Cyber attackers can be quite inventive when it comes to social engineering and persuading someone to do something that isn’t always in their best interest— logging into a phishing site and entering their credentials, luring victims to pay a fake invoice, or simply opening a file containing malware.
Cybersecurity firm Proofpoint rounded up the top five strangest lures and social engineering tactics of 2021:
#5 Soccer Scouting
Last year, Proofpoint researchers noticed multiple social engineering campaigns using soccer to deliver malware to clubs in France, Italy and in the U.K. The threat actor posed as a sports agent representing young players in Africa and in South America, seeking their big break into one of the sport’s richest leagues.
The email was sent to soccer clubs with legitimate video files and YouTube links showing training and match highlights. Victims who were intrigued by the video footage were instructed to download and enable a Microsoft Excel document infected with malware.
#4 Spoofing Scholars
Over the summer, Proofpoint reported activity involving an Iran-based threat actor, targeting European academics and policy experts. The attacker posed as a senior research fellow at the University of London using a lookalike email address spoofing a real scholar. The goal of the campaign was to steal credentials via a fake webinar signup page, but before setting this end game in motion, the attacker invested significant time in building relationships. It wasn’t limited to just email communications, the actor was attempting to engage via phone calls and video conferencing in the course of building report with victims.
#3 Fake by Functional
In August of 2021, Proofoint researchers noticed an attacker sending a Microsoft Excel file containing a functional freight calculator. However, when the victim persuaded by the convincing design, found that their shipping quote actually came with a bonus delivery of malware.
#2 Good News, Bad News,
Cyber attackers are experimenting with A/B testing, a concept familiar to most marketers. Proofpoint noted a campaign launched before the end of the year, in which some recipients received a message informing them that their employment was terminated, while others got news of a promotion or that they received a holiday bonus. By downloading the Excel file and clicking “enable content,” resulted in a Trojan being dropped on the victims’ computer. Once the malware download began, victims were greeted with a “Merry Xmas” pop up.
#1 Inheritance or lottery win – why not both?
We all may have received that occasional email from a long-lost family member who left behind an inheritance of 2.5 million, “click now to claim” scheme. A fraudster attempted to weave an email like this last year, posing as a Chief Justice of Canada, also adding in the email that the recipient had won additional lottery winnings, and the Bank of Canada has come to collect the money. The attacker claimed all of it could be resolved for the modest sum of just $100 and once the payment was received, the winnings would be available in the form of an ATM visa card.
Proofpoint notes “this advanced fee fraud is renowned for occasionally outlandish social engineering tactic, but for its sheer range and variety, this one takes the cake.”