Attackers Pose as American Financial Group and Send Malware Disguised as Password-Protected Zip File
In this malware attack, cybercriminals impersonate American Financial Group, a reputable financial services company, and send a fraudulent document notification to their target. Using the spoofed email address "info@o3[.]gr", the attacker informs the recipient that requested documents, including an invoice and an insurance certificate, are attached in a password-protected ZIP file. The email includes a personal password purportedly to access the documents, giving it the appearance of legitimacy. However, the ZIP file actually contains malware designed to infect the recipient's system. The email exploits the trusted name of American Financial Group and the perceived security of password protection to manipulate the recipient into opening the malicious attachment without scrutinizing the email.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed email address, utilizes a password-protected attachment, and lacks obvious malicious links. Modern, AI-powered email security solutions recognize that the sender is unknown to the recipient, detect the suspicious nature of the attachment, and recognize the mismatch between the sender name and domain to correctly flag this email as an attack.
Threat actor impersonates AFG and uses a password-protected attachment in this malware attack
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate email address "info@o3[.]gr", bypassing basic email verification checks and adding perceived authenticity.
- Password-Protected Attachment: The use of a password-protected ZIP file can bypass antivirus and anti-malware scanning, as the content within the ZIP file is not immediately accessible.
- Absence of Malicious Links: By not including suspicious links in the email body, the email avoids detection by link-scanning mechanisms used by legacy security tools.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
- Suspicious Attachment Analysis: The presence of a password-protected ZIP file triggers Abnormal’s systems to scrutinize and flag the email for potentially malicious content, as this is a known tactic used to bypass traditional security measures.
- Sender Name and Domain Mismatch: The sender name (AFG Partners) does not match the domain "o3[.]gr", raising further suspicion during Abnormal’s analysis.
By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution has the ability to prevent this attack from reaching inboxes.
Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.