You’re not as smart as you think you are: Phishing with Covid-19 as bait

Sept. 16, 2020
We need to understand how social engineering, and by extension (spear) phishing, works

Targeting people, instead of systems, is the fastest and most results-driven method of hacking. The reason is the Dunning-Kruger effect, a cognitive bias where people overestimate their knowledge or ability in a certain area. In the case of network security, people overestimate their ability to gauge risky behavior online. And why not? There is an entire adult generation in the workforce that has never known life without the Internet. They’ve been simultaneously consuming and curating digital content since early childhood. Even older generations have logged tens of thousands of hours of screen time. In 2020, we are all confident in our proficiency in this globally connected world.

Yet, the hacking continues. We’ve become desensitized to people and organizations announcing that their accounts and data centers have been compromised. Now Covid-19 adds a disturbing wrinkle into our digital lives.

The Psychology of Phishing – We’re just the fish in a barrel

We need to understand how social engineering, and by extension (spear) phishing, works, and we need to understand why we fall prey to these types of attacks. In our typical day, we don’t get very emotional while performing our work.

The simple act of receiving an email and writing a response is no more exhilarating than unloading the dishwasher. On a rare occasion, we get an email from our bosses or clients that genuinely gets our heart rate up and invokes emotion. Psychologist Paul Ekman identified six basic emotions: anger, disgust, fear, happiness, sadness, and surprise. Seeing an urgent email from your manager may initially invoke a sense of fear, as your livelihood is tied to their approval. It could then evolve, after reading, into happiness as a result of praise for a job well done. Hopefully it doesn’t result in sadness from being critiqued. Regardless of the nature of the email, you’re not in the same emotional state as when one of your peers requests routine assistance. The social engineer’s goal is to create emotion in the target that causes irrational thought, because emotional people make mistakes. Hackers also prey on the target’s vanity: people believe themselves to be savvy and incapable of falling victim to hackers.

COVID-19 is a top-of-mind concern that sets the stage for an emotional response. It depends on the individual, but the odds of an emotional response are quite high. According to a recent survey by the Society for Human Resources Management about the psychological costs of COVID-19, nearly 1 in 4 employees report feeling down, depressed, or hopeless often. Further, 41 percent feel burnt out, drained, or exhausted from their work.

Hackers with good intelligence on their target, using “spear phishing”, are typically more effective than the “spray and pray” approach to phishing. It takes time to find a trigger that instills urgency. Covid-19, a global health threat, fits that bill. We are all eager to find out more.

The Anatomy of COVID-19 Click-bait

Let’s look at an attack. First, finding factual information about COVID-19 has been a challenge. There is so much contradictory information as scientists and politicians bicker over safety precautions and the danger of the coronavirus. This uncertainty is the perfect click-bait.

Let’s examine one URL that my company’s security research team has seen in the wild, used in an attempt to trick people:

hxxps:[//]cdc.gov.coronavirus.secure.server[.]shorttermrental[.]org[/]vaccine/auth/cgi-bin/cgi-bin.exe

Don’t worry, the link has been altered to prevent anyone reading this article from clicking it. The unmodified version of the link is also now defunct.

Let’s dissect that link:

  • First, the subdomain is cdc.gov

o   A ploy to trick the target into fully believing this is information from the US Centers for Disease Control, an authoritative source

  • The next subdomain is coronavirus

o   More bait designed to convince the target that this link contains the critical information they need about an emotion-provoking topic

  • The next two subdomains are secure and server

o   Innocuous and potentially soothing labels that further assist in hiding the true domain

  • shorttermrental[.]org is the registered domain that is actually being resolved

o   Note we use incorrect brackets to ensure our readers do not accidentally browse to a potentially felonious domain

  • Within the path of the link, there is another keyword designed to invoke emotion: vaccine

o   This evokes some powerful questions worth exploring: Is the CDC endorsing a vaccine? Is there a cure?

  • Next, we have /auth/cgi-bin

o   cgi-bin is the conventional directory on an Apache web server that holds Common Gateway Interface scripts

o   We’ve all seen this in URLs many times before, and, as we’re all experts on using the internet, we never let parts of a URL we’ve seen before, but may not understand, intimidate us.

o   We’re very smart and our level of understanding is the long tail of the Dunning-Kruger effect [obvious sarcasm]

  • cgi-bin.exe

o   The malware is hidden behind a repeated string that looks like something we’ve seen before, but may not understand

o   This is a concept called semantic satiation, a psychological phenomenon in which repetition causes a word or phrase to temporarily lose meaning for the reader, who then perceives the content as meaningless.

§  This technique is applied in the malware’s path:

§  /auth/cgi-bin/cgi-bin.exe
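As an added example (not code from the author or from Keysight), the script below automates the dissection above for a defender triaging a reported link: it refangs the analyst notation, separates the registered domain from the attacker-controlled subdomains, and flags the same signals the article points at, namely an authority domain smuggled into the subdomain, emotion-provoking lure words, a direct executable download, and a repeated path segment. The AUTHORITY_DOMAINS, LURE_WORDS and EXECUTABLE_EXTENSIONS lists and the benign comparison URL are constructed for illustration, and the TWO_LABEL_SUFFIXES set is a deliberate stand-in for the full Public Suffix List.

```python
"""Heuristic triage of a suspicious URL, mirroring the manual dissection above."""
import re
from urllib.parse import urlsplit

# Constructed, illustrative lists (not from the article): authority domains an
# attacker might impersonate inside a subdomain, lure words tied to the Covid-19
# theme, and file extensions that mean the link is a direct executable download.
AUTHORITY_DOMAINS = ("cdc.gov", "who.int", "irs.gov", "nih.gov")
LURE_WORDS = ("covid", "coronavirus", "vaccine", "cure", "relief")
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".vbs", ".hta", ".msi")

# Minimal stand-in for the Public Suffix List: two-label public suffixes that a
# naive "last two labels" rule would get wrong. Real tooling should use the full
# list (e.g. via the tldextract package); this is a deliberate simplification.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# The defanged link from the article, kept in its defanged form.
SAMPLE_PHISH = ("hxxps:[//]cdc.gov.coronavirus.secure.server[.]shorttermrental[.]org"
                "[/]vaccine/auth/cgi-bin/cgi-bin.exe")


def refang(defanged: str) -> str:
    """Undo common analyst defanging (hxxp, [.], [//], [/], [:]) so the URL parses."""
    url = re.sub(r"^hxxp", "http", defanged, flags=re.IGNORECASE)
    for token, real in (("[.]", "."), ("[//]", "//"), ("[/]", "/"), ("[:]", ":")):
        url = url.replace(token, real)
    return url


def registered_domain(host: str) -> str:
    """Return the registrable domain: the part a registrar actually sold to someone."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(defanged_url: str) -> dict:
    """Split a (possibly defanged) URL and collect the social-engineering signals."""
    parts = urlsplit(refang(defanged_url))
    host = parts.hostname or ""
    reg_domain = registered_domain(host)
    # Everything left of the registered domain is a subdomain its owner controls.
    subdomain = host[: -len(reg_domain)].rstrip(".") if host.endswith(reg_domain) else ""
    path = parts.path.lower()
    findings = []

    # 1. An authoritative domain name used as a subdomain label sequence (cdc.gov.<...>).
    padded = "." + subdomain + "."
    for auth in AUTHORITY_DOMAINS:
        if "." + auth + "." in padded:
            findings.append(f"impersonated authority in subdomain: {auth}")

    # 2. Lure words, matched as whole tokens so that e.g. "cure" does not hit "secure".
    tokens = set(host.split(".")) | {t for t in re.split(r"[/._-]", path) if t}
    lures = sorted(w for w in LURE_WORDS if w in tokens)
    if lures:
        findings.append("lure words: " + ", ".join(lures))

    # 3. Path that ends in a directly executable file.
    if path.endswith(EXECUTABLE_EXTENSIONS):
        findings.append(f"executable download in path: {path.rsplit('/', 1)[-1]}")

    # 4. Repeated path segments, the "semantic satiation" trick (cgi-bin/cgi-bin.exe).
    stems = [s.rsplit(".", 1)[0] for s in path.split("/") if s]
    repeated = sorted({s for s in stems if stems.count(s) > 1})
    if repeated:
        findings.append("repeated path segment: " + ", ".join(repeated))

    risk = "high" if len(findings) >= 2 else "medium" if findings else "low"
    return {"host": host, "registered_domain": reg_domain, "subdomain": subdomain,
            "lures": lures, "findings": findings, "risk": risk}


if __name__ == "__main__":
    # The article's link, followed by a constructed benign URL on the real authority domain.
    for url in (SAMPLE_PHISH, "https://www.cdc.gov/coronavirus/"):
        report = analyze_url(url)
        print(f"{report['registered_domain']:<22} risk={report['risk']:<6} {report['findings']}")
```

The benign comparison comes out as "medium" on lure words alone, which is the point of keeping the registered-domain split separate from the keyword check: a topic word is not evidence by itself, whereas an authority domain appearing left of the registered domain is.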

This entire URL was specifically crafted to invoke as much emotion as possible while hiding a link to an executable that downloads malware onto your computer. In reality, cgi-bin.exe is the malware itself. Other Covid-19 campaigns have used the same technique to invoke emotions in targets but, instead of claiming to have critical information from the CDC, they masquerade as webpages from financial institutions, travel sites, government tax agencies, and many others. Below is a screenshot of a Covid-19 phishing webpage masquerading as the French tax authority. What a brilliant way to invoke multiple emotional triggers by combining Covid-19 with paying your

The good news is that now, with a little more awareness of how spear phishing and social engineering work, you’ll be a little better prepared not to fall victim to the next attack.

About the author: Phil Trainor is the Director, Security Solutions at Keysight Technologies, Inc. (NYSE: KEYS), a leading technology company that helps enterprises, service providers and governments accelerate innovation to connect and secure the world.