How phishing gangs weaponize the 24-hour news cycle

Jack Chapman | 30th Jun 2022

Thanks to social media, online publications, and 24-hour news channels, we’ve never been more hooked into the news cycle. Whether you want to see them or not, the headlines are never far from your eyes and ears. Cybercriminals can weaponize this to their advantage and tailor their phishing attacks to coincide with topical news stories.

Which news stories work best for phishing?

There are four key components to a news-based phish. First, it needs to be a story that’s prominent enough for people to actually know about, so it grabs their attention in the inbox. But it’s not enough for a story to just be in the news – it needs to impact people personally. There has to be a realistic reason for them to interact with an email.

Next, it needs to be time sensitive. There needs to be a pressing reason for the recipient to act urgently, before they think about the request too much and spot any signs of phishing. Finally, there has to be a degree of ambiguity. This is an important aspect, as phishing attacks pounce on any uncertainty and confusion around a topic. It’s easier to trick someone with a one-off email about a new and specific event than to impersonate, for example, an everyday email from a bank.

Covid was the perfect example of these four factors coming together. It was a story with plenty of sticking power that affected nearly everyone. Both individuals and businesses needed to act by certain deadlines, whether that was for booking vaccinations or claiming government support. There was also plenty of ambiguity and uncertainty, with people having to react to novel emails and requests they wouldn’t normally see.

How do the attacks work?

Attackers will spot a news headline that lines up with the four factors described above. As a hypothetical example, let’s say a major global airline is going out of business. Cybercriminals can easily get hold of mass email lists and run a script to check these email addresses against the airline’s login portal. They will either get a ‘this account doesn’t exist’ message or one that says the password is incorrect – confirming which addresses are already linked with an account. 

A phishing email is then sent to everyone who has an account with the airline with a subject line along the lines of ‘Your compensation from airline X’, plus graphics, headers and footers copied from the real airline. Many people might legitimately be expecting communication about compensation after seeing the news, while others might see it as a pleasant surprise to get some money back.

The attackers will add a link to a page where people either enter their password to ‘log in’, letting the attackers harvest those credentials to use on other sites, or supply bank details for the ‘refund’, which the attackers then steal. Cybercriminals can cast a wide net when targeting individuals in this way, but it’s still possible (and often more lucrative) to use news stories to scam organizations too.
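The account check described above only works when the login portal answers differently for unknown addresses. As an added example (not from the original article; the user store, function names and messages are constructed for illustration), the leaky login handler is shown beside a hardened one that returns the same message and does the same hashing work either way:

```python
import hashlib
import hmac
import os

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash(password, salt)

# Constructed user store for the example: email -> (salt, password hash).
USERS = {"alice@example.com": _make_user("correct horse battery")}

# Dummy credentials verified when the account does not exist, so unknown
# and known addresses cost the same amount of hashing work (no timing tell).
_DUMMY_SALT, _DUMMY_HASH = _make_user(os.urandom(16).hex())

def login_leaky(email: str, password: str) -> str:
    """Answers differently for unknown accounts, which confirms registrations."""
    user = USERS.get(email)
    if user is None:
        return "This account doesn't exist"
    salt, stored = user
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "Incorrect password"
    return "OK"

def login_uniform(email: str, password: str) -> str:
    """Same message and same work whether or not the address is registered."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash(password, salt), stored)
    if ok and email in USERS:
        return "OK"
    return "Invalid email or password"

def distinguishable(login, known: str, unknown: str) -> bool:
    """True if a failed attempt reveals which address has an account."""
    return login(known, "wrong-guess") != login(unknown, "wrong-guess")

if __name__ == "__main__":
    pair = ("alice@example.com", "bob@example.com")
    print("leaky handler reveals accounts:  ", distinguishable(login_leaky, *pair))
    print("uniform handler reveals accounts:", distinguishable(login_uniform, *pair))
```

Registration and password-reset forms need the same uniform treatment, and rate limiting on failed attempts slows bulk checking of address lists.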

How are organizations targeted?

Businesses are trickier to phish than individuals. There are fewer news stories that apply to them directly, and individuals within the business are almost always protected by better cybersecurity than when using their personal accounts. However, it’s still possible to weaponize a news story against a business – attackers just need to dig deeper.

There are some stories that will apply to most of the general public, like covid vaccinations. For businesses, topical but less widely reported news like changes to government legislation can be highly relevant. Attackers look for news affecting specific industries or even specific companies. For example, they might target a data protection officer (DPO) at a bank after a change in banking regulations: it’s highly relevant to that individual, and there is an element of the unknown. The principles stay the same.

Another option for attackers is using newsworthy events to target disgruntled people within an organization. We often imagine everyone within a business to be on the same side regarding a topical news story – the Ukraine crisis for example. But how likely is this to be true, in a global organization of many people with different politics and personalities? Attackers might use social media reactions to topical news stories to scout potential malicious insiders.

Real-life example of a news-based phishing attack

This is an example of an attack our threat intelligence team found targeting both individuals and organizations across the US and the UK. Over the past few months, we’ve seen a surge in phishing relating to communications and appeals regarding the Russia-Ukraine conflict. These social engineering attacks play on the consciences of people who want to do a good deed after seeing tragedy in the news – so they miss the warning signs of phishing in their rush to offer support.

These phishing emails come in the form of donation requests for cryptocurrency, often impersonating known bodies in Ukraine and begging for assistance. Figure 1 shows an email impersonating the Ukrainian Government asking for cryptocurrency donations to assist their war effort.

Figure 1: Impersonation attempt of a Ukrainian government appeal
