Social engineering is the underlying factor in the overwhelming majority of cyberattacks today. Whether a cybercriminal’s goal is to directly instigate fraud, gather your credentials or install malware, social engineering is on the rise.
Despite the general public’s best efforts, threat actors continue to defraud, ransom and extort companies for billions of dollars annually. As new defenses are created and implemented, technologically talented and crafty criminals look for new ways to undermine them.
While security-focused decision makers have opted to strengthen defenses around physical and cloud-based infrastructure, your people are quickly becoming the most reliable and easy entry point for compromise.
Social Engineering as an Exploit
Lots of content and techniques are currently being developed to exploit human behaviors and interests. The most effective methods use human tendencies and undermine the instincts that would otherwise raise an alarm that “something isn’t right.”
The victim is oftentimes presented with familiar content or something that they regularly interact with in their day-to-day jobs: receipts, invoices, spreadsheets or documents.
The content appears like it’s just another Tuesday at the office, and therefore raises no alarm. A threat actor might pretend to be a trusted partner or an authority figure like your company’s CEO.
Social interest is also frequently at play: At the start of the COVID-19 pandemic, there was a massive desire for information about vaccine development, updated health guidelines, regional mandates and new company policies. As a result, threat actors of every sophistication level pivoted to make use of COVID-19-related content because of the universal relevance of the subject matter.
5 False Assumptions People Make About Threat Actors
Most office workers aren’t actively looking for phishing attempts or cybercriminal activity, so it’s easy for them to make false assumptions about the nature of threat actors and cybercriminal behaviors.
Here are five of the most common false assumptions people make about threat actors:
- Threat actors won’t spend time building rapport before initiating attacks, like holding regular conversations.
- Authoritative services like those provided by established technology companies like Google and Microsoft are always safe to use.
- Threats only ever involve computers and not outside technologies such as mobile phones.
- Threat actors don’t have access to email conversations held with coworkers and those conversation threads are safe.
- Threat actors won’t use timely, topical, socially relevant content to pique interest or exploit emotions.
In the next section, we’ll dive into each of these false assumptions in more detail.
Assumption #1: Criminals Won’t Talk With You
The best kind of social engineering is about generating feelings within an end user or coworker that mentally drives them into engaging with content: Something in their inbox may appear urgent, another person appears trustworthy or maybe they can help with something.
By sending benign, conversational emails with the intent to lure the user into a false sense of security, cybercriminals start a relationship with the end goal to make that person more easily exploitable.
An example of this threat can be seen in a Lure and Task Business Email Compromise (BEC) threat. These typically start with a seemingly innocent conversation or ask a question to get the recipient to engage with the email.
Image: Lure/Task BEC Email
Lure/task emails typically follow a gateway theme: If the person replies, they may be led to another type of threat such as a gift card, payroll information request or invoice fraud.
The threat actor then tries to get a recipient to engage with them and will send follow-up requests – such as for transferring money – in future emails once a connection has been established. The result can cost individuals and organizations thousands of dollars, and it all started just by having a simple conversation with a “trusted” source.
Assumption #2: Microsoft and Google Platforms Are Always Safe
People may be more inclined to interact with content if it appears to come from a source they trust and recognize, like Microsoft or Google products. However, threat actors regularly abuse legitimate services like cloud storage providers and content distribution networks to host and distribute malware as well as create credential harvesting portals.
According to Proofpoint, Google-related URLs were the most frequently exploited in 2021. However, when looking at which domains are clicked, Microsoft-related URL-based threats received more than twice the clicks of those hosted by Google.
This finding could help explain why Proofpoint’s analysis shows Microsoft OneDrive is the most frequently abused service by top-tier cybercriminals, followed by Google Drive, Dropbox, Discord, Firebase and SendGrid.
Assumption #3: Threat Actors Won’t Pick Up the Phone
It’s not crazy for people to believe email-based threats exist only on computers. But in 2021, Proofpoint researchers found an increase in attacks leveraging an intricate ecosystem of call center-based email threats.
Phone-based threats require a lot of human interaction, something not regularly seen with phishing attempts. While the emails themselves don’t contain malicious links or attachments, individuals must proactively call a fake customer service number in the email to engage with the threat actor.
The reality is that there are over 250,000 of these threats every day.
Call Center Threats Explained
There are two types of call center threat activity. One uses free, legitimate remote assistance software to steal money. The second uses malware disguised as a document to compromise a computer and that initial download can lead to additional malware. The second attack type is often associated with BazaLoader malware and is commonly referred to as BazaCall.
Both attack types are referred to as telephone-oriented attack delivery (or TOAD).
Below is an example of a financially motivated TOAD threat masquerading as a PayPal invoice from a U.S. weapons manufacturer:
Image: TOAD lure spoofing PayPal.
People just like you and me can lose tens of thousands of dollars to these types of threats. In one unfortunate example, Proofpoint identified a victim losing almost $50,000 to an attack from a threat actor masquerading as a Norton LifeLock representative.
Assumption #4: Replying to Existing Emails Is Safe
Thread hijacking or conversation hijacking is a phishing technique where cybercriminals reply to existing email conversations with a malicious attachment, URL or request to perform some action on the threat actor’s behalf. The cybercriminal in question exploits the person’s trust in the existing email conversation.
Usually, a recipient is expecting a reply from the sender in the existing conversation and is therefore more inclined to interact with the affected content. To successfully hijack an existing conversation, cybercriminals need to gain access to legitimate users’ inboxes.
There are multiple ways to gain access to your coworkers’ inboxes, including credential lists available on hacking forums, phishing, malware attacks or password-spraying techniques. Threat actors can also take over entire email servers or mailboxes and automatically send replies from threat actor-controlled botnets.
Email messages will appear real and organic, and because the threat is a reply to a legitimate conversation thread, the message history will be attached.
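As an added example (not code from the original article or from Proofpoint), the script below shows how a defender can score incoming mail against three of the indicators described under Assumptions #2, #3 and #4: a reply that continues an existing thread but comes from a domain the thread has never seen (or whose Reply-To quietly redirects the conversation), an invoice-themed message with a callback phone number but no links or attachments (the TOAD pattern), and links pointing at the file-sharing and CDN services the article lists as frequently abused. The sample messages, addresses, domains, the `THREADS` lookup and the hostnames in `TRUSTED_HOSTING_DOMAINS` are all constructed for the demo and are assumptions, not values from the article.

```python
"""Mail-triage heuristics for the social-engineering patterns in the article.
Added example; all sample messages, domains and hostnames are constructed."""
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List, Set

# Services the article names as frequently abused for hosting lures.
# The hostnames are assumed for this example, not taken from the article.
TRUSTED_HOSTING_DOMAINS = {
    "onedrive.live.com", "1drv.ms", "drive.google.com", "dropbox.com",
    "cdn.discordapp.com", "firebaseapp.com", "sendgrid.net",
}
INVOICE_WORDS = re.compile(r"\b(invoice|receipt|payment|renewal|subscription)\b", re.I)
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")
URL_RE = re.compile(r"https?://([^\s/]+)", re.I)


def _domain(addr_header) -> str:
    """Lower-cased domain part of an address header, '' if absent."""
    _, addr = parseaddr(addr_header or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _body_text(msg: Message) -> str:
    """Concatenate the text/plain parts of a message."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")


def _has_attachment(msg: Message) -> bool:
    return any(p.get_filename() for p in msg.walk())


def triage(raw: str, thread_participants: Dict[str, Set[str]]) -> List[str]:
    """Return the indicator names raised for one raw RFC 5322 message.

    thread_participants maps a parent Message-ID to the set of sender domains
    that have legitimately appeared in that thread (assumed to come from the
    mail store; constructed below)."""
    msg = message_from_string(raw)
    body = _body_text(msg)
    findings: List[str] = []
    from_domain = _domain(msg["From"])
    reply_to_domain = _domain(msg["Reply-To"])

    # 1. Thread hijacking: a reply from a domain the thread has never seen,
    #    or a Reply-To that redirects the conversation to another mailbox.
    parent = (msg["In-Reply-To"] or "").strip()
    if parent and from_domain and from_domain not in thread_participants.get(parent, set()):
        findings.append("reply-from-unknown-domain")
    if reply_to_domain and reply_to_domain != from_domain:
        findings.append("reply-to-mismatch")

    # 2. TOAD lure: invoice theme plus a number to call, but nothing to click.
    hosts = [h.lower() for h in URL_RE.findall(body)]
    themed = INVOICE_WORDS.search(msg["Subject"] or "") or INVOICE_WORDS.search(body)
    if themed and PHONE_RE.search(body) and not hosts and not _has_attachment(msg):
        findings.append("callback-invoice-lure")

    # 3. Links hosted on file-sharing/CDN services the article lists as abused.
    if any(h == d or h.endswith("." + d) for h in hosts for d in TRUSTED_HOSTING_DOMAINS):
        findings.append("link-on-trusted-hosting-service")
    return findings


# Constructed thread state: the internal thread only ever had internal senders.
THREADS = {"<thread-7781@example-corp.test>": {"example-corp.test"}}

# Constructed sample: outside domain "replies" into the thread and redirects replies.
HIJACK_SAMPLE = """\
From: Dana Ortiz <dana.ortiz@example-partner.test>
To: pat@example-corp.test
Reply-To: billing-desk@mail-relay.test
Subject: RE: Q3 contract renewal
In-Reply-To: <thread-7781@example-corp.test>
Message-ID: <abc@mail-relay.test>
Content-Type: text/plain

Following up on our thread, please see the updated bank details in my next mail.
"""

# Constructed sample: invoice wording and a callback number, no links or attachments.
TOAD_SAMPLE = """\
From: Billing <noreply@invoice-notice.test>
To: pat@example-corp.test
Subject: Your subscription renewal invoice #44913
Message-ID: <def@invoice-notice.test>
Content-Type: text/plain

Your annual subscription has been renewed for $399.99.
To cancel or dispute this charge, call 1-800-555-0142 within 24 hours.
"""

# Constructed sample: a link on a widely trusted file-sharing service.
SHARED_DOC_SAMPLE = """\
From: Docs <share@example-partner.test>
To: pat@example-corp.test
Subject: Document shared with you
Message-ID: <ghi@example-partner.test>
Content-Type: text/plain

Open the shared file: https://drive.google.com/file/d/CONSTRUCTED-ID/view
"""

# Constructed sample: a genuine internal reply that should raise nothing.
BENIGN_SAMPLE = """\
From: Sam Lee <sam.lee@example-corp.test>
To: pat@example-corp.test
Subject: RE: Q3 contract renewal
In-Reply-To: <thread-7781@example-corp.test>
Message-ID: <jkl@example-corp.test>
Content-Type: text/plain

Thanks, I will review the draft tomorrow.
"""

if __name__ == "__main__":
    for name, sample in [("hijack", HIJACK_SAMPLE), ("toad", TOAD_SAMPLE),
                         ("shared-doc", SHARED_DOC_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(f"{name}: {triage(sample, THREADS)}")
```

The thread-participant lookup is the part that does the real work for Assumption #4: a reply is only suspicious relative to the thread it claims to continue, so the mail store (or the gateway's own thread index) has to supply which domains were legitimately in that conversation. The TOAD rule deliberately fires only when there is nothing clickable, because that absence of links and attachments is exactly what lets these lures pass URL- and attachment-based filters.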
Assumption #5: Threat Actors Exclusively Discuss Business-Related Content
Every year, threat actors capitalize on popular culture, current events and news, using lure themes that coincide with whatever the general public is interested in to get them to engage with malicious content.
Proofpoint researchers observed a couple of BazaLoader campaigns leveraging Valentine’s Day themes like lingerie and flowers in January 2021.
Image: BazaLoader Valentine’s Day lure
In 2021, BazaLoader threat actors began using infection chains that required a large amount of human interaction, like visiting cybercriminal-controlled websites to download a payload, or even calling the threat actor directly to get assistance with an erroneous purchase, as seen in the example image above.
In October 2021, pop culture was used as an exploit to tempt people into interacting with affected content. Proofpoint identified the large cybercrime actor TA575 distributing the Dridex banking trojan using “Squid Game” themes.
The threat actor posed as entities associated with the Netflix global phenomenon, using emails that enticed targets to get early access to a new season of Squid Game or to become part of the TV show’s casting.
Image: Squid Game lure.
Valuable Takeaways for Social Engineering Threat Trends
Now that you’ve read about social engineering threat trends for 2023, here are five valuable takeaways from this article:
- Threat actors build trust with people by holding extended conversations.
- Threat actors have expanded the abuse of effective tactics like using trusted companies’ services (Microsoft and Google products).
- Threat actors can, and regularly do, use phones in their attack chain.
- Threat actors know of, and make use of, existing conversation threads between coworkers.
- Threat actors regularly discuss topical, timely and socially relevant themes to entice users to interact with affected content.
Be Prepared for the Social Engineering Threat Trends in 2023
Threat actors are getting increasingly good at exploiting human weaknesses as time goes on, and they’re more than willing to go the extra mile to gain access to your data. Luckily, finding the right cybersecurity partner in the Miami area is easier than you think.
Book a meeting or contact us to discuss any cybersecurity issues you may have.
*The information and example images in this article were provided by Proofpoint, 2022.*