In this credential vishing attack, the threat actor impersonates the Social Security Administration (SSA) and emails the target regarding fraudulent financial activity. The attacker uses a Gmail address to avoid basic security filters and sets the display name to include “SSA”, “GOV ADVISORY”, and a bogus case ID to hide the actual sending address. The email, which contains the SSA’s logo and uses official-sounding language to increase the appearance of legitimacy, claims the FTC has discovered numerous overseas wire transfers made to blacklisted account numbers. It urges the recipient to contact the Office of Inspector General (OIG) using the provided phone number to refute these accusations or request further information. However, should the target call the number, they will actually be connected to the threat actor, who will initiate the next stage of the attack, in which they will attempt to steal sensitive information and/or convince the target to download malicious software.

Legacy email security tools struggle to identify this email as an attack because it is sent from a reputable email hosting address and contains no malicious links or attachments. Modern, AI-powered email security solutions detect the mismatch between the domain and sender name, recognize that the sender is unknown to the recipient, and flag the suspicious urgency of the request to correctly identify the email as an attack.


Malicious email in which attackers impersonate the Social Security Administration to compel the recipient to call the provided number

How Does This Attack Bypass Email Defenses?

This email attack bypasses traditional security solutions for multiple reasons, including the following:

  • Reputable Email Provider: The attacker uses a free email hosting service, which is less likely to be blacklisted and can bypass basic email filters.
  • Absence of Malicious Links: By not including suspicious links, the email avoids detection by antivirus and anti-malware systems focused on traditional phishing indicators.
  • Absence of Malicious Attachments: By not including any attachments, the email avoids detection by antivirus and anti-malware systems focused on attachment-based threats.

How Did Abnormal Detect This Attack?

This attack was detected using AI and ML by analyzing various factors, including the following:

  • Sender Name and Domain Mismatch: The sender name does not match the sender domain, raising further suspicion during Abnormal’s analysis.
  • Unknown Sender Consideration: The email is recognized as coming from an unknown sender who has never communicated with the recipient. Abnormal’s platform maintains a communication history and quickly flags deviations from established patterns of sender-recipient interactions.
  • Content Analysis: Abnormal's algorithms flag the email's urgent message about potential fraudulent activity as a common phishing tactic.

By recognizing established normal behavior and detecting these abnormal indicators, a modern email security solution can prevent this attack from reaching inboxes.

Please note the exact detection mechanism from Abnormal Security's system might include proprietary techniques and methodologies not disclosed here.
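
The three indicators listed above, plus the phone-number-without-link pattern this email relies on, can be approximated with simple header and body heuristics. The following is an added example, not Abnormal's detection logic; the term lists, the webmail domain set, the `score_message` function, and the sample message are all assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed lists for illustration; tune them for your own mail flow.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
AGENCY_TERMS = re.compile(r"\b(ssa|social security|gov|oig|ftc)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(fraudulent|wire transfers?|blacklisted|immediately|suspended)\b", re.I)
PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
LINK = re.compile(r"https?://", re.I)

def score_message(raw, known_senders):
    """Return the indicators that fire for one plain-text RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Only single-part text bodies are inspected in this sketch.
    body = "" if msg.is_multipart() else msg.get_payload()
    hits = []
    # Display name claims an agency while the address is on free webmail.
    if AGENCY_TERMS.search(display) and domain in FREE_WEBMAIL:
        hits.append("name_domain_mismatch")
    # Sender has no prior communication history with the recipient.
    if addr.lower() not in known_senders:
        hits.append("unknown_sender")
    # Urgent fraud or legal language in the body.
    if URGENCY_TERMS.search(body):
        hits.append("urgent_content")
    # Callback lure: a phone number is present but no link is.
    if PHONE.search(body) and not LINK.search(body):
        hits.append("callback_number_no_link")
    return hits

# Constructed sample modeled on the email described on this page.
SAMPLE = """From: "SSA GOV ADVISORY Case ID 000000" <sender@gmail.com>
To: user@example.com
Subject: Notice

The FTC has discovered numerous overseas wire transfers made to blacklisted
account numbers. Contact the Office of Inspector General at (555) 010-0199.
"""

if __name__ == "__main__":
    print(score_message(SAMPLE, known_senders=set()))
```

Because this attack's tactics include content obfuscation via image, the two body checks only fire when the lure text is available as text (for example, after OCR); the header checks do not depend on the body.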

Analysis Overview

  • Type: Credential Vishing
  • Vector: Text-based
  • Goal: Credential Theft
  • Tactic: Content Obfuscation via Image, Free Webmail Account
  • Theme: Legal Matter
  • Impersonated Party: Government Agency
  • Impersonated Brands: Social Security Administration
