Your mobile device buzzes, you lift it up and see the the notification: “You’ve been mentioned in a discussion!”. In this moment, you probably feel really important and accomplished as a human being because someone is talking about you. So, what do you do now? If you’re not in the middle of something very important, or have almost supernatural self-discipline, you’re probably gonna let curiosity win and check what people are saying about you, right?
WRONG. That’s exactly the response the malicious actors are hoping for.
Curiosity is one of the most powerful human qualities that malicious actors can weaponise to increase the efficiency of their campaigns. Curiosity makes us act quickly, without taking the time to think things through, and sometimes it can even make us act completely irrationally. Succeeding to bring the target into such a state of mind lets the malicious actors get away with mistakes or inconsistencies the target would otherwise notice.
Our training data shows this well: many of the simulations that play into the user’s sense of curiosity are amongst the the most failed sims we run. More information and statistics from our 30 million+ simulations sent out in 2022 alone can be read in our ebook Behavioral Cybersecurity Statistics.
Here’s a phishing campaign weaponising curiosity
This leads us to our phishing campaign example of the day! This campaign stands out for many different reasons. First off, the automatic personalisation usage is great. Both the subject and the body contents are dynamically changed to match the recipient, making the email seem much more legitimate. The personalisation is also done in a better way than usual. A common method used by malicious actors to personalise emails automatically is to extract the domain of the recipients email address and use that as the company name, and similarly extract the user name or the first part of the email and use that as the recipient's name. This returns poor results, as the capitalisation is wrong and the domain might be far from the real name of the company.
In this campaign however, the capitalisation of the personalised parts are correct and the first and last name is separated by a spacebar instead of a dot as usual in email addresses. As a neat extra touch, the malicious actors have even added some registry information about the recipient's company at the bottom.
As a payload, the campaign has links leading to a typical credential harvesting site impersonating the Microsoft login page. Examples of these can be found in our Off the Hook discussing credential harvesting, and Logokits that take these sites a step further. In addition to using multiple domains for hosting the credential harvesting sites, the campaign also utilised multiple different domains for sending the emails, reducing the amount of emails caught in spam filters.
Staying Off the Hook
- Phishing emails often have some emotional triggers, and the most common of these are urgency, fear, and curiosity. Sometimes there’ll be all three at once! Recognising these triggers (and, for example, taking a break when noticing these feelings arising) will help you identify and prevent most phishing attacks.
- Curiosity is one of the most powerful emotions that social engineers abuse. By presenting something interesting or something mysterious, the attacker tries to get you to perform a wanted action.
- Always check where the email originates from. Phishing campaigns often originate from domains completely unrelated to the contents of the email, making them easy to spot.
- Remember to hover on links to see where they lead! Similar to the domains used in sending emails, malicious sites are often hosted on completely unrelated domains.
