From a contractor with love, or Top-5 phishing topics

From a contractor with love, or Top-5 phishing topics

Image generated by Midjourney neural network and added by the author of the article

Hello, Habre! Kateryna Kosolapova is with you. I’m an analyst at Positive Technologies and today I want to talk to you about phishing, or rather: about phishing lovers. Valentine’s Day after all ๐Ÿ˜Š This type of scam never gets old, cybercriminals love it to tears, and in 2023, almost half of all successful attacks on organizations were carried out using it. Everything goes: e-mail, text messages, social networks and messengers. Phishers don’t shy away from calls from the bank (because it works!) and use artificial intelligence (you’ve probably heard of deepfakes).

Phishing attacks are effective. Think for yourself: the costs are small, and if you aim correctly, you can win a big one. In this article, my colleagues and I have collected the five most popular themes used by phishers today. And, of course, exciting examples were given – where would we go without them! Let’s talk about organizations and targeted phishing. Have we hooked you yet? Then hold on!

Favorite contractors

In most attacks on organizations, phishers pretend to be contractors, sending fake reconciliations, invoices, contract extension documents and other data related to interactions with contractors. The popularity of this trick is explained by the fact that it is applicable to almost all organizations and involves the presence of links or attachments in the message. At the same time, this topic is used most often in targeted attacks on medical and financial organizations.

For example, in June 2023, a notice was sent to Italian companies with a request for delayed payment.

Phishing in Italian

The link in the phishing email downloaded a ZIP file that contained spyware. The campaign targeted several organizations from different industries. Needless to say, the reception is universal. Additional information about the victim is not required for such masking, which facilitates the process of preparing an attack without losing quality.

From your favorite IT department

Phishers are very fond of using messages purporting to be from tech support or the IT department, because they know how much we all love to call tech support. Such e-mails look familiar, so attackers have nothing to invent.

Letters from such colleagues usually contain clear instructions calling for certain actions, and no one dares to disobey, which also plays into the hands of attackers. The most common topics in such emails are: account verification, software or security updates, information about postal service disruptions, and password expiration notifications. An addressee with a basic level of digital literacy cannot always independently determine the authenticity of such a message, and the risk of blocking or deleting access or data creates a sense of urgency and prompts rash actions.

In addition, the success of such campaigns does not require detailed information about the victim – it is enough to consider what information products are used in the country of the organization under attack.

It is interesting that in companies specializing in IT technologies, employees receive such messages much more often. It is understandable: most of the work processes here are tied to information systems with which almost everyone interacts, so it is more difficult to distinguish a fake from the general flow.

By the way, this topic is often used in scenarios with phone calls allegedly on behalf of technical support or, conversely, in cases where you need to simulate a call to technical support.

In December 2022, the Muddled Libra group sent phishing messages to the mobile phones of targeted employees, claiming that they needed to update their account information or re-login to the corporate application. The messages contained a link to a fake corporate domain imitating a familiar login page. After the attackers intercepted the credentials needed for initial access, they had one of two options: continue the authentication process from the computer they controlled and immediately request a Multi-Factor Authentication (MFA) code, or wait and start generating an endless stream of MFA requests until the user will not get tired and will accept one of them. If the technique did not work, the attacker would contact the organization’s help desk, pretending to be the victim, claiming that their phone was broken or lost, and asking to register a new device using MFA authentication.

With love from the state

In baits from “state authorities”, the mechanisms of influence are respect for authority and fear of the consequences that may follow if the letter is left unanswered. In order to prepare believable phishing messages of such a topic, attackers need general information about the organization under attack, for example, location, field of activity. The text of the newsletter can be an invitation to a meeting or an offer to jointly work on documents, an urgent request or request for information from a state body, a message with information of state importance, a recommendation from the ministry.

Such emails are mostly sent as part of phishing campaigns targeting the government sector and defense industries, as they are familiar to ordinary employees who often receive genuine emails with similar content.

In February 2023, our PT ESC detected a phishing email addressed to government agencies in Tajikistan, which used the decoy document “Agenda for the High-Level Technical Consultative Meeting on the Health Sector in Tajikistan”. The probability that the victim will respond to such a message is very high, because it merges with the general flow of letters, and the uniform formal style and well-thought-out content are unmistakable.

Fake news

Current news is an effective context for deceiving employees with the help of phishing. In one in ten attacks last year, attackers addressed hot topics, including nuclear power and weapons, protests in Latin America, monkey pox and more.

In June 2023, our expert security center recorded a cyber attack on Russian state institutions and companies from other industries, including trade and services. A hacker group, which we called Cloud Atlas, used a resonant theme – partial mobilization.

Phishing email from the Cloud Atlas campaign

The victim believes that he received a list with a lot of data that needed to be placed in an archive for sending, but when he opens it, the device is infected. In connection with the increased interest in the issue of mobilization, such letters arouse curiosity and are unlikely to be ignored.

Phishing messages with topical news are most often found in attacks on defense and industrial enterprises, scientific and educational institutions, and mass media.

A self-extracting archive disguised as a PDF file and containing an article about Oleksandr Lapshin (a Russian-Israeli travel blogger, journalist and human rights activist) served as a decoy document in a malicious campaign against the Azerbaijani media. In 2021, the European Court of Human Rights ruled that Lapshin’s right to life was violated by the Azerbaijani authorities, and ordered Azerbaijan to pay him compensation in the amount of 30,000 euros. This incident was probably used as bait, as the Lapshin case is widely known in Azerbaijan.

We believe that phishing messages on the topic of the March presidential elections of Russia, the summer Olympic Games in France, and the November presidential elections of the United States are waiting for us soon.

What other events do you think phishers could take advantage of this year?

From your favorite employer or from a well-known brand

Messages from an employer or from a well-known brand affect the recipient due to the authority of the sender. Phishers like to use topics such as employee leave, various manuals, instructions, work recommendations, cost estimates or statements, offers with corporate discounts, billing information, notifications of unread messages in Zoom. However, in order to create the most authentic text, the attacker must have additional information about the victim, including company internal procedures, mailing addresses, job titles, and employee names.

Note that the effectiveness of attacks with messages allegedly from the employer is reduced due to the fact that the victim can easily check the legitimacy of the received message, for example, by asking colleagues if they received such a letter or by checking the sender’s address in the employee directory.

When developing attacks on behalf of well-known brands, phishing masters follow the best practices of the marketing departments of the most famous companies. Banal mass mailings are becoming a thing of the past, the success of which is connected with the desire of the recipients to purchase running goods at a discount or with the impossibility of purchasing them legally (for example, due to sanctions on many categories of goods that were previously supplied to Russia). Modern hackers take into account audience reach, conversion, interest in certain products, targeting and personalization. In some campaigns, victims received advertising messages on behalf of popular brands and were then repeatedly redirected through a chain of sites, where detailed data about the user, his browser, device, user agent, and IP address were collected along the way. Depending on this information, the victim was taken to a unique page with a personalized offer that was difficult to refuse. Based on all collected user parameters, a token was formed for entering the phishing resource, which made it practically untraceable, since the link sent from the phishing message was no longer opened by other users.

Preparing a phishing message is one of the most important stages of an attack: if the bait is unconvincing, spending resources will be in vain. The choice of the subject of the decoy message is determined by the attackers’ goal. At the same time, it should not stand out from the general flow of letters, so that there are no doubts about its legitimacy.

This article lists the most common themes, but they are not the only ones used in phishing messages. There are a number of signs that should arouse suspicion in the addressees. For example, an unfamiliar sender, spelling, syntactic, stylistic errors in the text of the letter or in the name of the brand, a demand for an urgent response, as well as a direct or indirect call to perform suspicious actions. Attackers use relevant, well-designed baits, so you should evaluate messages based on a combination of characteristics and be careful when working with different communication channels. Don’t get caught!

Six emotions that attackers often exploit in phishing messages:

  1. Fear (for example, “Pay off your tax debt immediately”).

  2. Annoyance (for example, when using the “MFA fatigue” technique, where attackers send a constant stream of multifactor authentication requests to cause annoyance and provoke the user to accept one of them).

  3. Carelessness (for example, in the case of using characters that look like writing in links).

  4. Curiosity (eg “Pretty Girls on OnlyFans”).

  5. Greed (eg “Marketplace Discounts and Coupons”).

  6. A desire to help (for example, “Humanitarian aid to victims of the earthquake in Turkey”).

The urgency of the response and the authority of the sender increase the effectiveness of phishing attacks!


Kateryna Kosolapova

Analyst of the research group of the Positive Technologies analytics department

Related posts