Attackers Pose as Social Security Administration and Use Fake Benefits Update to Deploy Malware
In this malware attack, cybercriminals impersonate the Social Security Administration (SSA) using a spoofed email address to deceive recipients with a fraudulent notification. The email, which contains mimicked SSA branding, falsely claims that the recipient’s 2025 benefits have been updated and instructs them to click on a provided link to access their account to review the details. However, clicking the link triggers the automatic download of an executable file, which is likely malware. Once executed, the malware is designed to steal sensitive credentials or compromise the recipient’s system. By mimicking official SSA communications and referencing benefits updates, the attacker creates a sense of urgency and legitimacy, increasing the likelihood that recipients will click the embedded button and download the malicious payload.
Older, legacy email security tools struggle to accurately identify this email as an attack because it originates from a spoofed sender, does not include attachments, and contains legitimate links. Modern, AI-powered email security solutions flag that the sender is unknown to the recipient, detect links to suspicious domains, and recognize that the sender name does not match the sender domain to correctly identify the email as an attack.
Malicious email impersonating notification from Social Security Administration containing embedded link to malware
How Does This Attack Bypass Email Defenses?
This email attack bypasses traditional security solutions for multiple reasons, including the following:
- Spoofed Email Address: The attacker spoofs a legitimate-sounding email address, bypassing basic email verification checks and adding perceived authenticity.
- Lack of Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.
- Legitimate Links Included: The email includes links associated with recognizable domains, which can pass through basic link verification checks.
How Did Abnormal Detect This Attack?
This attack was detected using AI and ML by analyzing various factors, including the following:
- Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established sender-recipient interaction patterns.
- Suspicious Link Analysis: Abnormal's systems scrutinize the presence of links leading to suspicious domains, triggering deeper analysis for possible malicious intent.
- Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.