As part of Proofpoint’s “2022 Social Engineering report” it was found that many cybercriminals employ unanticipated behaviors as part of their hacking methods. Threat actors typically are not thought of as engaging with their victims or attempting to disguise legitimate technologies as part of their schemes. However, Proofpoint found that many hackers use some of these methods to gain an entry when targeting an individual.
“Despite defenders’ best efforts, cybercriminals continue to defraud, extort, and ransom companies for billions of dollars annually,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “The struggle with threat actors evolves constantly, as they change tactics to earn clicks from end users.”
Hackers debunking previously held suspicions
Proofpoint entered into the report with a number of assumptions in place, detailing what methods threat actors would go to to carry out an attack, as well as the methods employed to help carry out such attacks.
Threat actors will not spend time building rapport prior to executing attacks
The first assumption put forth by the security company was that cybercriminals were simply sending out malicious links to numerous potential victims, but this was found to be incorrect. In a number of cases analyzed by Proofpoint, Lure and Task Business Email Compromise (BEC) was started via an interaction such as a question from an unknown source. If a potential victim was to reply, it was more likely they would fall for scams such as gift card, payroll or invoice fraud.
Proofpoint also found that threat actors attempting to start a conversation were more likely to receive funds from a victim due to the familiarity the target now believes they have with the criminal. Engaging with a cybercriminal in this way can cost organizations or individuals significant amounts of money.
Hackers would not spoof legitimate services such as Google and Microsoft
Many users assume that if content appears from a trusted source, it must be legitimate. However, Proofpoint found that cybercriminals frequently abuse services such as cloud storage providers and content distribution networks to aid in circulating malware to potential victims. According to the company, Google-related URLs were the most frequently abused in 2021 when it came to threat actors attempting to take advantage of unsuspecting users.
“Security-focused decision makers have prioritized bolstering defenses around physical and cloud-based infrastructure which has led to human beings becoming the most relied upon entry point for compromise,” DeGrippo said. “As a result, a wide array of content and techniques continue to be developed to exploit human behaviors and interests.”
Threats only involve their computer and not the telephone
As with spoofing legitimate sources, a commonly held belief is that email-based threats exist only on laptops or PC’s, but this is also a falsity. Last year, Proofpoint found that threat actors were employing call-center based email attacks. This method has targets contact a fake call center through a number provided in an email, thus engaging with the threat actor themselves. Typically, cybercriminals are executing this scam through free remote assistance software or by sending a document with malware attached to it.
SEE: Mobile device security policy (TechRepublic Premium)
Criminals are unaware of email conversations and existing threads are safe
Another technique used by threat actors is known as thread or conversation hijacking. In this method, a cybercriminal will reply to an existing conversation with a malicious link or piece of ransomware hoping the intended target does not examine the link or file closely. To carry this type of attack out, adversaries are gaining access to a user’s inbox through phishing or malware and then access an email chain to distribute the harmful link or software.
Threat actors only use business-related content for attacks
The final assumption that was dispelled as part of the report was that threat actors would not take advantage of timely social issues to elicit a response from their victims. However, as seen with many adversaries using the war in Ukraine to their own interests, this was proven not to be the case. It is not just news being taken advantage of either, as Proofpoint observed several malicious emails sent to users with Valentine’s Day themes such as flowers and lingerie as the hook for potential victims.
As always, it is important to be vigilant when it comes to email best practices. By employing a zero-trust architecture and being extremely careful when it comes to clicking links or downloading files even from known sources, users can prevent themselves or their companies from falling victim to the next big ransomware or malware attack.
