Strangest phishing lures that changed the social engineering threat landscape in 2018-19

• Companies in the marketing sector were one of the top targets between 2018 and 2019.
• A commonly spoofed email includes a subject line detailing new products released by a marketing company.

Attackers have taken phishing attacks to a whole new level in the past years. They are actively playing on the emotions of people and consumers to deploy a successful attack and steal their sensitive information without the victims’ being aware.

According to Proofpoint’s 2019 Human Factor Report, the top social engineering tactics were implemented on a wide range of people apart from C-level executives. These include the support team, HR team, or billing officials in organizations.

The report also highlights that threat actors are also building their profiles, creating their brands on social media as a lure to entrap more and more victims.

Strange phishing lures

With a wide range of targets, attackers have been observed using some unique themes of social engineering to launch their phishing attacks between 2018 and 2019. They are:

• Brain food - These cleverly-crafted phishing emails were sent to victims, promoting bogus intelligence-boosting supplements and diet pills. The email included a steady diet of junk messages containing links to malicious pages. These malicious pages were hosted on more than 5,000 compromised websites that used content management systems.

• Fake cloud storage or services - In 2019, the malicious actors shifted to cloud storage or services links like DocuSign, Dropbox, Box link and Microsoft Cloud Services as a method to bypass secure email gateway. These services have become really effective phishing lures in 2019.

The affected sectors

• Companies in the marketing sector were one of the top targets between 2018 and 2019. These companies hold a good amount of sensitive information related to their customers - such as their names, locations and maybe work habits - which make them a lucrative target among cybercriminals.

A common spoofed email includes a subject line detailing new products released by a marketing company.

• Real estate also saw a good number of phishing attacks between 2019 and 2020. Scammers duped the real estate industries with emails that typically dealt with transactions of funds that need to be done immediately.

“Getting into a real estate organization is a really successful get for a threat actor if they can get inside those transactions and start siphoning off those little payments and fees that go through a lot of real estate agents,” explained Sherrod DeGrippo, the senior director of the threat research and detection team at Proofpoint, Threatpost reported.

What next?

Threat actors are devising several ways in launching a lot of these campaigns. In a recent campaign, they have been observed using new technologies like deep fake and artificial intelligence to trick victims into believing that they are talking with a legitimate person.