In this financial services scam, cybercriminals attempted to solicit fraudulent donations purportedly for children in Palestine. Crafted to appear as a plea for help, the email first lists the hardships that children in Palestine are experiencing—primarily access to clean water, adequate medical care, and the internet. The email then explains that an unidentified group is “launching a campaign to provide vital support” to the families impacted by the crisis. The perpetrator invites the target to contribute to the cause and provides wallet addresses for Bitcoin, Litecoin, and Ethereum to send donations. To create one final opportunity to manipulate the recipients, three links to recent news articles discussing the impact of the conflict on children in the region are included at the bottom of the email. The attacker took multiple steps to hide their actual email address, including using a spoofed email (erode@gwcindia[.]in), which is a valid address for Goodwill Wealth Management, an India-based stock brokerage, and changing the display name to “help-palestine[.]com”—a non-existent domain. The real address for the attackers, theconollyfoundation@gmail[.]com, is hidden in the reply-to field.

Older, legacy email security tools struggle to properly identify this email as an attack because it contains legitimate-looking links, contains no attachments, and uses social engineering techniques. Modern, AI-powered email security solutions flag the unknown sender, identify the use of cryptocurrency, and detect the reply-to mismatch to correctly mark this email as an attack.

Palestine Crypto Email

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Social Engineering: The email uses a compelling and emotional narrative about helping children in Palestine—a tactic that can manipulate the recipient's emotions and is often undetectable by legacy solutions.
  • Legitimate-Looking Links: The email includes links to reputable news sites like Al Jazeera, NBC News, and UNICEF. This can make the email appear more legitimate and less likely to be flagged by security tools that check for malicious links.
  • Lack of Attachments: The email does not contain any attachments. Because attachments are a common red flag for security tools, their absence helps the email pass those checks.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Unknown Sender: The email is from an unknown sender to whom the company has never sent emails in the past. Abnormal flags this as suspicious, as it's unusual for a company to receive emails from completely unknown senders.
  • Cryptocurrency Wallets: The email asks for donations to be made in cryptocurrency. Abnormal identifies the risks associated with cryptocurrency transactions, which are often used in scams.
  • Reply-To Email Mismatch: The reply-to email is different from the sender's email. Abnormal detects this as a sign of email spoofing.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.
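The three indicators listed above (unknown sender, cryptocurrency wallet addresses in the body, reply-to mismatch) plus the spoofed display name can all be checked from the raw message. The script below is an added illustration written for this page; it is not Abnormal Security's detection code and does not reflect how its models score mail. The From, display name and Reply-To values are the ones named in the write-up; the body text, the wallet addresses (chosen only to match each address format, no checksum validation is done), the benign comparison message and the list of previously contacted domains are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message modelled on the scam above. The From, display
# name and Reply-To values are the ones the write-up names; the body text
# and the wallet addresses are invented and only pattern-matching.
SAMPLE_SCAM = """\
From: help-palestine.com <erode@gwcindia.in>
Reply-To: theconollyfoundation@gmail.com
To: employee@example.com
Subject: Urgent appeal for the children
Content-Type: text/plain; charset=utf-8

We are launching a campaign to provide vital support to affected families.
You can contribute directly:
BTC: 1DemoBTCAddrFakeForTesting7aXkQ2zR9
LTC: LDemoLTCAddrFakeForTesting7aXkQ2zR
ETH: 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF
Background: https://www.aljazeera.com/ https://www.nbcnews.com/ https://www.unicef.org/
"""

# Constructed benign message from a domain the organisation already knows.
SAMPLE_BENIGN = """\
From: Accounts <billing@vendor.example>
To: employee@example.com
Subject: Invoice 1042
Content-Type: text/plain; charset=utf-8

Hi, below is the summary for March. Thanks!
"""

# Domains this organisation has previously sent mail to (constructed; a real
# deployment would derive this from outbound mail history).
KNOWN_DOMAINS = {"vendor.example", "partner.example"}

# Loose syntactic patterns for the three address formats the scam used.
CRYPTO_PATTERNS = {
    "bitcoin": re.compile(r"\b(?:bc1[a-z0-9]{25,59}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b"),
    "litecoin": re.compile(r"\b(?:ltc1[a-z0-9]{25,59}|[LM][a-km-zA-HJ-NP-Z1-9]{26,33})\b"),
    "ethereum": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
}
# A display name that itself looks like a domain name.
DOMAIN_IN_NAME = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b")


def body_text(msg):
    """Concatenate the decoded text/plain parts of a message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    chunks = []
    for part in parts:
        if part.get_content_type() == "text/plain":
            chunks.append(part.get_payload(decode=True).decode("utf-8", "replace"))
    return "\n".join(chunks)


def analyze(raw_message, known_domains=KNOWN_DOMAINS):
    """Return the list of suspicious signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    signals = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    # Signal 1: no prior relationship with the sending domain.
    if from_domain not in known_domains:
        signals.append(f"unknown sender domain: {from_domain}")

    # Signal 2: replies would go somewhere other than the visible sender.
    if reply_to and reply_to.lower() != from_addr.lower():
        signals.append(f"reply-to mismatch: From={from_addr} Reply-To={reply_to}")

    # Signal 3: display name impersonates a domain other than the sending one.
    name_domain = DOMAIN_IN_NAME.search(display_name.lower())
    if name_domain and name_domain.group(1) != from_domain:
        signals.append(f"display name looks like domain {name_domain.group(1)}, "
                       f"but mail is from {from_domain}")

    # Signal 4: cryptocurrency wallet addresses in the body.
    text = body_text(msg)
    for coin, pattern in CRYPTO_PATTERNS.items():
        for match in pattern.findall(text):
            signals.append(f"{coin} wallet address in body: {match}")

    return signals


def verdict(signals):
    """Treat two or more independent signals as an attack (threshold is illustrative)."""
    return "attack" if len(signals) >= 2 else "clean"


if __name__ == "__main__":
    for name, raw in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        found = analyze(raw)
        print(f"{name}: {verdict(found)}")
        for s in found:
            print("  -", s)
```

Run on the constructed scam message this reports six signals (unknown domain, reply-to mismatch, display-name domain mismatch, and one wallet address per currency) and the verdict "attack"; the benign message from a known domain produces no signals. The point of scoring several independent weak signals together is exactly the one the write-up makes: none of the links or the absence of attachments is malicious on its own, so a system that only scans links and attachments has nothing to fire on.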

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.

Analysis Overview

Type: Financial Services Scam
Vector: Text-based
Goal: Payment Fraud
Tactic: Spoofed Email Address, Spoofed Display Name
Theme: Cryptocurrency
Impersonated Party: External Party - Other
Language: Norwegian
