New Novel Campaign Targeting Security Researchers Uses Really Creative Social Engineering to Fool Victims



Pretending to be security researchers themselves, this group of cybercriminals went to great lengths to make sure legitimate security researchers would fall for the attack.

Almost every scam or attack I cover here is relatively short and sweet: the bad guy sends an email with some convincing impersonation and credibility cues, a few creative malicious tactics are used to avoid detection, the recipient is taken to a website, and the recipient becomes the victim.

But in this new scam highlighted by Google’s Threat Analysis Group, we see scammers from North Korea go to MUCH greater lengths to establish credibility. Why? Because the intended victims are literally some of the world’s best security researchers – the folks who won’t fall for a simple scam.

Here’s how the scam unfolds:

  • The threat actors establish a blog about known exploits and several Twitter handles to establish themselves as threat researchers
  • Some of the intended victims are even invited to write guest posts on the attacker’s fake blog
  • The threat actors invite the victim security researchers to do vulnerability research together
  • The victims are provided with a Visual Studio project that includes source code for exploiting the vulnerability they are collaborating on
  • The project also includes an additional malicious DLL that allowed the attackers to interact with the security researcher’s computer

If you look back at these steps, 4 of 5 are social engineering tactics used to build up credibility and remove any suspicion of foul play. It’s the same with your users, but it only takes a single email with some normal-looking cues in its content to convince them.

This story goes to show that **everyone** needs to undergo Security Awareness Training – if the smartest, most security-focused people on the planet can be fooled, so can your users.
