Threat analyst Jon Gellin explains how social engineering has evolved malware from its humble origins in the seventies to chain email letters in the 90s, which laid the tracks for the sophisticated, and cruel, phishing techniques we see today. In this article, he shows current examples of sextortion and authority impersonation, and how to stay off the hook!
Cyber threats have come a long way since the seventies, when malware first started to show up. In the beginning, malware was often written by simply curious individuals who wanted to try out their skills or see how far their worms would travel. Over time, however, cyber attacks have taken a darker turn.
One of the early and widespread examples of social engineering techniques being used in cyber attacks was the infamous LoveLetter virus. This virus was spread via email as a VBS file named “LOVE-LETTER-FOR-YOU.TXT.vbs,” disguised as a text file. When the attachment was opened, the worm gained access to the address book and sent the same message to all contacts listed there. As the email often came from an address the recipient recognised, many opened the attachment out of curiosity and therefore became infected and helped spread the worm further.
As the technique proved to be extremely efficient, other malicious actors quickly took note. One widespread campaign, funnily enough, promised protection from the LoveLetter worm if the recipient opened a file called “antivirusupdate.vbs”, which in turn infected the machine similarly to the original LoveLetter. In addition to weaponizing curiosity, this campaign also referred to a current event to further increase its credibility.
This simple technique is used even to this day, for example with the phishing message shown below. Clicking on the link initiates a download of a VBS file which, when run, infects the machine.
In addition to the emotions typically exploited by social engineering, such as curiosity, urgency and greed, many malicious actors use emotions such as fear, sadness, empathy and anger to their advantage.
Producing negative emotions is highly effective for the attackers. Emotions guide our actions, and with a strong enough emotional stimulus, we tend to make unwise decisions.
Here are some campaigns making the rounds in the wild lately.
You’re fired! Such an email surely would ruin one's morning. If the recipient is unfamiliar with their organization's employee termination process, this one has a high likelihood of getting its recipient to click the link.
In addition to the emotionally provocative topic, the phish is personalised for the recipient's company, increasing the credibility further.
This devious technique is great at provoking a strong emotional response. Emotions such as urgency, fear and possibly shame make it very efficient. The user is told they have a virus installed on their computer that has been:
Sometimes, the attacker includes seemingly sensitive information in the threat, such as an old password connected to the user’s email (which was likely purchased on the dark web following a mass breach). The attacker instructs the user to send money to a bitcoin wallet address to prevent the posting of humiliating search history and videos to the user’s contacts and social media.
Sadly, the shame aspect of this scam often prevents victims from seeking help or reporting they have fallen for it.
Sextortion scam prices have increased exponentially during the past year. In January 2021, most sextortion campaigns were asking for around $600-$800 USD, which was already double the amount of last year. In current campaigns the prices have risen to $3000-$5000 USD.
Receiving an email from an authority tends to make us act. This phishing campaign was spoofed to look as if it was sent by the Internal Revenue Service. Threatening our income tends to make us act even faster. Prompting a great sense of urgency, the phish sets a deadline of one week for the recipient to fill in a form in order to keep their money.
Attached to the phish is the real W-8BEN form. It has been slightly modified though, to include a link for returning the filled form and other required documents. The type of information required in the form would give the malicious actor more than enough data for identity theft.
In addition to these, we’ve seen, among other things, disasters being taken advantage of by impersonating organisations such as UNICEF, malicious actors posing as grandchildren in need of urgent help, and victims being accused of pedophilia or threatened with being registered as sex offenders. The list goes on.
Malicious actors are usually trying to use your own emotions against you. Most of these messages seem pretty easy to recognise as malicious, but in the heat of the moment, they might slip past your guard.