Scams and scamsters have been prevalent for an extended period. They are as old as humans themselves. Be it face-to-face scams, paper-based scams, or later phone call-based scams. Digital scams, however, have only recently emerged as a significant issue as our daily lives have become increasingly digitized.
They started with emails and have moved on swiftly to social media and smart phones as well. Every day we read about a new trick, a new medium, a new lure, or a new victim. The end goal has always been the same though – financial fraud designed to exploit victims mainly for monetary gain, be it money, cryptocurrency, personally identifiable information, or ransom data. It is something that is inherently valuable to the victim.
Old tricks work
Even though we hear about new tricks and new lures many times, it does not necessarily mean that that is the norm, however. Sometimes scamsters resort to using old tricks, old vulnerabilities, time-tested methods. Something that has proven to yield results may still be preferred by scammers in some cases over trying something new.
Recently, CheckPoint researchers published an article that highlights how old vulnerabilities are still in use by top prevalent malware. These vulnerabilities are not even 0-day or 1-day anymore. Yet, their usefulness has not decreased. In fact, they are looked at as time-tested resorts highly likely to yield results.
Packaging curiosity
This is a similar situation in case of scams as well. Scams rely on the natural human characteristic of ‘curiosity’. If the scam campaign appeals to human curiosity, it will likely work. We like to call this strategy “packaging”. Different scams would entail different packaging even though the enclosed trap is the same, i.e. the lure or fake message/pretense would change (e.g. DHL scam, COVID-scam, Israel war scam, etc.), but the underlying exploit stays the same. The scammer, we believe, focuses more on “packaging”, and lets the old tried-and-tested methods/exploits do the data stealing part.
For example, news about a wedding invite scam recently broke out in Malaysia. That scam tricks users into downloading an Android APK sent via a WhatsApp message. Once the APK is installed, the user loses a lot of information.
The same scam can as well be easily repurposed to use the same packaging (of wedding invite lure) and use an old tried and tested CVE, for example CVE-2017-11882. The medium of email phishing can work very well in this case. The wedding invite itself would be an RTF document that exploits CVE-2017-11882 or a OneNote document that embeds an RTF document (as is the trend now for malware delivery). The entire attack chain may pan out as follows:
Figure 1. Envisaged attack chain using new scam lures but old CVE
Update your systems now
The day is not far when scams will begin using old CVEs under the pretext of new lures. Regularly updating one’s systems and applying patches is a good habit to inculcate. To conclude, we advise everybody to update now, and not later when it might be too late.
Categories