Offbeat Social Engineering Tricks in a Scammer’s Handbook

Contrary to stereotype, today’s cyberattacks aren’t limited to complex tactics such as the use of zero-day exploits or polymorphic malware that flies under the radar of traditional defenses. Instead of going the extra mile to set such schemes in motion, most threat actors take a shortcut and piggyback the human factor. A combination of a would-be victim’s security awareness gap, insufficient attention to detail, and innate gullibility create a potential recipe for disaster when seasoned cybercriminals step in.

To increase the success rate of such attacks, fraudsters accurately align their tactics, techniques, and procedures (TTPs) with a specific user or organization rather than casting a wide net in an attempt to trap someone. This way, the payload – whether mental or digital – entices the target’s interests or triggers their pain points.

Let’s face it; malicious actors come up with growingly ingenious brainwashing tricks. However, many CISOs are still confident that garden-variety antimalware tools, paired with regular IT policies and procedures, are enough to stop cybercriminals in their tracks. Tackling this asymmetry in terms of strategies and mindset is a cornerstone of a robust security posture.

It comes as no surprise that security experts consistently push the agenda about social engineering, phishing, and Business Email Compromise (BEC) attacks being increasingly impactful across the cyber threat landscape. The following unorthodox stratagems in the present-day cybercrooks’ genre illustrate how relevant these precautions are and how important it is to be reasonably paranoid about suspicious emails, links, and even paper mail or text messages.

The sketchy @ sign

This technique probably won’t fool vigilant folks, but social engineering relies on a lack of prudence for a reason – most users don’t notice subtle tricks like this one, only to fall for the fraud. Those who always scrutinize URLs for dubious characteristics will instantly realize that a link like https://[email protected] is a dodgy one. Indeed, it seems that the @ symbol doesn’t belong inside a normal URL.

There is a caveat, though. According to conventional URL syntax outlined in RFC 1738, the @ sign can be used to split the <username><password> and <host> attributes of a URL to grant someone permission to access an authentication-protected web page by simply clicking the link. The pitfall is that regardless of the string preceding the @ character, a web browser will forward the user to the site (host) specified right after it. The landing page is a malicious one used for credential phishing or something similarly treacherous.

Malicious encoding

If you take some Arabic characters, encode them using the UTF8 to hexadecimal conversion routine, and concatenate the output to an arbitrary URL, then the resulting string will look unintelligible and may appear to be harmless upon an initial examination. Here’s an example: https://[email protected]%A0%C7%21%B2%B5%64%A0%D1%C0%B8%.

Hovering a mouse over such a URL in a desktop web browser allows you to preview it in decoded form automatically, which gives you clearer information about the risk if you are careful enough. However, this isn’t the case with a mobile browser or an email client like Outlook that displays the encoded variant. When there are no clues suggesting that the link could be malicious, the odds of someone clicking it are much higher.

Link preview exploitation

The Windows operating system hides file extensions by default, and you need to toggle the settings to see them. This quirk is known to propel attacks where malware executables are disguised as benign files. A similar hoax can be accomplished with URLs.

For instance, a harmful link may assume the following shape: https://companyname.com:[email protected]/bbbbbbbbbbbb.html. A scammer can simply replace the “aaa” and “bbb” parts with arbitrary keywords that are typically shown on the genuine web page.

Mozilla Firefox automatically truncates such links in the middle, and therefore, the “badsite.com” part will be obfuscated. All you will see is an array of characters that don’t seem malicious. Other browsers may render such long URLs in different ways, so the techniques for hiding the fraudulent part will vary. If an attacker knows exactly what browser the target uses, they can leverage the appropriate mechanism.

Phone reconnaissance

Impostors can make test phone calls to personnel of the target organization before orchestrating their ploy. If the answering machine message reveals that an employee is currently on vacation, they can try to take advantage of them being out of the office. An example trick is to contact colleagues via email on behalf of that person and discuss some business issues to extract confidential information.

To increase the effectiveness of this ruse, cybercriminals can spoof the email address of the alleged sender. This type of email attack is fueled by the inability of transmission protocols to authenticate the source of a message. Additionally, it’s ridiculously easy for a scammer to change the metadata of an email and make it look legitimate.

Good old paper mail as a lure

If a company’s senior manager is the target, an attacker can try to exploit his or her ego. For a start, they’ll set up a rogue website supposedly dedicated to a business event such as a conference or forum. Their next move is to convince the executive to visit this page. One of the ways is to send the person a regular letter.

The main benefit of using this method is that the attack will circumvent the entirety of electronic defenses deployed in the organization. Furthermore, paper mail will undoubtedly reach the victim because handing it over to the boss is among their staff’s normal day-to-day duties.

From a scammer’s perspective, an important prerequisite of a successful attack in this scenario is to make sure the envelope looks professional enough to match the recipient’s VIP status. The message itself would emphasize the proposed role of the victim in future events, which may come in the form of an invitation as a speaker, awardee, special guest, or jury member. The phishing page can be cloaked within a registration form provided at the end of the letter. Rather than typing the URL itself, more dexterous fraudsters print a QR code that opens the malicious landing page.

Mimicking email templates

To keep the red flags down when impersonating someone’s coworker, an unscrupulous social engineer might submit a general inquiry via the target organization’s contact form and wait for an official response that typically includes branding elements and specific formatting. Then, they will copy the design of that email to masquerade their phishing messages as an internal correspondence of the company.

OSINT

Open Source Intelligence (OSINT), is an ally of a threat actor. If done right, it can speak volumes about the personal life of a target employee. By analyzing the person’s social media profiles, the attacker may be able to find information that leads to exploitable interests and lifestyle details.

For instance, if the malefactor comes across a particular vacation resort that the victim has recently visited, they may impersonate its administration and send an email demanding an extra fee for unpaid services. The message would look like it was generated automatically, and the person can reply using a form in the customer support section on a copycat official site. This way, the scammer can lure the target to follow a phony link and sign in. Chances are that the victim reuses the same authentication details on different sites. This can be a catalyst for expanding the attack surface.

In case the OSINT investigation reveals that the employee mostly uses a particular airline service when traveling, the perpetrator can send a message stating that the target can earn a ton of extra bonus miles by joining an additional loyalty program. The email would typically emphasize that this is a short-term offer to make the user act quickly into activating the phony program.

If the attacker finds out that the person has recently participated in an event, they may write an email providing a link to download the appropriate presentation content. The offer would also notify the recipient that they can get a discount for the next conference once they sign into the site, which is a booby-trapped page in disguise.

“Rabbit hole” manipulation

A particularly intricate method of social engineering is to entice the potential victim into finding a phishing site on their own. This technique relies on decoy information that evokes the target’s curiosity. The person will likely look up the intriguing subject on a search engine, only to come across and visit a recently launched malicious website.

Summary

Automated security mechanisms are the primary protection strategy of modern companies to prevent malware attacks and stop malicious incursions. These defenses alone are insufficient against a competent and determined social engineer.

Even if top-notch security systems are in place, they can be ineffective as long as employees download dubious email attachments, use poor authentication practices, or click on phishing links. Social engineering and phishing awareness are often the missing pieces of the security puzzle toward creating a more secure organization.

About the Author:

David Balaban is a cybersecurity analyst with two decades of track record in malware research and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a solid malware troubleshooting background, with a recent focus on ransomware countermeasures.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.