A baiting attack is a type of phishing attack that uses social engineering to manipulate you. These attacks often appeal to your greed or curiosity to trick you into infecting your device with malware.
These attacks often come in three forms:
One of the most infamous baiting attacks in history was the 2008 attack on the U.S. Department of Defense.
It was dubbed the “worst breach of U.S. military computers in history”, and it led to the creation of United States Cyber Command within the Department of Defense.
Operation Buckshot Yankee, as it came to be known, involved an infected USB flash drive left in the parking lot of a DoD facility in the Middle East.
An agent plugged the infected flash drive into a laptop and inadvertently installed malicious code that was meant to steal information from the computers on the base.
The malware itself was a self-replicating worm that spread automatically throughout the DoD’s network. It took the Pentagon 14 months to fully eliminate the worm from their systems.
And this was a classic baiting tactic that appealed to the victim’s curiosity. It almost led to a national crisis of untold proportions.
Both individuals and organizations are at risk of baiting attacks. But it’s organizations that should take greater caution. After all, the stakes are higher, and the consequences are much more severe.
A single employee falling prey to a baiting attack could set off a chain reaction of data breaches, reputational losses, financial damage, and more.
Below, I’ll take you through a deep dive into baiting attacks. I’ll show you what they are, the specific principles they use, common scenarios and techniques, case studies, and red flags.
A baiting attack is a subset of generalized phishing attacks. At its core, baiting is a form of phishing.
However, a baiting attack has a few specific elements:
Let’s go over both of these points below and see how baiting attacks work:
The vast majority of baiting attacks appeal to two basic emotions – greed and curiosity.
When it comes to greed, hackers often try to convince you with promises of riches, discounts, exclusive offers, and things that sound too good to be true.
The prospect of financial benefit often blinds victims into making impulsive decisions without thinking things through.
This makes them take risks that they would otherwise not take. Through greed, baiting attacks manipulate their victims into compromising their security by themselves.
This could mean downloading malicious software or clicking a link that promises a heavy discount on a product.
With curiosity, the story is somewhat different. Hackers will most often use physical media to attract attention and play on their victims’ curiosity.
The idea is to create a sense of mystery and intrigue through this attack. Victims will feel compelled to see what’s on the random USB drive they found, or open the mysterious link they received.
Bad actors will often put a “Confidential” or “Classified” label on these physical USB drives to spark their victims’ curiosity even more.
Online, these curiosity-driven baiting attacks could promise confidential information or secrets that you couldn’t access otherwise.
By understanding how baiting attacks use these two emotions to manipulate you into taking impulsive actions, you can raise your awareness and defend yourself.
This is true for individuals and organizations alike. Employees should also receive a basic education in baiting attacks to avoid falling prey to these attacks.
Baiting attacks tend to follow a few specific scenarios that appear more often than in basic phishing attacks.
Let’s go through some of them:
You may receive a message or email talking about a very high (too good to be true) discount on a product or service you’ve been looking for.
Sometimes, the product or service being promised in a baiting attack is free. The hacker wants to play on your greed as much as possible.
And who can resist free?
Another common scenario is winning a large sum of money. This could be a lottery that you’ve been automatically enrolled in (according to the hacker) or an inheritance.
I’ve personally received many lottery-type emails in the past, and they all ask for your personal information to wire you the money.
Don’t get tricked – it’s a scam!
The hacker could impersonate a shopping service that you’ve used before, and surprise you with an unexpected prize.
They could come up with various reasons, like a loyalty program that rewards customers.
Of course, both the links and phone numbers provided by the hacker are fake. Don’t fall for it!
Another baiting scenario is when the threat actor leaves you a door tag saying that you missed a delivery. This time, we’re dealing with a physical attack, and the fact that the hacker knows where you live is extremely dangerous.
The tag may contain a phone number or another contact method – don’t use them. Let your curiosity die down because it’s a scam.
But how do attackers construct their baiting attacks and how do they ensure their effectiveness? Let’s see below!
Threat actors use certain techniques to ensure the efficiency of their baiting attack. Let’s see what these techniques are:
In baiting attacks that involve malicious files, hackers will make sure to disguise those files in innocent-looking formats.
They’ll use harmless extensions, legitimate-sounding names, and non-threatening icons that won’t raise red flags.
This is all a hoax to fool you into opening them. It’s all meant to create the illusion of innocence and hide the danger.
The same goes for malicious links: the hacker disguises them by editing their URLs so they look non-threatening.
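As an added example that is not part of the original article, here is a small Python check that a mail gateway or help desk could run over attachment names and link targets to catch the two disguises described above: a real executable extension hidden behind a document-looking name, and a link whose visible text names one domain while the underlying URL opens another. The sample filenames and URLs are constructed for illustration, and the domain names are placeholders.

```python
from urllib.parse import urlparse

# Extensions that execute when opened. A name like "Invoice.pdf.exe" ends in one of
# these but is dressed up to look like a document, which is the disguise the text describes.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "bat", "cmd", "com", "js", "vbs", "ps1", "hta", "msi", "jar"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "txt", "jpg", "png"}


def attachment_red_flags(filename: str) -> list[str]:
    """Return the reasons an attachment name looks disguised (empty list if none)."""
    flags = []
    parts = [p.strip() for p in filename.lower().strip().split(".")]
    if len(parts) < 2:
        return flags  # no extension at all; nothing to judge here
    real_ext = parts[-1]       # the extension the operating system actually honours
    inner_exts = parts[1:-1]   # anything between the base name and the real extension
    if real_ext in EXECUTABLE_EXTENSIONS:
        flags.append(f"executable extension .{real_ext}")
        if any(ext in DOCUMENT_EXTENSIONS for ext in inner_exts):
            flags.append("document-looking double extension")
    if "   " in filename:
        # a long run of spaces pushes the real extension out of view in narrow file lists
        flags.append("padding spaces before the real extension")
    return flags


def _host_of(url_or_domain: str) -> str:
    """Normalise 'example.test', 'www.example.test/x' or a full URL to a bare lowercase host."""
    text = url_or_domain.strip()
    if "://" not in text:
        text = "http://" + text
    host = (urlparse(text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def link_red_flags(display_text: str, href: str) -> list[str]:
    """Compare the text a user sees with the URL the link really opens."""
    flags = []
    actual_host = _host_of(href)
    if urlparse(href).scheme not in ("http", "https"):
        flags.append(f"unusual URL scheme in {href}")
    shown = display_text.strip().lower()
    # Only compare when the visible text itself looks like a domain or URL.
    if "." in shown and " " not in shown:
        shown_host = _host_of(shown)
        same_site = actual_host == shown_host or actual_host.endswith("." + shown_host)
        if shown_host and not same_site:
            flags.append(f"link text shows {shown_host} but it opens {actual_host}")
    return flags


if __name__ == "__main__":
    # Constructed samples; the domains are placeholders, not real sites.
    for name in ("Quarterly_Report.pdf", "Invoice_2024.pdf.exe", "photo.jpg          .scr"):
        print(name, "->", attachment_red_flags(name) or "ok")
    for text, href in (("www.example-shop.test/deal", "https://example-shop.test.promo-login.test/x"),
                       ("example-shop.test", "https://shop.example-shop.test/sale")):
        print(text, "->", link_red_flags(text, href) or "ok")
```

The checks deliberately stay simple: the point is that the extension the operating system honours is the last one, and the host a link opens is the one in the `href`, not the one in the visible text. Anything that disagrees is worth a second look before opening.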
Baiting attacks rely almost entirely on the first impression. Hackers know that they only have a few seconds to convince you to do something stupid.
So, they need you to trust them just enough to click a link or download malicious software.
They’ll often pretend to represent legitimate companies that you’ve dealt with before. This is all to gain your trust and make you drop your defenses.
The hacker could also assume a sense of authority in a given domain – like a marketing specialist or secretary – to gain your trust.
All baiting attacks use emotions to make you do things you otherwise wouldn’t do. But why do they work?
That’s because of emotional amplification. These attacks work by amplifying certain emotions like greed, curiosity, scarcity, and urgency.
This increases the chance that you’ll fall for the trap because your emotions will get the better of you.
When we give in to curiosity, greed or urgency, our rational thought processes go to the back and make way for impulsive decision-making.
That’s what hackers are betting on – that by amplifying these emotions, you’ll make thoughtless decisions.
To understand how baiting attacks function in the real world, and to drive home the potential consequences, I’ve prepared 5 real-world case studies involving baiting attacks.
Analyzing them will shed light on how these attacks work. So, let’s begin!
Stuxnet is, perhaps, the most notorious baiting attack in history, one that led to severe geopolitical repercussions.
Here are the specifics of Stuxnet or Operation Olympic Games, as it came to be known:
The Natanz nuclear facility was considered impossible to infiltrate at the time, since its systems did not connect to the internet at any point.
The only way someone could infiltrate the facility was physically. And that’s exactly how Stuxnet made its way inside – a Natanz employee plugged the USB drive into a work device.
Once the worm was out in the wild, it spread indiscriminately from device to device on Natanz’s internal network and found all the Siemens PLCs.
Interestingly enough, Stuxnet exploited five zero-day vulnerabilities and a backdoor to spread through the Windows PCs in the Natanz facility:
If you know anything about cybersecurity, then you know that exploiting so many vulnerabilities simultaneously is extremely uncommon.
That’s because hackers don’t want to reveal all their cards at once. Typically, once a zero-day vulnerability is out in the wild, security companies will develop a patch and cut off the hacker’s access.
However, Stuxnet was a no-holds-barred cyberattack that needed just one opportunity to infiltrate the Natanz facility and ruin its nuclear program.
The worm was also written in multiple programming languages, including C, C++, and other object-oriented languages.
Even to this day, it remains one of the most sophisticated pieces of malware ever written. Experts are dissecting it even today to learn from it.
Was Stuxnet successful, though? In a word, yes. It managed to decommission about 2,000 centrifuges in a year, where the typical number of decommissioned centrifuges was around 800.
Rumor has it that Stuxnet set Iran’s nuclear program back by at least two years. The only reason it was ever discovered was that a Natanz employee carried it out on a work device.
Security researchers eventually found it and decoded it, for the most part. It had over 15,000 lines of code, which is miles ahead of what any other malware comprises.
And it all started from a single USB drive that a Natanz employee randomly found and plugged into a work device.
A baiting attack through and through!
Disclaimer – Operation Aurora only included baiting elements (spear phishing tactics) but was not a typical baiting attack. It focused on exploiting zero-day vulnerabilities and backdoors instead.
Operation Aurora was one of the most extensive cyberattacks in history conducted by the Elderwood Group (Chinese ties) against several high-profile American companies.
Confirmed targets include:
According to various reports, Symantec, Yahoo, Dow Chemical, Northrop Grumman, and Morgan Stanley were also targeted by Operation Aurora.
The main goal of the attack was to steal trade secrets from the American private sector – their source code repositories.
Here’s the order of events:
I. The Attack Begins
The anatomy of Operation Aurora is fascinating because of how sophisticated it was. According to McAfee, the attackers used several zero-day vulnerabilities in the Internet Explorer browser and the Perforce revision control software.
The hackers sent baiting emails to employees at these companies, posing as colleagues or trusted sources. They lured the victims into clicking on malicious links that installed malware on company devices.
Through spear-phishing tactics and zero-day exploitation, the attackers gained the elevated access they needed to access the companies’ computer systems.
They also used backdoor connections into Gmail accounts to gain access to the computer systems.
II. Google Announces the Attack
On January 12th, 2010, Google announced on its blog that it had suffered a cyberattack in mid-December that came from China.
They also claimed that over 20 companies had been attacked in the same period by the same group.
For this reason, Google stated that it would consider ending its business relations in China. Several other political statements were released on the same day by various parties.
The Chinese government did not release a formal response to these allegations.
III. Symantec Starts Investigating the Attacks
Cybersecurity firms Symantec and McAfee offered to investigate the attack on behalf of Google and all the other affected companies.
After going through the evidence (domain names, malware signatures, IP addresses, etc.), they found that the Elderwood Group was responsible for Operation Aurora.
The hacker group is also known as the “Beijing Group”, and they got their hands on some of Google’s source code and information about several Chinese activists.
McAfee VP of Threat Research Dmitri Alperovitch named the attack “Operation Aurora” because “Aurora” was a file path included in two of the malware samples used in the attacks.
After the attacks became public knowledge, many countries temporarily stopped using Internet Explorer due to the zero-day vulnerabilities in it.
Google also pulled out of China and only maintains a local version of the search engine from Hong Kong.
Operation Aurora proved to be more detrimental to China than to the US since the former lost more in the aftermath of the attack.
Baiting attacks aren’t hard to spot, for the most part. Fortunately, taking a few precautions and being aware of how baiting attacks trick you will go a long way in protecting you.
First, let me show you the most common red flags for baiting attacks!
From the get-go, if you see an alarmist email subject line, your scam-o-meter should already be beeping.
Such subject lines could read “Change Your Password Now” or “Get this Discount While It’s Still Here”.
If the other party creates a sense of urgency and tries to tap into your emotions to make you take impulsive decisions, you should start second-guessing their intent.
It’s either a legit (?) marketing email or a baiting attack meant to con you. In many cases, the two aren’t as clear-cut as we’d hope they were.
If the other party is asking for personal or sensitive information like your credit card number, do NOT provide it.
No legitimate company will ever request sensitive information via email or direct messages. That’s because sensitive information is just that – sensitive for your identity, and only you should know it.
99.99% of all emails asking for such information are baiting attacks. The remaining 0.01% come from either unprofessional companies or companies dealing with particularly severe security issues.
When you receive an odd email from someone you know (even your superior), have a look at their email address or domain.
Then compare it with the actual address from your contact list. Are they the same? Or is the one used in the email slightly different?
Perhaps it has one extra letter or it uses caps-lock, or one of the letters is doubled. That’s a phishing email address carefully (or not) crafted to fool you.
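Pulling the three red flags above together (an alarmist subject line, a request for sensitive information, and a sender address that is one letter away from a contact you know), here is an added Python example, not code from the article, that scores a message against them. The contact list, the sample message and the domain names are constructed placeholders; the edit-distance threshold of two is an assumption, chosen to catch the single extra, doubled or swapped letter the text describes.

```python
import re

# Constructed contact list; the domain is a placeholder, not a real organisation.
KNOWN_CONTACTS = ["ceo@example-corp.test", "it-support@example-corp.test"]

URGENCY_PATTERN = re.compile(
    r"\b(now|immediately|urgent|act fast|expires?|final notice|while it's still here)\b"
)
SENSITIVE_TERMS = ("credit card", "card number", "password", "social security", "bank account", "pin code")
REQUEST_VERBS = re.compile(r"\b(send|provide|confirm|enter|reply with|verify)\b")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: single-character insertions, deletions or substitutions."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def sender_lookalike(sender: str, known_contacts, max_distance: int = 2):
    """Return the known contact a sender address imitates, or None.

    A near-miss is the same mailbox name with a domain that differs by at most
    max_distance edits, which covers an extra letter, a doubled letter or a swapped pair.
    """
    sender = sender.strip().lower()
    known = [k.strip().lower() for k in known_contacts]
    if sender in known:
        return None  # exact match: the contact you actually know
    s_local, _, s_domain = sender.partition("@")
    for contact in known:
        k_local, _, k_domain = contact.partition("@")
        if s_local == k_local and 0 < levenshtein(s_domain, k_domain) <= max_distance:
            return contact
    return None


def email_red_flags(subject: str, body: str, sender: str, known_contacts) -> list[str]:
    """Return the baiting red flags a message trips; an empty list means none were found."""
    flags = []
    subject_norm = subject.lower().replace("\u2019", "'")  # curly to straight apostrophe
    if URGENCY_PATTERN.search(subject_norm):
        flags.append("alarmist or urgent subject line")
    body_norm = body.lower().replace("\u2019", "'")
    if any(term in body_norm for term in SENSITIVE_TERMS) and REQUEST_VERBS.search(body_norm):
        flags.append("asks you to hand over sensitive information")
    impersonated = sender_lookalike(sender, known_contacts)
    if impersonated:
        flags.append(f"sender {sender} is a lookalike of {impersonated}")
    return flags


if __name__ == "__main__":
    # Constructed sample message in the style the text describes.
    sample = {
        "subject": "Change Your Password Now",
        "body": "Our system flagged your account. Reply with your password to confirm it is you.",
        "sender": "it-support@exmaple-corp.test",
    }
    for flag in email_red_flags(sample["subject"], sample["body"], sample["sender"], KNOWN_CONTACTS):
        print("RED FLAG:", flag)
```

The lookalike check only compares the domain when the mailbox name matches exactly, which is what an impersonator of a colleague has to copy; a genuine contact never trips it because an exact match returns early. Keyword lists like these are a starting point, not a filter to rely on alone.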
Since baiting attacks are a sub-category of phishing attacks, I’ll direct you to my guide on phishing attacks.
The prevention methods and red flags are the exact same for both:
A premium antimalware service will help you prevent infections in case you mistakenly fall for a baiting attack and download malware.
You might also want to choose a more private and secure email provider like Proton. Their email filters are better-suited to identifying potential spam and phishing attacks (the emails will be sent to Spam automatically).
This will give you a better idea of what to expect from these emails. But take care – not all emails in your Spam folder are phishing emails.
Email filters are not 100% accurate all the time, so they might make a mistake.
Baiting attacks are the most common form of phishing attacks. They use psychology to trick you into accessing an infected link or downloading a malicious attachment.
But they’re also some of the easiest attacks to defend against. It only takes two things to render a baiting attack useless:
In all seriousness, these two things are all you need to never fall for a baiting attack again.
Knowing how to identify a baiting attack is not always easy, though. So, use this guide (and the other one about phishing in general) to learn how to do it!
CSO Online – Stuxnet Explained: The First Known Cyberweapon
Google Blog – A New Approach to China
Privacy Affairs – Why Is Phishing So Common & How to Protect Against It?