Proofpoint: Assumptions breeding socially engineered cyber threats

Socially engineered cyber attacks play on emotions and identities

In the breakneck world of cyber threat actors, yesterday's tactics aren't good enough for today. Old tactics may still reliably earn clicks, but law enforcement may already be on to them. So out with the old (love scams) and in with the new (false advertisements for cleaning services). Victims who responded to engage the cleaning services were asked to download an application to their mobile devices; the application contained malware that stole personal banking credentials.

Businesses have recognised the vulnerability of their data networks and established strong defences around physical and cloud-based infrastructure. The software is patched; now it's time to update the end-user, by familiarising staff with the tactics threat actors employ and encouraging them to flag suspicious content.

Proofpoint's 2022 Social Engineering Report proposes a people-centric security model and approach. Humans are the point of entry for compromise, and threat actors are taking notice, tailoring content and approaches to exploit human habits and interests.

Security-focused decision makers have prioritized bolstering defenses around physical and cloud-based infrastructure which has led to human beings becoming the most relied upon entry point for compromise. As a result, a wide array of content and techniques continue to be developed to exploit human behaviors and interests.

Sherrod DeGrippo, Vice President of Threat Research and Detection, Proofpoint

5 faulty assumptions breeding social engineering tactics

1. Threat actors will not spend time establishing rapport before launching attacks

Attackers are willing to put in time and effort for a payday. Effective social engineering instils sentiments in a user that motivate them to interact with content. Threat actors lay the groundwork for an exploitable relationship by first sending innocuous emails that lull the recipient into a false sense of security.

Love scams are built on victims trusting online strangers with whom they have corresponded intimately over a significant period of time. In Singapore, since January 2022, at least 384 victims have fallen prey, with losses amounting to at least $15 million.

2. Current email threads with colleagues are safe from threat actors

Threat actors who gain access to a mailbox can read these conversations, identify your closest contacts and spoof a convincing work-related request. Thread hijacking is a technique in which malicious content is injected into an existing conversation: the recipient is already expecting a reply from the sender and is therefore more inclined to interact with it.

In Singapore, threat actors are using spoofed emails to impersonate supervisors or colleagues and get their targets to help with payment requests. There have been at least 149 victims since January 2022, with losses upwards of $70.8 million.

Proofpoint conducted a DMARC analysis and found that 95% of SGX 200 companies are not properly blocking fraudulent emails: they have not published a DMARC policy at an enforcing level (quarantine or reject), so receiving mail servers are never instructed to stop messages that fail authentication. This lack of protection against email fraud exposes countless parties to imposter emails and business email compromise (BEC). These attacks are designed to trick victims into thinking they received an email from an authoritative superior asking them to transfer funds, divulge sensitive or personally identifiable information, or hand over their credentials.
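The check behind a finding like this is mechanical: fetch the TXT record at `_dmarc.<domain>` and look at the policy tags. The script below is an added example (not Proofpoint's tooling) that classifies a record as missing, invalid, monitor-only, partially enforced or enforced. The domain names and records are constructed stand-ins for real lookups; none belong to an actual SGX-listed company.

```python
"""Classify a domain's DMARC posture from its _dmarc TXT record.

Added example, not Proofpoint's code. The records below are constructed
stand-ins for what a TXT lookup of _dmarc.<domain> would return.
"""

# Constructed sample records keyed by fictional domain. None = no record.
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none",
    "enforced.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example",
    "broken.example": "v=spf1 -all",  # an SPF record mistakenly published at _dmarc
}

ENFORCING = ("quarantine", "reject")


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict of lower-cased tag names.

    Returns None when the record is empty or its first tag is not v=DMARC1,
    which RFC 7489 requires; receivers ignore such records entirely.
    """
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return None
    return tags


def classify(record):
    """Return 'missing', 'invalid', 'monitor', 'partial' or 'enforced'.

    Only 'enforced' means receivers are told to quarantine or reject spoofed
    mail for the domain and all of its subdomains, for 100% of traffic.
    """
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None:
        return "invalid"
    # A missing p tag is treated as p=none (monitor-only) here.
    policy = tags.get("p", "none").lower()
    if policy not in ENFORCING:
        return "monitor"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        return "partial"        # only a sample of failing mail is acted on
    if tags.get("sp", policy).lower() not in ENFORCING:
        return "partial"        # subdomains (e.g. hr.example) stay spoofable
    return "enforced"


def share_not_enforced(records):
    """Fraction of domains whose DMARC posture does not block spoofing."""
    weak = [d for d, r in records.items() if classify(r) != "enforced"]
    return len(weak) / len(records)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:24} {classify(record)}")
    print(f"not enforcing: {share_not_enforced(SAMPLE_RECORDS):.0%}")
```

To run this against live domains, replace the constructed dictionary with real TXT lookups of `_dmarc.<domain>` (for example with `dig TXT _dmarc.example.com +short` or a DNS library). Note that a `p=reject` record with `pct=25` or `sp=none` still leaves most spoofed mail, or every subdomain, unblocked, which is why the classifier treats those as partial rather than enforced.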

3. Threat actors won’t make use of timely, topical, socially relevant content to pique interest or exploit emotions

Threat actors think intelligently and emotionally. They are humans too, with natural human tendencies, immersed in the same sociopolitical narratives as the rest of us. They know what makes victims tick.

Proofpoint researchers found that only one month after Netflix debuted the hit series Squid Game, cyber criminals were already sending Squid Game-themed emails to victims, promising priority access to the next season or even the chance to be cast in future episodes. Now that a Squid Game reality TV show is actually in the works, scam emails enticing victims to participate are even more "believable".

4. Legitimate services such as those provided by authoritative technology companies (e.g. Google, Microsoft) are safe

Threat actors regularly abuse legitimate services to host and distribute malware and to steal credentials. According to Proofpoint's annual Voice of the CISO report, CISOs in Singapore anticipate that threat actors will take advantage of the rapid adoption of cloud collaboration technologies, making cloud account compromise a significant organisational challenge.

5. Cyber threats are only email and text message-based; attackers don't use the telephone

Unconventional scam tactics that use the telephone do exist, and there has been an uptick in multi-faceted TOAD (telephone-oriented attack delivery) attacks. Such attacks require a lot of human interaction: the lure email typically carries no malicious link or attachment, and the victim must proactively call the fake customer service number it contains to engage with the threat actor. Proofpoint researchers identify over 250,000 of these threats each day globally, with threat actors leveraging a robust ecosystem of call centre-based email threats.

What can organisations do to aid end-user employees?

Recall, threat actors are humans too. To answer the question of “What will be the next attack?”, think, “What is the thing we are all talking about now?”

From an organisational standpoint, shift the security awareness culture toward a posture in which identifying incoming threats is understood as a relevant and necessary daily task. Malicious activity is regular, even inevitable. As this notion becomes more widely recognised and threat reporting pipelines become better established, threat actors should find it increasingly difficult to exploit social engineering tactics.

Pro tip – Double-check an email sender's identity by clicking on 'details' to see the actual address behind the display name. Impersonating messages often carry a legitimate-looking display name (for example, a colleague's or friend's first and last name), but the underlying email address is a jumble of random letters and numbers, or sits on a domain the real sender would never use.
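The same check can be automated at the mail gateway or in a mailbox rule. The script below is an added example (not from the Proofpoint report) that parses the From and Reply-To headers and flags a known colleague's display name appearing on an address that is not theirs, or a Reply-To that diverts replies elsewhere. The sender directory, trusted domain and the three messages are all constructed for the example.

```python
"""Flag display-name impersonation in the From header.

Added example, not part of the Proofpoint report. The directory of known
senders, the trusted domain and the three messages are all constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed directory: how a real colleague's mail is actually addressed.
KNOWN_SENDERS = {"alice tan": "alice.tan@example.com"}
TRUSTED_DOMAINS = {"example.com"}

# Constructed messages. LEGIT is genuine; SPOOF keeps the colleague's name
# but the address behind it is a jumble on an unrelated domain; REPLY_TO
# uses the genuine address but routes replies elsewhere.
LEGIT = (b"From: Alice Tan <alice.tan@example.com>\r\n"
         b"To: bob.lee@example.com\r\n"
         b"Subject: Q3 vendor payment\r\n\r\nBob, can you process the attached invoice?\r\n")
SPOOF = (b"From: Alice Tan <zq83kx1v@mail-7f2.example.net>\r\n"
         b"To: bob.lee@example.com\r\n"
         b"Subject: Q3 vendor payment\r\n\r\nBob, urgent, please pay the attached invoice today.\r\n")
REPLY_TO = (b"From: Alice Tan <alice.tan@example.com>\r\n"
            b"Reply-To: accounts-payable@pay-now-8831.example.org\r\n"
            b"To: bob.lee@example.com\r\n"
            b"Subject: Q3 vendor payment\r\n\r\nReply with the bank details.\r\n")


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def check_sender(raw):
    """Return (suspicious, findings) for one RFC 5322 message given as bytes."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # The display name is what the mail client shows; the address is what
    # the 'details' view reveals. Compare the two against the directory.
    expected = KNOWN_SENDERS.get(display.strip().lower())
    if expected and expected != addr.lower():
        findings.append(f"display name '{display}' belongs to {expected}, "
                        f"but the message is from {addr}")
    if expected and domain_of(addr) not in TRUSTED_DOMAINS:
        findings.append(f"known colleague's name on untrusted domain {domain_of(addr)}")
    # A Reply-To on another domain lets an attacker collect replies to a
    # message whose From address looks (or even is) genuine.
    if reply_to and domain_of(reply_to) != domain_of(addr):
        findings.append(f"Reply-To {reply_to} diverts replies away from {addr}")
    return (bool(findings), findings)


if __name__ == "__main__":
    for label, raw in (("LEGIT", LEGIT), ("SPOOF", SPOOF), ("REPLY_TO", REPLY_TO)):
        suspicious, findings = check_sender(raw)
        print(label, "suspicious" if suspicious else "ok")
        for f in findings:
            print("   ", f)
```

The directory lookup is deliberately keyed on the display name rather than the address, because that is the field the attacker controls freely and the one the victim actually reads. In a real deployment the directory would come from the corporate address book, and the Reply-To rule should be tuned for legitimate ticketing systems that set it on purpose.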
