We at Hoxhunt want the security training to mirror the real world and the real attacks that we see every day. Real attackers do not have the same moral compass as the defending side, and we want to simulate that to the best of our abilities. This is why we include some of the more sensitive topics in our training. We will never send a simulation that is meant to inflict fear or embarrassment, but we do want to simulate similar emotions, so that you learn to identify these during the training.
Educating users to notice the emotional responses they might have is one of the key aspects of security awareness. By disabling these topics, you might give the attacker an advantage: if you leave some topics out of the training and a real attack is executed with that exact topic, your users might not stop and think about the message before reacting to it. Many of the threats that use more taboo topics might even leave the user too embarrassed to report that they have fallen for one. Keeping your training curriculum as wide as you can will help you in the long run.
We feel that it is extremely important for a user to be left feeling positive after a learning experience, so that they really embrace the learning. Using these topics in our training is a carefully considered decision.
What kinds of brutal tactics do real attackers use?
Producing negative emotions, such as fear and embarrassment, is highly effective for the attackers. Attacks, such as sextortion scams and emails abusing authority, are common nowadays. Other common topics are money, employment, complaints, etc.
During the COVID-19 pandemic and beyond, many people are enduring the worst years of their lives between lay-offs, corporate restructuring, and the loss of loved ones; meanwhile, others have stayed healthy and prospered financially. You could say that the previous year has covered the whole emotional spectrum, and attackers have responded with verifiably potent phishing campaigns hooked into emotions.
After struggling through so much uncertainty, how horrible would it be to receive a contract termination notice from HR? The example below is from a campaign using an extremely emotionally provoking topic to increase the chance that the recipient stops thinking rationally and simply acts on instinct.
People do all kinds of things in the privacy of their own homes. Some activities, like cooking, they are willing to share; and others... less so. Viewing adult websites falls firmly into the “not keen on sharing” category. And Oh la la, imagine the fear and humiliation of being threatened in an email message with: “I know what you looked at last night. And I recorded you doing it.”
Below is a sample email from a sextortion campaign.
Read more: Porn scams, Ooh la la - Hoxhunt
Authority impersonation phishing attacks are nothing new. The topic never gets old and the technique clearly works. They can be carried out in numerous languages exploiting numerous official services around the world, from North Carolina to Belgium. The idea is to mimic a governmental authority or something similar in order to set the phishing hook.
Below is an example campaign that has been very active during 2021, showing how extreme the topics these malicious actors use to get a response can be.
Attempts have also been made to create a sense of authenticity by adding Ministry of Justice and Europol logos. There is also a handwritten signature and several fake stamps added at the end of the email. Even so, the attacker is a bit sloppy: they use a different name in the introduction and in the final signature. Small mistakes like these are good ways to spot a phishing email.
The email proceeds to threaten legal action if the accused does not respond within 72 hours. We have seen emails in this campaign threaten to:
Publish the name and photo of the accused person
Send a further report to the prosecutor
Register the accused person as a sex offender
Transmit the case to national news channels
Broadcast the case to the accused person's family and loved ones
Seeing these accusations and threats, even knowing you are innocent, might cause panic in some people. Thinking there has been some tragic misunderstanding, they will want to clear their name. Unfortunately, that is exactly what the attacker wants: a reply.
Replying to the email leads to a scam in which the attacker tries to steal the victim’s financial information and other personal data.
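The indicators described above (authority impersonation, a short response deadline, a list of threats, and a sender name that differs between the introduction and the signature) can be turned into a simple triage heuristic for a reported email. The following is an added example written for this page; it is not Hoxhunt code or any product's detection logic. The indicator lists, the regular expressions, the scoring thresholds and the two sample emails are all assumptions constructed for illustration.

```python
import re

# Indicator lists: assumptions drawn from the campaign described above,
# not from any real detection ruleset.
AUTHORITY_TERMS = ("ministry of justice", "europol", "prosecutor", "police", "court")
THREAT_TERMS = (
    "publish your name",
    "report to the prosecutor",
    "sex offender",
    "news channel",
    "family",
)
# "within 72 hours" style pressure; matched against lowercased text.
DEADLINE_RE = re.compile(r"\bwithin\s+(\d{1,3})\s*(hour|day)s?\b")
# A name introduced in the body, e.g. "My name is John Doe".
INTRO_NAME_RE = re.compile(
    r"(?:[Mm]y name is|I am|[Tt]his is)\s+((?:[A-Z][a-z]+\s+){1,2}[A-Z][a-z]+)"
)
# A signature line consisting only of two or three capitalised words.
SIGNATURE_NAME_RE = re.compile(r"^((?:[A-Z][a-z]+\s+){1,2}[A-Z][a-z]+)$")


def extract_names(body):
    """Return (intro_name, signature_name); either is None when not found."""
    intro = INTRO_NAME_RE.search(body)
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    sig = SIGNATURE_NAME_RE.match(lines[-1]) if lines else None
    return (intro.group(1) if intro else None, sig.group(1) if sig else None)


def find_indicators(body):
    """Return the list of indicator names present in an email body."""
    text = body.lower()
    found = []
    if any(re.search(r"\b" + re.escape(t) + r"\b", text) for t in AUTHORITY_TERMS):
        found.append("authority_impersonation")
    threats = [t for t in THREAT_TERMS if t in text]
    if len(threats) >= 2:
        found.append("multiple_threats")
    if DEADLINE_RE.search(text):
        found.append("short_deadline")
    intro, sig = extract_names(body)
    if intro and sig and intro.lower() != sig.lower():
        found.append("sender_name_mismatch")
    return found


def triage(body):
    """Map the indicator count to a verdict for the analyst queue."""
    found = find_indicators(body)
    if len(found) >= 2:
        verdict = "escalate"
    elif found:
        verdict = "review"
    else:
        verdict = "no indicators"
    return verdict, found


# Constructed sample modelled on the campaign described above (not a real email).
SAMPLE_SCAM = """Dear Sir or Madam,

My name is John Doe, investigator at the Ministry of Justice, acting with Europol.
Our systems recorded access to prohibited content from your network.
If you do not respond within 72 hours we will publish your name, send a further
report to the prosecutor, register you as a sex offender and transmit the case
to national news channels and to your family.

Reply to this message to clear your name.

Jane Smith
"""

# Constructed benign sample for comparison.
SAMPLE_BENIGN = """Hi team,

Reminder that the quarterly planning meeting moves to Thursday at 10:00.
Please update your calendars.

Thanks,
Maria
"""

if __name__ == "__main__":
    for label, body in (("scam", SAMPLE_SCAM), ("benign", SAMPLE_BENIGN)):
        verdict, found = triage(body)
        print(f"{label}: {verdict} {found}")
```

The name-mismatch check is the one worth keeping even if the keyword lists are tuned away: a campaign that changes its wording still tends to leave the introduction and signature out of sync, as the example above did.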
Want to learn more about the tactics criminals use?
Check out our Off the Hook - Threat Stories library on our blog: https://www.hoxhunt.com/blog where we gather stories from the frontlines on the latest attacks we are seeing out in the wild.