In this phishing attack, cybercriminals use a phishing link to impersonate Eventbrite and deceive recipients. The email, titled "[Action Required] Verify Account Info," claims that there is an issue with the recipient's Eventbrite account that prevents the authorization of ticket purchases for upcoming events. The email urges the recipient to verify their account information by clicking on a provided link. Though the link clearly does not lead to an Eventbrite domain, this is masked by the button, which simply says “Verify Account Info”. The threat actor uses a legitimate site to design and send on-brand marketing emails and create a fake login page similar to Eventbrite. This login page is designed to steal sensitive information. The email employs professional language, incorporates Eventbrite branding, and creates a sense of urgency to foster an impression of legitimacy. By leveraging the trusted name of Eventbrite and the urgency surrounding ticket purchases, the attacker manipulates the recipient into clicking the link without fully scrutinizing the email's authenticity.

Legacy email security tools struggle to accurately identify this email as an attack because it contains legitimate links, uses an unregistered sender domain, and lacks malicious attachments. Modern, AI-powered email security solutions analyze suspicious links, flag unusual content within the message, and recognize that the sender name does not match the sender domain to correctly identify the email as an attack.


Malicious email posing as Eventbrite to steal personal information from targets


Phishing link leads to this portal that has stolen Eventbrite’s branding.

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Legitimate Links: The email includes links that appear to be associated with known domains ("flodesk[.]com" and "fdske[.]com"), which can pass through link verification checks as they are not inherently malicious.
  • Unregistered Domain: The attacker uses an unregistered sender domain ("bills[.]ps"), which may not be blacklisted or flagged by basic email filters, adding perceived authenticity.
  • Absence of Malicious Attachments: By not including suspicious attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising suspicion during Abnormal’s analysis.
  • Suspicious Link Analysis: The presence of a link that leads to a suspicious domain is scrutinized by Abnormal’s systems, triggering deeper analysis for possible malicious intent.
  • Content Analysis: The email’s urgent message about verifying account information is flagged by Abnormal’s content analysis algorithms as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
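
The three indicators listed above can be approximated with simple heuristics. The following is an added example, not Abnormal's detection logic and not part of the original write-up; the brand-to-domain map, the urgency phrases, the indicator names and the `.example` domains in the sample email are all assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumptions: the brand's legitimate domains, and phrases for the urgency theme.
BRAND_DOMAINS = {"eventbrite": ("eventbrite.com",)}
URGENCY = ("action required", "verify account", "verify your account")

class LinkHosts(HTMLParser):  # collects the destination host of every <a href>
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        host = urlsplit(dict(attrs).get("href") or "").hostname
        if tag == "a" and host:
            self.hosts.append(host.lower())

def on_brand(host, brand):
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS[brand])

def indicators(raw):
    """Return the indicator names that fire for one single-part HTML email."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg["From"])
    sender_host = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = f'{msg["Subject"]} {body}'.lower()
    links = LinkHosts()
    links.feed(body)
    found = []
    for brand in BRAND_DOMAINS:
        if brand in name.lower() and not on_brand(sender_host, brand):
            found.append("sender_name_domain_mismatch")
        if brand in text and any(not on_brand(h, brand) for h in links.hosts):
            found.append("off_brand_link")
    if any(phrase in text for phrase in URGENCY):
        found.append("urgent_verification_theme")
    return found

# Constructed sample modelled on the email described above (placeholder domains).
SAMPLE = """\
From: Eventbrite <notice@sender.example>
Subject: [Action Required] Verify Account Info
Content-Type: text/html

<p>There is an issue with your Eventbrite account.</p>
<a href="https://links.example/verify">Verify Account Info</a>
"""
```

Calling `indicators(SAMPLE)` reports all three indicators. Each one is a scoring signal rather than a verdict, since legitimate brand mail can also link to third-party domains.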

Analysis Overview

  • Vector: Link-based
  • Goal: Credential Theft
  • Tactic: Masked Phishing Link, Branded Phishing Page
  • Theme: Account Verification
  • Impersonated Party: Brand
  • Impersonated Brands: Eventbrite
