In this financial services scam, an attacker spoofs the legitimate domain “libratama[.]com” and sends the target an email offering various types of loans. The email includes a WhatsApp phone number and a Gmail address, which the target can purportedly use to contact the loan provider for more information and a “quick response.” The attacker was deliberate in both the timing of the email (early December) and the subject line (“Christmas Loan”), since the holidays often bring an increase in expenses and a quick loan would be attractive to many. The attacker was equally calculated in targeting students, who often struggle financially in general, and any students carrying school loans may be in particularly dire straits toward the end of the year. The invitation to contact the loan servicer via WhatsApp also points to students as the primary target, since the demographics of WhatsApp users tend to skew younger.

Legacy email security tools struggle to identify this email as an attack because it passes the SPF check (despite failing DKIM), is text-based, and lacks attachments or links, the elements such tools most often key on. Modern, AI-powered email security solutions detect the DKIM failure, analyze the content, and flag the unknown sender, which together allow this email to be accurately marked as an attack.


How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • DKIM Failure: The DKIM status of the email is marked as a failure. However, some legacy security tools do not factor DKIM status into their filtering decision, allowing such emails to pass their checks.
  • Lack of Attachments: The email contains no attachments, which are often the focus of legacy security tools when searching for malicious content. With nothing to scan, the email passes these checks.
  • Lack of Links in the Body: The email contains no links in the body, which legacy security tools often rely on to detect phishing attempts. With no URLs to inspect, the email passes these checks as well.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • DKIM Failure: Abnormal detects that the DKIM status of the email was marked as a failure. This is a strong indicator that the email may be spoofed.
  • Content Analysis: Abnormal analyzes the content of the email. The message is a loan offer, a common theme in scam emails.
  • Unknown Sender Email: The sending address is one this recipient has never received mail from in the past. Abnormal uses this as a signal that the email is potentially malicious.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
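The two lists above, the signals a payload-only filter misses and the signals a behavior-aware system combines, can be made concrete. The following is an added example, not Abnormal's code or a description of its detection logic: it parses a constructed message modelled on the one described here (the WhatsApp number and Gmail address are placeholders), reads the SPF/DKIM verdicts from the Authentication-Results header, checks for a Reply-To domain that differs from the From domain, looks for links, attachments, an unknown sender and loan-scam wording, and then shows why a link/attachment-only verdict delivers the mail while a combined verdict holds it. The threshold of three signals and the phrase list are assumptions made for the example.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample modelled on the message described above; the contact
# details are placeholders, not the attacker's real number or mailbox.
SAMPLE_EMAIL = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=libratama.com; dkim=fail header.d=libratama.com
From: "Libratama Loans" <loans@libratama.com>
Reply-To: libratama.quickloans@gmail.com
To: student@university.example
Subject: Christmas Loan
Content-Type: text/plain; charset="utf-8"

Dear Student,

We offer personal, education and emergency loans at low rates this Christmas.
For a quick response contact us on WhatsApp +00 000 000 0000
or email libratama.quickloans@gmail.com.
"""

# Assumed wording list for the example; a real system would learn this.
SCAM_PHRASES = ("loan", "quick response", "whatsapp", "low rate")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)


def auth_results(msg: Message) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts out of Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE):
            verdicts[method.lower()] = result.lower()
    return verdicts


def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased ('' if the header is absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts (a single-part message is its own part)."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_attachment(msg: Message) -> bool:
    return any(part.get_filename() for part in msg.walk())


def score_message(raw: str, known_senders: set) -> dict:
    """Return the individual signals, a link/attachment-only verdict and a combined verdict."""
    msg = message_from_string(raw)
    auth = auth_results(msg)
    body = body_text(msg).lower()
    sender = parseaddr(msg["From"] or "")[1].lower()
    from_domain, reply_domain = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    has_link, attached = bool(URL_RE.search(body)), has_attachment(msg)

    signals = {
        "spf_pass_dkim_fail": auth.get("spf") == "pass" and auth.get("dkim") == "fail",
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "unknown_sender": sender not in known_senders,
        "no_links_or_attachments": not has_link and not attached,
        "loan_scam_language": sum(p in body for p in SCAM_PHRASES) >= 2,
    }
    # A filter keyed only on payload and SPF has nothing to act on here.
    legacy_verdict = "quarantine" if (has_link or attached or auth.get("spf") != "pass") else "deliver"
    # Combining header and content signals does: three or more hits and the mail is held.
    verdict = "quarantine" if sum(signals.values()) >= 3 else "deliver"
    return {"signals": signals, "legacy_verdict": legacy_verdict, "verdict": verdict}


if __name__ == "__main__":
    result = score_message(SAMPLE_EMAIL, known_senders=set())
    for name, hit in result["signals"].items():
        print(f"{name:26} {'HIT' if hit else '-'}")
    print("link/attachment filter:", result["legacy_verdict"])
    print("combined verdict:      ", result["verdict"])
```

Run against the sample, every signal fires, the link/attachment filter returns "deliver" and the combined check returns "quarantine". Adding the From address to known_senders clears only the unknown-sender signal; the DKIM failure, the Gmail Reply-To and the text-only loan pitch are still enough to hold the message, which is the point the lists above make.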

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Financial Services Scam
Vector: Text-based
Goal: Payment Fraud; Credential Theft
Tactic: Spoofed Email Address; Spoofed Display Name; Mismatched Reply-To Address
Theme: Financial Services
Impersonated Party: External Party - Vendor/Supplier
