A brief history lesson
Cyber threats have come a long way since the seventies, when malware first started to show up. In the beginning, malware was often written by simply curious individuals who wanted to try out their skills or see how far their worms would travel. Over time, however, cyber attacks have taken a darker turn.
One of the early and widespread examples of social engineering techniques being used in cyber attacks was the infamous LoveLetter virus. This virus was spread via email, disguised as a VBS file named “LOVE-LETTER-FOR-YOU.TXT.vbs.” When the attachment was opened, the worm gained access to the address book and sent the same message to all contacts listed there. As the email often came from an address the recipient recognised, many opened the attachment out of curiosity and therefore became infected and helped spread the worm further.
As the technique proved to be extremely efficient, other malicious actors quickly took note. One widespread campaign funnily enough promised protection from the LoveLetter worm, by opening a file called “antivirusupdate.vbs” which in turn infected the machine similarly to the original LoveLetter. In addition to weaponizing curiosity, this campaign also referred to a current event to further increase its credibility.
This simple technique is used even to this day, for example with the phishing message shown below. Clicking on the link initiates a download of a VBS file which, when run, infects the machine.
The modern world of cybercrime
In addition to the emotions typically exploited by social engineering such as curiosity, urgency and greed, many malicious actors use emotions such as fear, sadness, empathy and anger to their advantage.
Producing negative emotions is highly effective for the attackers. Emotions guide our actions, and with a strong enough emotional stimuli, we tend to make unwise decisions.
Recent phishing campaigns producing strong emotional response
Here are some campaigns that have been making the rounds in the wild lately.
You’re fired! Such an email surely would ruin one's morning. If the recipient is unfamiliar with their organization's employee termination process, this one has a high likelihood of getting its recipient to click the link.
In addition to the emotionally provocative topic, the phish is personalised for the recipient's company, increasing its credibility further.
This devious technique is great at provoking a strong emotional response. Emotions such as urgency, fear and possibly shame make it very efficient. The user is told they have a virus installed on their computer that has been:
- Following everything they do on their computer
- Recording their internet browsing and messaging history
- Reading their emails
- And, most disturbing (but still false), filming the user while they were “watching” porn, via their webcam
Sometimes, the attacker includes seemingly sensitive information in the threat, such as an old password connected to the user’s email (which was likely purchased on the dark web following a mass breach). The attacker instructs the user to send money to a bitcoin wallet address to prevent the posting of humiliating search history and videos to the user’s contacts and social media.
Sadly, the shame aspect of this scam often prevents victims from seeking help or reporting they have fallen for it.
Sextortion scam prices have increased exponentially over the past year. In January 2021, most sextortion campaigns were asking for around $600-$800 USD, which was already double the previous year's amount. In current campaigns the prices have risen to $3000-$5000 USD.
Receiving an email from an authority tends to make us act. This phishing campaign was spoofed to look like it was sent by the Internal Revenue Service. Threatening our income tends to make us act even faster. To create a strong sense of urgency, the phish sets a deadline of one week for the recipient to fill in a form in order to keep their money.
Attached to the phish is the real W-8BEN form. It has been slightly modified though, to include a link for returning the filled form and other required documents. The type of information required in the form would give the malicious actor more than enough data for identity theft.
In addition to these, we’ve seen, among other things, disasters being exploited by impersonating organisations such as UNICEF, malicious actors posing as grandchildren in need of urgent help, victims being accused of pedophilia and threatened with registration as sex offenders, and the list goes on.
Staying off the hook
Malicious actors are usually trying to use your own emotions against you. Most of these messages seem pretty easy to recognise as malicious, but in the heat of the moment, they might slip past your guard.
Take your time
Disarm the attack’s emotional fuse by trying to analyse the email objectively. If you feel a strong emotion, take a breather for a minute or two and then review the message from a different perspective.
Remember to check the sender address when you receive an email. The address might contain small changes such as changing the domain from .com to .net or adding something extra to the name.
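The two indicators this post keeps returning to, a sender domain that imitates a familiar one (a swapped top-level domain or extra characters added to the name) and an attachment that hides an executable extension behind a harmless-looking one as the LoveLetter worm did, can both be flagged mechanically before a human ever reads the message. The following is an added example written for this post, not code from the original author or from any product; the trusted domain list, the sender addresses and the attachment names are all constructed for the demonstration, and the similarity threshold is an assumption you would tune for your own environment.

```python
"""Heuristic phishing indicators: lookalike sender domains and disguised
executable attachments.  Example code added to this post (not the author's);
domain list, thresholds and sample messages are constructed assumptions.
"""
import difflib
from email.utils import parseaddr

# Constructed: domains the recipient genuinely corresponds with.
TRUSTED_DOMAINS = {"example.com", "irs.gov", "unicef.org"}

# Extensions that run when double-clicked on a typical Windows desktop.
EXECUTABLE_EXTENSIONS = {"vbs", "exe", "js", "scr", "bat", "cmd", "ps1", "hta"}

# Assumed threshold: how similar two whole domains must be to be flagged.
SIMILARITY_THRESHOLD = 0.85


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain from a From: header such as
    'HR Department <hr@Example.NET>'."""
    _, address = parseaddr(from_header)
    return address.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.

    A domain is flagged when it equals a trusted name with a different TLD
    (example.com -> example.net), when the trusted name is padded with extra
    characters (secure-example.com, irs-gov.net), or when the whole string is
    within a few character edits of a trusted domain (examp1e.com).
    """
    if domain in trusted:
        return None                      # an exact match is the real thing
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        if name == t_name and tld != t_tld:
            return t                     # TLD swap
        if name != t_name and (
            t_name in name.split("-")
            or name.startswith(t_name)
            or name.endswith(t_name)
        ):
            return t                     # something extra added to the name
        if difflib.SequenceMatcher(None, domain, t).ratio() >= SIMILARITY_THRESHOLD:
            return t                     # typo-squat style single edits
    return None


def attachment_risk(filename: str):
    """Classify an attachment by its final extension.

    'report.txt.vbs' is reported as a disguised executable because the
    inner '.txt' exists only to make the name look like a text file.
    """
    parts = filename.lower().split(".")
    if len(parts) < 2 or parts[-1] not in EXECUTABLE_EXTENSIONS:
        return None
    if len(parts) >= 3:
        return "executable disguised with double extension"
    return "executable attachment"


def assess(from_header: str, attachment_names):
    """Collect human-readable findings for one message."""
    findings = []
    domain = sender_domain(from_header)
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} resembles trusted {imitated}")
    for name in attachment_names:
        risk = attachment_risk(name)
        if risk:
            findings.append(f"{name}: {risk}")
    return findings


if __name__ == "__main__":
    # Constructed sample messages modelled on the campaigns described above.
    samples = [
        ("HR <hr@example.net>", ["termination-notice.docx"]),
        ("IRS Refunds <refunds@irs-gov.net>", ["W-8BEN.pdf"]),
        ("a friend <friend@example.com>", ["LOVE-LETTER-FOR-YOU.TXT.vbs"]),
        ("Support <support@examp1e.com>", ["antivirusupdate.vbs"]),
    ]
    for sender, attachments in samples:
        print(sender, "->", assess(sender, attachments) or ["no indicators"])
```

The domain heuristics deliberately err on the side of flagging: a short trusted name such as "irs" will also match unrelated domains that happen to end with those letters, so treat the output as a prompt for the closer look the post recommends, not as a verdict. The attachment check only reads the file name; a genuinely malicious attachment can of course use an extension not in the list, which is why the sender check and the "take your time" advice still matter.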
Beware of a fake badge
Real authorities' official websites often use some kind of digital authentication service to identify you. They don’t ask outright for sensitive information such as your social security number the moment you enter the website. Phishing sites do.