Authored by: Phil Trainor, Director, Security Solutions, Keysight Technologies
Targeting people, instead of systems, is the fastest and most results-driven method of hacking. The reason for this is due to the Dunning-Kruger effect, a cognitive bias where people overestimate their knowledge or ability in a certain area. In the case of network security, people overestimate their ability to gauge risky behaviour online. And why not? There is an entire adult generation in the workforce that has never known life without the Internet. They’ve been simultaneously consuming and curating digital content since early childhood. Even older generations have logged tens of thousands of hours of screen time. In 2020, we are all confident in our proficiency in this globally connected world.
Yet, the hacking continues. We’ve become desensitised to people and organisations announcing that their accounts and data centres have been compromised. Now Covid-19 adds a disturbing wrinkle into our digital lives.
The Psychology of Phishing – We’re just the fish in a barrel
We need to understand how social engineering, and by extension (spear) phishing, works, and we need to understand why we fall prey to these types of attacks. In our typical day, we don’t get very emotional while performing our work.
The simple act of receiving an email and writing a response is no more exhilarating than unloading the dishwasher. On a rare occasion, we get an email from our bosses or clients that genuinely gets our heart rates up and invokes emotion. Psychologist, Paul Ekman, identified six basic emotions: anger, disgust, fear, happiness, sadness, and surprise. Seeing an urgent email from your manager may initially invoke a sense of fear as your livelihood is tied to their approval. It could then evolve, after reading, into happiness as a result of praise for a job well done. Hopefully it doesn’t result in sadness from being critiqued. Regardless of the nature of the email, you’re not in the same emotional state as when one of your peers requests routine assistance. The social engineer’s goal is to create emotion in the target that causes irrational thought because emotional people make mistakes. Hackers also prey on the target’s vanity where people believe themselves to be savvy and incapable of falling victim to hackers.
COVID-19 is a top-of-mind concern that sets the stage for an emotional response. It depends on the individual, but the odds of an emotional response are quite high. According to a recent survey by the Society for Human Resources Management about the psychological costs of COVID-19, nearly 1 in 4 employees report feeling down, depressed, or hopeless often. Further, 41 per cent feel burnt out, drained, or exhausted from their work.
Hackers with good intelligence on their target using “spear phishing” are typically more effective than the “spray and pray” approach to phishing. It takes time in order to find a trigger that instills urgency. Covid-19, a global health threat, fits that bill. We are all eager to find out more.
The Anatomy of COVID-19 Click-bait
Let’s look at an attack. First, finding factual information about COVID-19 has been a challenge. There is so much contradictory information as scientists and politicians bicker over safety precautions and the danger of the coronavirus. This uncertainty is the perfect click-bait.
Let’s examine one url that my company’s security research team has seen in the wild in an attempt to trick people.:
Don’t worry, the link has been altered to prevent anyone reading this article from clicking it. The unmodified version of the link is also now defunct.
Let’s dissect that link:
First, the subdomain is cdc.gov
a ploy to trick the target into fully believing this is information from the US Center for Disease Control, an authoritative source
The next subdomain is coronavirus
More info designed to trick the target that this link contains that critical information that will inform them about an emotion-provoking topic
The next two subdomains are secure and server
Innocuous and, potentially soothing, domains that further assist and hiding the true domain
shorttermrental[.]org is the domain that is actually being resolved
Note we use incorrect brackets to ensure our reader do not accidentally browse to a potentially felonious domain
Within the directory of the link there is another keyword designed to invoke emotion: vaccine
This evokes some powerful stuff worth exploring: Is the CDC endorsing a vaccine? Is there a cure?
Next we have /auth/cgi-bin
This is a directory for the Apache webserver that runs Common Gateway Interface scripts
We’ve all seen this in urls many times before, and, as we’re all experts on using the internet and we never let parts of a url we’ve seen before, but may not understand, intimidate.
We’re very smart and our level of understanding is the long tail of the Dunning-Kruger effect [obvious sarcasm]
Having the malware hidden by repeating strings that look like something we’ve seen before, but may not understand
This is a concept called semantic satiation, a psychological phenomenon in which repetition causes a word or phrase to temporarily lose meaning for the reader, who then perceives the content as meaningless.
This technique is applied by the malware:
This entire URL was specifically crafted to invoke as much emotion as possible while hiding a link executable that downloads malware onto your computer. In reality, cgi-bin.exe is really the malware Win.Worm.Brontok-88 which copies itself into various folders and modifies the operating system security settings before modifying the hosts file which acts as a database for resolving domain names. This malware has been fairly prevalent in Russia, but it has a global reach.
Other Covid-19 campaigns have used the same technique to invoke emotions in targets but, instead of claiming to have critical information from the CDC, they masquerade as webpages from financial institutions, travel sites, government tax agencies, and many others. Below is a screenshot of a Covid-19 phishing webpage masquerading as the French tax authority. What a brilliant way to invoke multiple emotional triggers by combining Covid-19 with paying your taxes!
The good news is that now with a little more awareness of how spearfishing and social engineering works, you’ll be a little better prepared to not fall victim of the next attack.