Last month, we ran a cybersecurity workshop for one of our clients. But there was a twist: participants were tasked with the role of cybercriminals. Working in small groups, they had to concoct schemes to deceive and exploit their targets. It was fun! Maybe a little too fun for some… 😉 While all schemes were clever and convincing, here are two activities which really stood out to me.
Spear Phishing Email
Participants were given details about a potential victim from the Neiman Marcus breach, which was reported on Have I Been Pwned. They leveraged these details to craft convincing and targeting phishing emails (i.e., spear phishing). It was an interesting puzzle – how to use the available data to convince the target to click a link and extend their information. Here is one that caught my eye:
What’s Great:
- Unexpected purchases creates a sense of urgency
- Reinforced a sense of urgency with a tight 24-hour timeline
- Showed partial credit card data to indicate legitimacy
- Included address to reinforce legitimacy
- Created a believable spoof domain of www.neimanmarcussecurity.com
- Instead of flagging on transaction time, flag on a suspiciously high amount. For example, “We noticed your recent purchase of $8,423.90. While we appreciate your patronage, our team flagged this purchase as suspicious as it does not match your previous shopping history with us. As a courtesy, we are reaching out to confirm that this purchase is legitimate. If you would like to review this purchase, please click the link below.” This is more believable and is more likely to get your target to panic-click.
Quishing Campaign
In the second activity, participants were asked to create a QR phishing, or “quishing” campaign which would exploit the highest number of high-value targets. I think that there were a lot of Swifties in this group, as most campaigns were centered on the recent Taylor Swift concert. Again, there were many creative ideas, but this one was a beauty:
What’s Great:
- It would not seem out of place at a concert. Best to post it in areas with long queues such as near washrooms or concession stands so audience members would be more inclined to engage with the scam
- A busy, euphoric event with distractions and lowered inhibitions make for a great venue for cybercrime
- The design is simple and uncluttered, with a clear message and call to action
- Promotes a believable, high-value item. You could consider including the retail value to further reinforce its value
- Indicates scarcity so targets act quickly, perhaps without thinking
Even Better If:
- State that the t-shirts are from the official Taylor Swift Store and include their logo. Suggest that it’s a store promo to increase the perceived credibility of the scam.
- You can take small bites for data requests. First, ask them to enter their username and password, then shirt size to reinforce legitimacy.
- Once the target has already invested their time and extended some of their data, ask for their home address, then their phone number, then their date of birth. If you are feeling very daring, ask for their social security number. This would allow you to complete a full identity theft: Name + SSN + DOB (trifecta). If they don’t give it, no big deal, you’ve already gotten all of their other information.
- Include a 5-minute countdown timer on the page, suggesting that their free t-shirt is reserved for them as long as they input their information before time runs out.
Summary
Overall, participants demonstrated a high level or resourcefulness and creativity to develop convincing scams during our morning workshop. More importantly, though, is that there are countless real-life cybercriminals that do this on a daily basis as a profession. If a few neophyte armchair cybercriminals could come up with such high quality scams in such a short period of time, imagine how sophisticated attacks will be (or perhaps already are).
Time to doff the black hat for now. Hopefully it has given you some insight into how successful scams snare their targets, and how you as an individual can avoid these traps in your day-to-day work and personal life.
If you think you’re being targeted by an email or online scam, don’t engage with it. Instead, reach out to your IT department so they can evaluate and steer you straight.