
Baiting Tactics and Examples

In this video, Lisa Gilbert will explain a baiting attack example, where a combination of attack types is employed.
How do you recognize a baiting attack? Perhaps someone attempts to appeal to your natural curiosity or greed, often with an interesting-looking USB thumb drive that they either directly give you or that you find. Technical conference sponsors are always passing out free stuff, or swag, to attendees. Maybe you won a prize in a contest you didn’t enter, or perhaps you missed a delivery for a package you weren’t expecting. A cyber criminal might leave a USB stick loaded with malware in a place where the target will see it. In addition, the criminal might label the device in a compelling way, such as “confidential” or “bonuses”.
A target who takes the bait will pick up the device and plug it into the computer to see what’s on it. The malware will then automatically inject itself into the computer. This is a method used by the attackers who created Stuxnet, which was an attack on Iranian centrifuges in the year 2010, except they were much more deliberate. They targeted Iranian engineers at a conference and made sure they got their infected USB drive into the engineers’ hands while passing out harmless drives to other attendees. The “you won a prize” tactic is very common.
You may get a call, email, or text message saying that you’ve won a cruise or a hotel stay, and you just need to provide them with all your personal information, which is exactly what they’re looking for. I was just made aware of a new scam when I got a call from an old friend about getting a notification of a missed package delivery to his new home. I’ll tell you more about that one in my example, because it uses an interesting combination of techniques that we’ve already talked about in this course. So I got a call from a friend last week, because he had a strange experience and wanted my opinion.
He had just purchased a new home, and that day he had a tag left on his door saying he had missed a delivery of a package even though he’d been home all day and had not heard anyone come to the door. The tag had a local phone number to call regarding the delivery, so of course he called it. When he called, the person taking his call seemed suspiciously unprofessional. She told him that she wasn’t able to look up what the package was unless she sent him a text to verify his information. This is the text she sent. It had a link to click to verify his information.
In this case, it seems that the link was intended only to harvest information, but that link could just as easily have downloaded some type of malware, like a keylogger, onto his phone. Even replying “stop” would have verified his phone number for them. While I was on the phone with my friend, I did an internet search for “next day delivery LLC,” the name of the company on the door tag, and I found this news story. It was indeed a scam intended to harvest contact information to sell to contractors marketing home services. I thought this was a great example of several of the tactics we’ve discussed.
The attackers used publicly available information, also known as open source intelligence or OSINT (basically, digital dumpster diving), to find out my friend had just purchased his house. So they had his name and his new address. Then they went to the effort of physically going to his house to hang the door tag, which I find more than a little creepy. At this point, they used a baiting tactic, because of course he would want to receive his package. Then they used phishing to convince him to give them more information. And then they used smishing to try to get him to click a link in their text message.
This was a very elaborate attack for what I would consider to be not very valuable results. So be aware that in the real world, you might see a combination of several attack types used in a single attack. So what can you do to prevent baiting attacks? The most important defence is to never let greed or curiosity get the best of you. Never underestimate the value of your personal information or the amount of effort an attacker might put into trying to get to it, just like my friend. If you find or are given a USB thumb drive, do not plug it into a computer.
If you happen to find a USB thumb drive in a conspicuous location at your organization, give it to the security team at your organization. If it’s part of an attack, there will very likely be more than one, and they will need to inform others so that they don’t make the mistake of using it. In conclusion, you’ve learned what baiting is, what objectives attackers are aiming for in baiting, and who is at risk for baiting attacks. We discussed red flags and warning signs of a baiting attack and went over examples, as well as what you can do to protect yourself from a baiting attack. In the next video, we will discuss impersonation, another type of social engineering attack.
I look forward to seeing you there.

This video walks through a real-life example in which the attacker combines several attack types (OSINT, baiting, phishing and smishing) in a single attack.

This article is from the free online course Cyber Security Foundations: Common Malware Attacks and Defense Strategies, created by FutureLearn - Learning For Life.
