider range of corporations. To date, the gang has targeted victims across the healthcare, financial, tech, and other industries in North and South America, Europe, Asia, Africa, and Oceania.

“BEC attacks are often translated into other languages to fit in with the communications an employee usually receives,” said Abnormal. “If an employee who typically conducts business in Japanese receives an email from what appears to be their CEO in English, it will likely raise some red flags. But if that email is written in Japanese, it is more likely to blend in with other communications and thus increase the attacker's chance of success.”

Abnormal shared with Cybernews email texts used by the gang it scrutinized earlier in 2023, and as far as composition goes they certainly appear to be more sophisticated than many social engineering or phishing messages.

We spotted one or two typos and small grammatical errors, but nothing that couldn’t have plausibly been sent in a hurry by a real executive under pressure to close an important deal.

Bad actors good at what they do

In fact, these con artists appear to be so good at what they do that they only need to ‘work’ part-time — Abnormal said that 80% of the BEC attacks it traced to the group occurred within three set periods every year.

“This threat group is focused on the same thing as all other BEC actors: making money as quickly and easily as possible,” said Abnormal. “The Israel-based group is also unique in that they use executive impersonation to request huge sums of money, a far cry from the $100 gift card requests that comprised the CEO fraud of the past.

“Even one successful attack each year means they’re making more than most people do in a decade — particularly when you consider that all of this money is tax-free,” it added. “Just one successful attack each month means that these threat actors could be set for life, which is perhaps why they appear to only work a few months each year.”