New research has highlighted the creative and occasionally unusual lengths fraudsters take to carry out social engineering attacks. Proofpoint has listed what it describes as the five strangest social engineering scams it detected last year, with campaigns including the spoofing of soccer coaches and scholars to trick victims into parting with data and money.
As organizations continue to struggle to defend information, devices, and systems against socially engineered attacks, experts say the most successful social engineering groups are usually the most imaginative. “Social engineering is inherently people-centric, and regardless of whether threat actors are targeting businesses or individuals, they’re responding in real time to the events and themes that have the attention of the wider world,” Lucia Milică, global resident CISO at Proofpoint, tells CSO.
Advanced fee/417 scam, but with a twist
Proofpoint’s report cites some curious social engineering scams, with the strangest a new take on the classic advanced fee/417 scam. In this campaign, a target received a bogus email from the Chief Justice of Canada informing them of not just a $2.5 million inheritance but also a lottery win – if the Royal Bank of Canada doesn’t get there first to confiscate it. The issue could be resolved, and the winnings made available in the form of an ATM Visa card, for just $100, the scammer claimed.
“Advance fee fraud is renowned for occasionally outlandish social engineering tactics, but for its sheer range and variety, this one takes the cake. Or the biscuit. Or the cookie,” Proofpoint wrote.
Using good and bad news to deliver malware
Deemed the second strangest social engineering attack of 2021 is a scam that saw fraudsters experiment in December with a good news/bad news effort in which recipients received a message informing them that their employment had been terminated, while others got news of promotion and a holiday bonus.
Despite the apparent difference in fortune, both messages were really delivering bad news. Downloading an attached Excel file and clicking “enable content” resulted in a Dridex banking Trojan being dropped on the victim’s computer, Proofpoint said. “As a cheerful kicker, victims were rewarded with a ‘Merry Xmas’ pop-up once the malware download began.”
Fake but convincing calculator tool
Third on the list is a campaign took a different approach to the “fake but functional” attack trend, which involved finely crafted but non-functioning lures. The most famous of these is BravoMovies, a fake streaming site used to deliver BazaLoader malware.
“Some attackers went beyond the merely superficial,” Proofpoint stated. “In an August 2021 malware delivery campaign, attackers sent a Microsoft Excel file containing an apparently functional freight calculator. Unfortunately, victims persuaded by the lure’s convincing design found that their shipping quote came with a bonus delivery of Dridex malware.”
Building professional relationships to steal credentials
Fourth spot takes the shape of a scam involving TA453, an Iran-aligned actor, spoofing a senior research fellow at University of London’s SOAS and investing significant time into building relationships with European academics and policy experts to steal credentials via a fake webinar sign up page. “What set this campaign apart is the nature and duration of the engagement between attacker and victim. It wasn’t just limited to email communication, with TA453 attempting to engage via phone calls and videoconferencing in the course of building rapport with victims,” Proofpoint wrote.
Phony sports agents target soccer clubs
Rounding out Proofpoint’s five strangest social engineering attacks of 2021 is a scam that sought to exploit interest in the world’s most popular sport – soccer. Researchers detected multiple campaigns using soccer lures to deliver malware to clubs in France, Italy and the UK. “The threat actor in these cases posed as a sports agent representing young players from Africa and South America, seeking their big break into one of the sport’s richest leagues.”
The emails sent to targeted clubs included seemingly legitimate video files and YouTube links showing training and match highlights. “Any victim intrigued enough by the footage to download and enable the attached Microsoft Excel document found themselves infected with Formbook malware. As this example demonstrates, cyberattackers will go to great lengths to familiarize themselves with the conventions of even the most niche or specialized businesses.”
Social engineering attacks getting more obscure
It is not just Proofpoint that has spotted strange social engineering attacks over the last year, suggesting that scams are getting more obscure. For example, SlashNext CEO Patrick Harr tells CSO about an intriguing case involving a customer using Microsoft Teams and WhatsApp. “The hacker used public knowledge of a CEO of a public company traveling to China and sent a WhatsApp message to the CFO and his team to meet on MS Teams,” he says.
The CFO and team met the CEO, and the attackers used a video of the CEO they scraped from the internet with an obscured background. “The video had no sound, so it looked like his audio would not work,” Harr adds. The attacker then slipped a link into the chat and asked the CFO to upload a series of financial document that he said he needed ASAP.
Carl Wearn, head of e-crime at Mimecast, reflects upon another recent social engineering trend that shows significant creativity on the part of fraudsters – online romance fraud. “Over the past two years, as so many people were stuck at home during lockdown, it wasn’t surprising to see the use of dating applications rise as more people looked for companionship. It’s important to understand that during this time, a lot of people were feeling lonely and were particularly vulnerable to the predation of criminals who specialized in dating and online fraud.”
Common ploys include using false personas of individuals that the user might automatically and naturally feel trust or admiration for, including members of the armed forces or emergency services, Wearn adds. “In this way they seek to play on sentiment and disarm you to gain your trust as rapidly as possible. Their pictures are also likely to have been stolen to enhance the con and there will be multiple excuses over why you cannot meet face to face.”
Ultimately, romance fraudsters get to the real heart of the issue and ask for money, initially a seemingly small amount, but this will escalate. “They will often invoke an urgent operation for a closer family member or other similarly urgent needs. It’s an appalling crime but being aware of it and what you say and do online, can stop you from falling for it.”
“There’s no let-up in the creativity we’re seeing attackers bring to the lures they use,” says Milică. “Attackers are always pivoting to topics that will get the most clicks, and social engineering techniques aren’t seen only in emails. We are seeing these tactics being used successfully across text messages, phone calls, direct messages, and more.”
Preventing social engineering attacks
With attacks becoming more creative, it’s never been more important for businesses to have firm social engineering defenses in place, Milică says. “Train users to spot and report malicious emails. Regular training and simulated attacks can stop many attacks and help identify people who are especially vulnerable.”
The best simulations mimic real-world attack techniques and look for solutions that tie into real-world attack trends and the latest threat intelligence, Milică adds. “Regardless of the social engineering vector used, the messaging and communications are malicious. This means users and organizations need to be vigilant across all communication channels, not just traditional email or text message, but traditional mail, phone calls and internal systems as well.”