During class, we talked about vishing. Below is a link to a short video that shows an IT professional being duped: after receiving compliments and the promise of an award, he hands over his contact details and credit card information to pay for shipping the “reward”.
After watching your video at https://youtu.be/D_yAYhjNE-0, what social engineering tactics did you observe in the video?
Nicholas Fabrizio says
The attacker seemed to have done some reconnaissance before attempting the vishing attack. The award was specifically for cybersecurity, so the attacker possibly targeted him based on the blogs the victim mentioned he writes, and exploited the victim’s emotions about not getting recognition for all the work he has done to protect his organization. Lastly, the attacker was confident and friendly, which helped make the scam appear more legitimate.
William Bailey says
Reading into the scenario a little, and seeing the blogs, Dave, our victim, probably cheerfully volunteered his WORK email address in order to be able to read the blog. Whether on the blog itself, or on third party content on the blog site, at that point the victim is being tracked. Dave made himself the target.
Humbert Amiani says
https://youtu.be/D_yAYhjNE-0
In the video I watched, Dave is duped into believing he missed the most amazing new episode of Game of Dragons. Since Dave does not have cable, he falls for an email with a link to watch this episode for free. Little does he know that all his files will be encrypted and locked by ransomware until he pays $1000 in bitcoin. So, Dave was presented with something enticing yet unavailable to him, and the first chance he gets to watch the episode for free, he takes it.
Zhuofu Wang says
A typical phishing case. Two colleagues (maybe social engineers) of the victim recommended a new episode to him and mentioned a free version (perhaps hinting to the victim that a free version exists, to increase the success rate of the phishing). Later, the victim received an external phishing email, which contained a ‘free streaming online’ link.
It is worth mentioning that when the victim clicked on the link and triggered the ransomware, facing blackmail from the attackers, he said that he had backed up the data, which is obviously a good habit. Subsequently, the attacker used another method to blackmail the victim, threatening to disclose some sensitive information about the victim. This trick took effect, and the victim paid the attacker a ransom.
William Bailey says
The co-workers are very likely not part of the incident, other than being someone that the victim works with, and they’re talking about a television show that the victim can’t watch. In the year 2020, do we all buy each and every subscription streaming service?
The comment about backing up the data is perhaps a bit of sarcasm. In reality, most people fail to really back up their data – either due to time/cost/laziness, or outright perceiving that “it can’t happen to me”.
As the video shows, it does happen to the victim.
Zhuofu Wang says
Yeah, for this video they are only co-workers. But in actual situations, the social engineer may cooperate with other attackers to try to hint/guide the victim to open those phishing emails, which contain malicious malware.
When it comes to backing up data, many people choose the cloud. I think there are still some risks in using cloud storage to back up certain sensitive information, even if the cloud is becoming more and more secure.
Kelly Sharadin says
My video involved the ransomware attack via a phishing email. This attack used a combination of tactics to ensnare the victim. The phishing email utilized trends in pop culture (a top TV show), so the chances that someone would click on a free stream of the latest episode are high. Secondly, the fact the stream is ‘free’ also helped increase the chances that the target would click on the email. In a post-Napster world piracy has become the norm. Also, the timing of the phishing email plays a lot into the attack’s success. The target’s coworkers are featured talking about the most recent episode, so a phishing email sent shortly after the legitimate episode’s premiere is a smart tactic.
Of course, the subsequent blackmailing tactic of threatening to expose the target’s embarrassing personal data helped propel the target to pay the ransom.
Anthony Wong says
The social engineering tactics I see in the video are phishing and baiting. The phishing email was perfectly timed and directed to Dave as it offered downloads of your favorite shows for “free”. In this case, the latest episode of Game of Dragons was the bait. After he watched an episode and started talking to his colleagues about the episode, he soon realized that he was duped and was provided an older episode from a few weeks ago.
Bryan Garrahan says
In this scenario Dave fell victim to a phishing attack by the hacker. I don’t necessarily know how much reconnaissance was performed prior to delivering the phishing email as Game of Dragons is clearly referring to Game of Thrones, which has an extremely diverse adult audience. I believe in this case sending this phishing communication to a number of obtained emails would have attracted some clicks (i.e. tempting attachment) due to the popularity of the show.
Now I understand the purpose of these videos is to exaggerate scenarios in order to get a certain point across, but I found the sender’s name of extortion.entertainment.spy to be humorous. Additionally, I noticed a number of misspellings in the email itself – for example, the attacker spelled “your” as “ur”. The email Dave receives reminds me of some of the simulated phishing emails that my organization’s security team sends out in order to maintain security awareness.
Candace T Nelson says
Well, this was most definitely a phishing attack that lured Dave into throwing caution to the wind in the hopes that he could catch up on the program episode and “fit in” better with his colleagues. I noted that Dave was looking at an article titled How to be a Better Manager when the video began, and one of the paragraphs was titled “Connect With Direct Reports over Common Interests.” This brought two things to mind:
– It was not unusual for Dave to be looking at sites that may not have been associated with his work.
– Dave had a desire to improve his managerial skills by being accepted by his colleagues.
In the article titled 5 Emotions Used in Social Engineering Attacks, author Bruce Sussman described the following five emotions that hackers and cybercriminals use against us:
1. Greed – as it relates to this video, Dave thought he was going to get his hands on the desirable episode for free!
2. Curiosity – Dave was intrigued when he received the email from extortionentertainment.spy.
3. Urgency – Dave was given 10 minutes to wire $1,000 in Bitcoin or (perhaps?) his data would be destroyed.
4. Helpfulness – I didn’t see any specific examples of this emotion in Dave’s situation.
5. Fear – once again, the threat of destroying Dave’s data (that he failed to back up, which would make him look inferior since his colleague had specifically told him to do so) caused Dave to respond out of fear, as did the humiliation of the karaoke video being released. Incidentally, this made me wonder if Dave had been profiled, or if it was just a lucky guess that there had been a sales meeting, that there was karaoke at this meeting, and that Dave had performed badly. So much peer pressure throughout!
https://www.secureworldexpo.com/industry-news/5-emotions-hackers-use-social-engineering-attacks
Finally, I noticed that the extortionentertainment.spy email contained the word CONGRATULATIONS but that it was spelled CONGRATURATION (potentially indicative of a state actor) – which should have been a signal to Dave that to proceed would be dangerous!
Amelia Safirstein says
The point about the misspelled word “Congraturation” is great! Attackers sometimes misspell certain words in an attempt to get more phishing emails through spam filters.
Amelia Safirstein says
The victim received a phishing email that promised a free viewing of Game of Dragons, a show that is typically paid for through service subscriptions. The bad actor followed a few common social engineering tactics.
First, the attacker emailed the victim from a strange and somewhat suspicious email address. Sometimes attackers actually intentionally add details like this that will tip off more cybersecurity-savvy recipients. The attacker likely sent this email to many people, and their end goal is to get the $1000 ransomware payments, not to waste their own time on recipients who will have backed up their data or who have better plans in place for ransomware attacks.
Second, the attacker included a reward that was timely and that seemed almost too good to be true. They use these kinds of rewards to lure victims into downloading files or clicking links.
Lastly, after the victim clicked the link, the attacker implemented a short time limit on payment to cause the victim to panic. If the victim had weeks to pay the attacker, they may have been able to reach out to their company for help, or to think through a smarter plan to circumvent paying the attacker.