Job termination scam warns staff of phony Employment Tribunal decision

Creators of phishing messages usually want to create anxiety in their targets so they’ll unwittingly download malware. And nothing gets stomachs churning more than the possibility of losing your job.

One of the latest examples of this was detected by Cloudflare, which issued a report Thursday on a recent job termination phishing scam that included some novel techniques.

The report is a reminder to CISOs that all employees have to be regularly warned not to click on links or download documents in messages that spark an emotional response — and to carefully check the email header to verify the sender is legitimate.

Defenders may also want to expand the number of brands and organizations their reputation detection software should cover.

“Fear of losing your job is an incredible social engineering tactic,” said David Shipley of Canada-based security awareness provider Beauceron Security.

It’s tied in persuasiveness with phishing campaigns promising a document listing what your fellow employees are being paid, he added. “That one is dynamite,” because staff have what he called “an insatiable curiosity about what their colleagues are making.”

This particular high-volume campaign was aimed at people in the United Kingdom who are subject to that country’s Employment Tribunals Service, which hears employment-related complaints. That would be a huge chunk of the working population.

Targets received an email, supposedly from the “Employment Court,” that bore a copy of the Tribunal’s logo. The subject line read: “Action Required: Tribunal Proceedings Against You,” and the message started with “Immediate action required.” It listed what looks like official case information data, including an alleged case number, and the so-called case topic was “Termination Notice.”

The message added that failure to comply with the instructions to download and reply to a document could result in “serious legal consequences.”

If a user clicked on the included link, it didn’t directly download malware, because that might be detected by defenses. Instead, the link went to a fraudulent website that impersonated a Microsoft service. It said the user couldn’t access the document on their current device, a trick to get them to download the file.

Actually, there was no document that the victim could read. The downloaded file was a .rar archive that contained a malicious Visual Basic script. That script contained command obfuscation, which Cloudflare noted made the malicious payload less likely to be flagged by traditional scanning techniques. The script then led to further compromise of the system.
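The header and brand checks recommended above can be automated as a first-pass triage of inbound mail. The following is an added example, not code from Cloudflare's report or from the original article; the brand-to-domain map uses a placeholder domain, the finding names are hypothetical, and the sample message is constructed from the lure text quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: brand names map to a placeholder sending domain (substitute the
# organisation's verified domains); pressure phrases come from the quoted lure.
BRANDS = {"employment court": {"tribunal.example"},
          "employment tribunal": {"tribunal.example"}}
PRESSURE = ("action required", "immediate action", "legal consequences")
# Constructed sample message, not a captured one.
SAMPLE = """\
From: "Employment Court" <notices@mail-portal.example>
Subject: Action Required: Tribunal Proceedings Against You
Authentication-Results: mx.corp.example; spf=pass; dkim=none; dmarc=none

Immediate action required. Case topic: Termination Notice.
Download the document: https://docs-viewer.example/case
Failure to comply could result in serious legal consequences.
"""

def _in(domain, allowed):
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def triage(raw):
    """Return {finding_code: detail} for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = " ".join(p.get_payload() for p in msg.walk()
                    if p.get_content_type() == "text/plain")
    findings = {}
    for brand in (b for b in BRANDS if b in display.lower()):
        if not _in(domain, BRANDS[brand]):
            findings["brand_mismatch"] = f"'{display}' sent from {domain}"
        # Links in a branded message should stay on that brand's domains.
        off = [h for h in re.findall(r"https?://([^/\s\"'>]+)", body)
               if not _in(h.lower(), BRANDS[brand])]
        if off:
            findings["offbrand_link"] = ", ".join(off)
    # Only trust Authentication-Results stamped by your own receiving MTA.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    failed = [m for m in ("spf", "dkim", "dmarc") if f"{m}=pass" not in auth]
    if failed:
        findings["auth_not_passed"] = ", ".join(failed)
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [p for p in PRESSURE if p in text]
    if hits:
        findings["pressure_language"] = ", ".join(hits)
    return findings
```

Calling `triage(SAMPLE)` returns all four findings for the constructed lure, while a message with no brand claim, passing authentication and no pressure phrases returns an empty dict.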

Howard Solomon
