New research has revealed the creative and sometimes unusual efforts of scammers in conducting social engineering attacks. Proofpoint has listed the five strangest social engineering scams it uncovered over the past year, with campaigns including spoofing soccer coaches and scholars to trick victims into parting with data and money.
As organizations continue to struggle to defend information, devices, and systems against socially engineered attacks, experts say the most successful social engineering groups are typically the most resourceful. “Social engineering is inherently human-centric, and whether threat actors are targeting organizations or individuals, they respond in real time to events and issues that capture the world’s attention,” Lucia Milică, Global Resident CISO at Proofpoint, tells CSO.
Advance fee/419 scam with a twist
Proofpoint’s report cites some strange social engineering scams, the strangest of which is a new version of the classic advance fee/419 scam. In this campaign, a target received a fake email purporting to come from the Chief Justice of Canada, informing them that not only a $2.5 million inheritance but also lottery winnings were waiting for them – unless the Royal Bank of Canada got there first and confiscated the funds. The problem could be resolved, and the winnings released in the form of an ATM Visa card, for a fee of just $100, the scammer claimed.
“Advance fee scams are known for their occasionally outlandish social engineering tactics, but for its sheer reach and variety, this one takes the cake. Or the cookie,” Proofpoint wrote.
Using good news and bad news to spread malware
The second strangest social engineering attack of 2021 was a December campaign in which the scammers experimented with good news and bad news: some recipients received a message about their job termination, while others received messages about a promotion or a holiday bonus.
Despite the apparent difference in fortunes, both of these brought some really bad news. According to Proofpoint, downloading an attached Excel file and clicking “Activate Content” resulted in a Dridex banking Trojan being dropped on the victim’s computer. “As a happy kicker, victims were rewarded with a ‘Merry Xmas’ pop-up once the malware download began.”
Fake but convincing calculator tool
Third on the list is a campaign that took a different approach to the “fake but convincing” attack trend, which involved finely crafted but non-functional decoys. The best-known of these is BravoMovies, a fake streaming site used to distribute BazaLoader malware.
“Some attackers went beyond the mere surface,” noted Proofpoint. “In a malware delivery campaign in August 2021, attackers sent a Microsoft Excel file containing what appeared to be a working freight calculator. Unfortunately, victims who were won over by the lure’s compelling design found that their shipping offer came with a bonus shipment of Dridex malware.”
Building professional relationships to steal credentials
Fourth place goes to a scam involving TA453, an Iran-aligned threat actor that posed as a senior research fellow at SOAS, University of London, and invested significant time in building relationships with European academics and policy experts in order to steal credentials via a fake webinar registration page. “What sets this campaign apart is the nature and duration of the interaction between attacker and victim. It wasn’t just limited to email communications, as TA453 attempted to engage through phone calls and video conferencing to build rapport with victims,” Proofpoint wrote.
Fake sports agents target soccer clubs
Rounding out Proofpoint’s five weirdest social engineering attacks of 2021 is a scam aimed at exploiting interest in the world’s most popular sport – soccer. Researchers uncovered several soccer-themed campaigns that delivered malware to clubs in France, Italy and the UK. “The threat actor in these cases posed as a sports agent representing young players from Africa and South America who are aiming for their big break in one of the richest leagues in sport.”
The emails sent to the target clubs contained what appeared to be legitimate video files and YouTube links showing training and match highlights. “Any victim who was so intrigued by the footage that they downloaded and activated the attached Microsoft Excel document was infected with Formbook malware. As this example shows, cyber attackers will go to great lengths to familiarize themselves with the conventions of even niche or specialty companies.”
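Both the “good news/bad news” Dridex campaign and the soccer-club Formbook campaign relied on the same delivery step: a macro-enabled Excel attachment that asks the recipient to enable content. The following is an added example (not Proofpoint’s or any vendor’s code) of a mail-gateway check for that lure, using only the Python standard library; the sample email, its workbook and the addresses are constructed for the demonstration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .xls/.doc container

def has_macro(data):
    """True if the bytes are a macro-bearing Office document."""
    if data.startswith(OLE2_MAGIC):
        return True              # binary Office files can carry VBA; treat as suspect
    if data.startswith(b"PK"):   # OOXML (.xlsx/.xlsm/.docm) is a zip archive
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return False
        return any(n.lower().endswith("vbaproject.bin") for n in names)
    return False

def suspicious_attachments(raw_eml):
    """Parse a raw e-mail; return filenames of attachments containing macros."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    hits = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        if has_macro(payload):
            hits.append(part.get_filename() or "<unnamed>")
    return hits

def build_sample_email():
    """Constructed sample: a 'holiday bonus' lure with a macro-enabled workbook."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        zf.writestr("xl/vbaProject.bin", b"placeholder VBA stream")  # constructed
    msg = EmailMessage()
    msg["From"] = "hr@example.invalid"
    msg["To"] = "staff@example.invalid"
    msg["Subject"] = "Your year-end bonus"
    msg.set_content("Open the attached sheet and click Enable Content to view.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="vnd.ms-excel.sheet.macroEnabled.12",
                       filename="bonus.xlsm")
    return msg.as_bytes()
```

Running `suspicious_attachments(build_sample_email())` returns `['bonus.xlsm']`; a plain-text mail with no attachments returns an empty list, and a non-zip blob that merely starts with `PK` is not flagged.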
Social engineering attacks are becoming more and more bizarre
Proofpoint is not the only vendor to have uncovered strange social engineering attacks over the past year, which suggests that fraud is becoming more and more bizarre. Patrick Harr, CEO of SlashNext, tells CSO about an intriguing case involving a customer using Microsoft Teams and WhatsApp. “The hacker used public knowledge of a public company CEO who was traveling to China and sent a WhatsApp message to the CFO and his team to meet via MS Teams,” he says.
The CFO and his team joined the call with the supposed CEO, and the attackers played a video of the CEO that they had scraped from the internet, with the background obscured. “The video had no sound, so it looked like its audio wasn’t working,” adds Harr. The attacker then pasted a link into the chat and asked the CFO to upload a series of financial documents, which he said he needed as soon as possible.
Carl Wearn, Head of E-Crime at Mimecast, reflects on another recent social engineering trend that is showing considerable creativity from scammers – online love scams. “Over the past two years, with so many people stuck at home during lockdown, it’s no surprise that dating app usage has increased as more people sought company. It’s important to understand that during this time, many people felt lonely and were particularly vulnerable to predation by criminals specializing in dating and online scams.”
Common tricks include using fake personas of people the user may automatically and naturally trust or admire, including members of the armed forces or emergency services, Wearn adds. “In this way, they try to play on your emotions and disarm you in order to gain your trust as quickly as possible. The pictures were also likely stolen to enhance the scam and there will be multiple excuses as to why you can’t meet face to face.”
Ultimately, romance scammers get to the point and ask for money, initially a seemingly small amount that then escalates. “They often request urgent surgery for a close family member or other similar urgent needs. It’s a horrific crime, but being aware of it and what you say and do online can prevent you from falling for it.”
“The creativity with which attackers use their decoys does not diminish,” says Milică. “Attackers always target the topics that get the most clicks, and social engineering techniques aren’t unique to email. We see these tactics being used successfully in text messages, phone calls, direct messages and more.”
Preventing Social Engineering Attacks
As attacks become more creative, it has never been more important for organizations to have solid protections against social engineering in place, says Milică. “Train users to recognize and report malicious email. Regular training and simulated attacks can stop many attacks and help identify those who are particularly vulnerable.”
The best simulations mimic real-world attack techniques, and organizations should look for solutions tied to real-world attack trends and the latest threat intelligence, Milică adds. “Regardless of the social engineering vector used, the messages and communications are malicious. This means users and organizations need to be vigilant across all communication channels, not just traditional email or text messages, but also traditional mail, phone calls and internal systems.”
Copyright © 2022 IDG Communications, Inc.