Back to All Research

Attackers Exploit Middle East Crisis to Solicit Fraudulent Cryptocurrency Donations for Children

Attackers attempt to solicit fraudulent donations via cryptocurrency transfers under the guise of collecting donations for children in Palestine.
November 16, 2023

Threat actors are known to capitalize on geopolitical events to manipulate victims into sending money under the guise of charitable donations, and the ongoing events in Gaza and Israel are no exception.

In a recent charity attack detected by Abnormal, cybercriminals attempted to solicit fraudulent donations by playing on sympathy for children in Palestine. The attackers encouraged recipients to donate funds to the provided cryptocurrency wallet addresses, claiming the money would go to providing basic needs, including water, medical care, and Internet access.

According to our research, the campaign targeted 212 individuals at 88 organizations.

Breaking Down the Cryptocurrency Donation Attack

The email states that an unidentified group (presumably from “help-palestine[.]com”, the sender’s display name) is “launching a campaign to provide vital support” to families in Palestine and invites the target to donate to the cause.

After asking for contributions ranging from $100 to $5,000, the attacker explains that donations can be made using cryptocurrency and provides wallet addresses for Bitcoin, Litecoin, and Ethereum—three of the most popular digital currencies.

To further increase legitimacy and create one final opportunity to manipulate the recipients, three links to recent news articles discussing the impact of the conflict on children in the region are included at the bottom of the email.

What Makes This Attack Notable

This attack is a perfect example of cybercriminals attempting to exploit the powerful emotional response triggered by humanitarian crises. During natural disasters, national tragedies, or global emergencies, people's need to act and desire to contribute to relief efforts are heightened—making them more susceptible to deception.

Cyberattackers often take advantage of this vulnerability by weaving compelling narratives with requests for donations that appeal to recipients' sympathy. This manipulation is quintessential social engineering, as it preys on the target's goodwill and altruistic tendencies.

The threat actors in this attack deliberately included emotionally charged wording throughout—for example, “children in Palestine face unimaginable challenges daily”, “a lifeline for these children caught in the crossfire”, and “the children in Palestine are dying”. They also used inclusive language, such as “we have the power to make a difference” and “let’s come together,” a linguistic strategy that aims to establish a shared identity between the speaker and the reader and foster a sense of partnership.

From a technical standpoint, the attackers took multiple steps to hide their actual email address. First, they spoofed the sender email address (erode@gwcindia[.]in), which is a valid address for Goodwill Wealth Management, an India-based stock brokerage. Then, to add legitimacy, they changed the display name to “help-palestine[.]com” which is a domain that doesn’t exist. The real address for the attackers, theconollyfoundation@gmail[.]com, is hidden in the reply-to field, which recipients wouldn’t see unless they viewed the expanded email header.

Why This Attack is Difficult to Detect

Older, legacy email security tools like secure email gateways (SEGs) struggle to accurately identify this email as an attack for multiple reasons.

The first is due to the use of social engineering. Social engineering attacks often involve manipulation and deception, exploiting human psychology rather than relying solely on technical vulnerabilities. SEGs have limitations in analyzing and understanding the subtleties of language and human behavior, making it difficult to distinguish between genuine and nefarious intent.

Additionally, the email contains no payloads and lacks obvious misspellings or grammatical errors. Because this attack is entirely text-based and has no clear indicators of compromise such as a phishing link or harmful attachment, it would almost certainly bypass a SEG.

Modern, AI-native email security solutions, on the other hand, utilize the latest machine learning capabilities to correctly identify this email as an attack. Because an AI-powered email security platform is trained to identify social engineering tactics, it recognizes that this email is attempting to leverage emotional manipulation to convince the target to bypass rational thinking and quickly transfer funds. It can also detect and flag the mismatch between the sender’s email and the reply-to address, as this is a common attack tactic.

Preventing Fraudulent Donation Attacks with Behavioral AI

Threat actors will always capitalize on any opportunity to launch attacks that can exploit world events. And with generative AI tools making it easier than ever to create convincing, error-free malicious emails, enterprises can’t rely on legacy email security systems or their employees to consistently recognize these threats.

As such, the only way to prevent a successful attack is by investing in an AI-native cloud email security solution that ensures emails like these never reach end-user inboxes.

To see how Abnormal can help your organization block modern threats, reduce spend, and prevent emerging attacks, schedule a demo.

B AI Cryptocurrency Donations Attack

See How Abnormal Stops Emerging Attacks

See a Demo

Get the Latest from Abnormal Intelligence

Subscribe to our monthly newsletter to receive the latest insights from our team directly in your inbox.