Cybercriminals’ Strangest Recent Tactics: From Trips to Mars to Piano Giveaways

Written by Emile Abou Saleh, Regional Director, Middle East and Africa, Proofpoint

We all know that the internet can be a strange place at the best of times, so it should come as no surprise that the world’s cybercriminals contribute their fair share of strangeness. Our researchers continue to encounter malicious campaigns that go way beyond the usual level of bizarre to achieve their social engineering aims.

Social engineering is a common tactic used by cybercriminals to gain access to a user’s passwords, account details, email accounts and even funds. It involves exploiting human behaviour to encourage people to open and respond to fraudulent emails. In the digital realm, threat actors use this psychological manipulation tactic to drive people to break normal security procedures. It is a con game that relies on human error rather than digital hacking.

Social Engineering in the UAE
In social engineering attacks, bad actors exploit psychological principles like trust, the fear of missing out, authority, and the desire to be helpful. Cybercriminals understand that people can be exploited, either through negligence or simply obliviousness. Social engineering is part of many of the threats analysed by Proofpoint, which are used to steal credentials, extract sensitive data, and fraudulently transfer funds.

Many users engage – either knowingly, or unknowingly – in actions which may heighten their risk of falling victim to these very social engineering attacks. Proofpoint’s 2024 State of the Phish report revealed a concerning trend: 86% of surveyed working adults in the UAE admitted to taking risky actions, such as reusing or sharing a password, clicking on links from unknown senders, or handing over their credentials to an untrustworthy source.

A vast majority (97%) of them did so knowing the inherent risks involved, meaning that 83% of employees in the UAE willingly undermined their organization’s security. The motivations behind risky actions are varied, with most employees citing convenience (32%), the desire to save time (46%), and a sense of urgency (31%) as their main reasons.

As cybercriminals continue to refine their techniques, the lures they deploy are becoming increasingly outlandish and creative. This escalation in social engineering sophistication underscores the critical need for enhanced vigilance and education.

Tickets to Mars
Just a few years ago, space tourism was making big headlines. It seemed like the age of orbital jaunts was just around the corner and that NASA would be building moon bases before long. Sadly, there have been setbacks, and for now, space remains the preserve of astronauts, scientists, and the very rich. But following the “go big or go home” principle, a recent malicious email campaign didn’t stop at sub-orbital spaceflight or visits to the moon: it promised recipients the chance to win a trip to Mars.

With a subject line of “You win a trip to Mars,” the messages contained a PDF featuring an image of a recent Elon Musk biography and a spoofed update dialogue for Adobe Reader. The download button on the fake image linked to a tar.gz file containing an executable that ultimately downloaded Redline Stealer.

Occasionally threat actors come up with lures so improbable that it’s hard to imagine anyone falling for them. But there is a method in their madness. For some recipients, curiosity alone will be an effective lure. After all, social engineering is about getting your victim to do what you want—in this case, clicking a download link. And you don’t have to believe that you’re going to win a trip to Mars to be interested in finding out why you’re being offered one.
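For defenders, the last hop of the chain described above, a tar.gz download that holds an executable, is something a mail or web gateway can check before the file reaches a user. The Python below is an added example, not code from the article or from Proofpoint; the function names are hypothetical and the sample archive and its file names are constructed.

```python
import io
import tarfile
import zlib

# Leading bytes of native executables: Windows PE starts "MZ", Linux ELF "\x7fELF".
EXEC_MAGIC = {b"MZ": "PE", b"\x7fELF": "ELF"}
RISKY_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")


def find_executables(archive_bytes):
    """Return [(member_name, reason)] for executable content in a tar.gz blob."""
    findings = []
    try:
        with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                # Check content first: a renamed binary keeps its header.
                head = tar.extractfile(member).read(4)
                kind = next((k for m, k in EXEC_MAGIC.items() if head.startswith(m)), None)
                if kind:
                    findings.append((member.name, kind + " header"))
                elif member.name.lower().endswith(RISKY_SUFFIXES):
                    findings.append((member.name, "risky extension"))
    except (tarfile.TarError, OSError, EOFError, zlib.error):
        # Fail closed: an archive the scanner cannot read is itself a finding.
        findings.append(("<archive>", "unreadable"))
    return findings


def build_sample(files):
    """Build a constructed tar.gz in memory from {name: bytes} (test input only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample({
        "readme.txt": b"hello",                         # benign text
        "update_setup.bin": b"MZ\x90\x00" + b"\x00" * 60,  # PE header, harmless padding
        "run.bat": b"@echo off",                        # script by extension
    })
    for name, reason in find_executables(sample):
        print(f"{name}: {reason}")
```
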

The Free Piano Scam
Equally unusual is another lure observed by Proofpoint: a piano giveaway scam. In the campaigns, the threat actor purports to offer up a free piano, often due to alleged circumstances like a death in the family. When a target replies, the actor instructs them to contact a shipping company to arrange delivery.

When a victim responds, they are directed to arrange delivery with a fraudulent shipping company, also managed by the scammer, who demands payment for transportation costs upfront while also attempting to collect personal information such as names, addresses, and phone numbers. At least one Bitcoin wallet linked to these scams has seen transactions totalling over $900,000, indicating a substantial financial impact. Once the victim provides a small amount of money to the fraudster, however, the fraudster cuts all contact and disappears.

These cases illustrate the odd yet effective nature of social engineering. Protecting against such threats requires constant vigilance, a deep understanding of the tactics employed, and robust security measures. Education and scepticism are crucial defences, as is the prudent use of technology. It’s essential to approach unsolicited offers with caution, particularly on social media, where these scams often find a ready audience.

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.