When sending social engineering-based attacks, attackers have always used context and timing to their advantage. Combined with the psychological advantage of impersonating someone in a position of authority, the attackers can lure the target, often a low or mid-level employee, to take an action desired by the attacker by simply sending a well-timed email that has highly relevant contextual information —without requiring any type of malicious payload.
A great example of this approach is a recent large-scale impersonation campaign involving gift cards, which is the subject of this month’s Threat Spotlight.Attackers are using social engineering to trick office managers, executive assistants, and receptionists into sending gift cards to the attackersClick To Tweet
Gift card spear phishing – Attackers use social engineering to trick office managers, executive assistants, and receptionists into sending gift cards to the attackers, claiming it’s for employee rewards, perhaps as a holiday surprise. The specific ask for gift cards this time of year is also interesting, and another example of just how targeted these attacks are.
Since early October, the Barracuda team has seen an uptick in social engineering attacks where the goal is to get the target to send gift cards to the attacker. Attackers know that many companies are asking their office managers, executive assistants, and receptionists to purchase gift cards for employees in anticipation of the holiday season. Therefore, they are specifically targeting these roles, often impersonating the CEO of organization. Of course, the employee will be under pressure to quickly execute the request of the CEO, which adds extra pressure to the transaction.
Let's take a look at some of the specific tactics the attackers are using.
Tactic 1: CEO impersonation
In this first anonymized example, the attacker impersonates the company's CEO and asks specifically for some Google Play gift cards. It is possible that this company was already planning to purchase such gift cards.
Tactic 2: Request for secrecy
In the second example, the attacker asks the recipient to keep it confidential (because the gift cards are meant to be a reward). Given the timing is so close to the holidays, the uptick in seeing an ask specifically for gift cards is interesting.
Tactic 3: Researching relevant details
In the third example, the target company is a multi-national organization, it appears the attacker knows that they will require gift cards in different currencies.
Tactic 4: Implied urgency
In all of the examples, the attacker uses language that implies urgency (“Do get back to me,” “How soon can you get this done”). The attacker even includes a signature pointing out that the email was sent from a mobile device. This conveys a sense of urgency and implies that the impersonated employee is out of the office, so there is no way to contact them in person to verify the request.'These types of attacks are very hard for traditional email filters to pick up because they are targeted and do not contain any obvious malicious signals.'Click To Tweet
Why the attacks work
In all of these attacks, the emails were sent from free personal email services with a relatively high reputation. In addition, they do not contain any type of malicious payload, such as links or attachments. Instead the emails rely solely on social engineering and impersonation to trick their targets. These types of attacks are very hard for traditional email filters to pick up because they are targeted, have a high reputation, and do not contain any obvious malicious signals.
Comment vous protéger
The most effective way to stop these types of attacks is using an AI-based email security solution, which understands the specific context of the organization and can use it to detect anomalies. For example, in the emails we shared above, an AI solution can recognize that the attackers are not using email addresses normally used by the CEO. In addition, the AI can pick up on the urgent call to action and the request for a financial transaction, which would raise a red flag.
Regular security awareness training and phishing simulations for employees can also help teach them how to spot this type of attack. And, if you don’t already have procedures in place spelling out how to confirm any financial requests that come in via email, whether they’re for wire transfers or gift card purchases, now is a good time to create those guidelines. It could help employees avoid making a costly mistake.The most effective way to stop gift card scam #phishing attacks is using an AI-based email security solutionClick To Tweet
Asaf Cidon is a professor of electrical engineering and computer science at Columbia University and a Barracuda adviser. He previously served as vice president of content security services at Barracuda Networks. In this role, he was one of the leaders for Barracuda Sentinel, the company's AI solution for real-time spear phishing and cyber fraud defense. Asaf was previously CEO and co-founder of Sookasa, a cloud storage security startup that was acquired by Barracuda. Prior to that, he completed his PhD at Stanford, where his research focused on cloud storage reliability and performance. He also worked at Google’s web search engineering team. Asaf holds a PhD and MS in Electrical Engineering from Stanford, and BSc in Computer Engineering from the Technion.