Cybersecurity Deep Dive: What Is a Baiting Attack?

By Alex Popa . 23 November 2023

Cybersecurity Journalist

A baiting attack is a type of phishing attack that uses social engineering to manipulate you. These attacks often appeal to your greed or curiosity to trick you into infecting your device with malware.

These attacks often come in three forms:

Physical Media – Bad actors will often leave infected USB drives lying around workspaces, parking spaces or office hallways, hoping that someone will find it and plug it into a device

Online Downloads – The hacker can send you a direct message on social media or via email trying to convince you to access a link. These messages contain links to malicious files that will install malware on your device once opened. There are also websites that promise free materials that can become baiting attacks

Tempting Offers – Email offers that promise you something free or heavily discounted if you click on a link. These links are infected and will install malware on your device

One of the most infamous baiting attacks in history was the 2008 attack of the U.S. Department of Defense.

It was dubbed the “worst breach of U.S. military computers in history”, and it led to the creation of the States Cyber Command of the Department of Defense.

Operation Buckshot Yankee, as it came to be known, involved an infected USB flash drive left over in the parking lot of a DoD facility in the Middle East.

An agent plugged in an infected flash drive into a laptop and inadvertently installed malicious code that was meant to steal information from the computers on the base.

The malware itself was a self-replicating worm that spread automatically throughout the DoD’s network. It took the Pentagon 14 months to fully eliminate the worm from their systems.

And this was a classic baiting tactic that appealed to the victim’s curiosity. It almost led to a national crisis of untold proportions.

Both individuals and organizations are at risk of baiting attacks. But it’s organizations that should take greater caution. After all, the stakes are higher, and the consequences are much more severe.

A single employee falling prey to a baiting attack lead cause a chain reaction of data breaches, reputational losses, financial damage, and more.

Below, I’ll take you through a deep dive of baiting attacks. I’ll show you what they are, specific principles used, common scenarios and techniques, case studies, and red flags.

Let’s start!

How Does Baiting Differ from Traditional Phishing?

Image showing a dual cybersecurity landscape

A baiting attack is a subset of generalized phishing attacks. At its core, baiting is a form of phishing.

However, a baiting attack has a few specific elements:

The emotions it appeals to
The common scenarios used

Let’s go over both of these points below and see how baiting attacks work:

1. Psychology of Baiting Attacks

The vast majority of baiting attacks appeal to two basic emotions – greed and curiosity.

When it comes to greed, hackers often try to convince you with promises of richness, discounts, exclusive offers, and things that sound too good to be true.

The prospect of financial benefit often blinds victims into making impulsive decisions without thinking things through.

This makes them take risks that they would otherwise not take. Through greed, baiting attacks manipulate their victims into compromising their security by themselves.

This could mean downloading a malicious software or accessing a link that promises a heavy discount on a product.

With curiosity, the story is somewhat different. Hackers will most often use physical media to attract attention and play on their victims’ curiosity.

The idea is to create a sense of mystery and intrigue through this attack. Victims will feel compelled to see what’s on the random USB drive they found, or open the mysterious link they received.

Bad actors will often put a “Confidential” or “Classified” label on these physical USB drives to spark their victims’ curiosity even more.

Online, these curiosity-driven baiting attacks could promise confidential information or secrets that you couldn’t access otherwise.

By understanding how baiting attacks use these two emotions to manipulate you into taking impulsive actions, you can raise your awareness and defend yourself.

This is true for individuals and organizations alike. Employees should also receive a basic education in baiting attacks to avoid falling prey to these attacks.

2. Common Attack Scenarios

Baiting attacks often have specific scenarios that are more common compared to basic phishing attacks.

Let’s go through some of them:

High discounts

You may receive a message or email talking about a very high (too good to be true) discount on a product or service you’ve been looking for.

Free products/services

Sometimes, the products/service being promised in a baiting attack is free. The hacker wants to play on your greed as much as possible.

And who can resist free?

Winning a grand prize

Another common scenario is winning a large sum of money. This could be a lottery that you’ve been automatically enrolled in (according to the hacker) or an inheritance.

I’ve personally received many lottery-type emails in the past, and they all ask for your personal information to wire you the money.

Don’t get tricked – it’s a scam!

Unexpected prize

The hacker could impersonate a shopping service that you’ve used before, and surprise you with an unexpected prize.

They could come up with various reasons, like a loyalty program that rewards customers.

Of course, both the links and phone numbers provided by the hacker are fake. Don’t fall for it!

Fake delivery

Another baiting scenario is when the threat actor leaves you a door tag saying that you missed a delivery. This time, we’re dealing with a physical attack, and the fact that the hacker knows where you live is extremely dangerous.

The tag may contain a phone number or another contact method – don’t use them. Let your curiosity die down because it’s a scam.

But how do attackers construct their baiting attacks and how do they ensure their effectiveness? Let’s see below!

Anatomy of a Baiting Attack

Image showing a hacker standing in front of a cyber screen

Threat actors use certain techniques to ensure the efficiency of their baiting attack. Let’s see what these techniques are:

The Disguise

In baiting attacks that involve malicious files, hackers will make sure to disguise those files in innocent-looking formats.

They’ll use harmless extensions, legitimate-sounding names, and non-threatening icons that won’t raise red flags.

This is all a hoax to fool you into opening them. It’s all meant to create the illusion of innocence and hide the danger.

This also works on malicious links that the hacker tries to disguise by editing their URLs and make them non-threatening.

The Trust Relationship

Baiting attacks rely almost entirely on the first initial impression. Hackers know that they only have a few seconds to convince you to do something stupid.

So, they need you to trust them just enough to click a link or download a malicious software.

They’ll often pretend to represent legitimate companies that you’ve dealt with before. This is all to gain your trust and make you drop your defenses.

The hacker could also assume a sense of authority in a given domain – like a marketing specialist or secretary – to gain your trust.

The Emotional Amplification

All baiting attacks use emotions to make you do things you otherwise wouldn’t do. But why do they work?

That’s because of emotional amplification. These attacks work by amplifying certain emotions like greed, curiosity, scarcity, and urgency.

This increases the chance that you’ll fall for the trap because your emotions will get the better of you.

When we give in to curiosity, greed or urgency, our rational thought processes go to the back and make way for impulsive decision-making.

That’s what hackers are betting on – that by amplifying these emotions, you’ll make thoughtless decisions.

Case Studies

Image of a hacker sitting in front of two computers

To understand how baiting attacks function in the real world, and to send home the potential consequences, I’ve prepared 5 real-world case studies involving baiting attacks.

Analyzing them will shed light on how these attacks work. So, let’s begin!

1. Stuxnet Worm (2010)

Stuxnet is, perhaps, the most notorious baiting attack in history, one that led to severe geopolitical repercussions.

Here are the specifics of Stuxnet or Operation Olympic Games, as it came to be known:

Stuxnet was a worm (a self-replication malware) stored on a physical USB drive, that infected the Iranian nuclear program at the Natanz facility
Its purpose was to find PCLs (programmable logic controllers) manufactured by Siemens on a device and alter their programming
Altering the PLCs’ programming affected the nuclear centrifuges’ rotation speeds, either damaging or destroying them completely
At the same time, the PCLs would transmit (falsely) to the controller computer that everything is working fine

The Natanz nuclear facility was known to be infiltration-foolproof at the time, since its systems did not connect to the internet at any point.

The only way someone could infiltrate the facility was physically. And that’s exactly how Stuxnet made its way inside – a Natanz employee plugged in the USB drive on a work device.

Once the worm was out in the wild, it spread indiscriminately from device to device on Natanz’s internal network and found all the Siemens PLCs.

Interestingly enough, Stuxnet exploited five zero-day vulnerabilities and a backdoor to spread through the Windows PCs in the Natanz facility:

A bug with the print spooler
A Windows shortcut flaw
Two escalation of privilege vulnerabilities
A flaw with the Siemens PLCs
A backdoor that was used in the Conficker attack

If you know anything about cybersecurity, then you know that exploiting so many vulnerabilities simultaneously is extremely uncommon.

That’s because hackers don’t want to reveal all their cards at once. Typically, once a zero-day vulnerability is out in the wild, security companies will develop a patch and cut off the hacker’s access.

However, Stuxnet was a no-holds-barred cyberattack that needed just one opportunity to infiltrate the Natanz facility and ruin its nuclear program.

The worm was also written in multiple programming languages, including, C, C++, and other object-oriented languages.

Even to this day, it remains one of the most sophisticated pieces of malware ever written. Experts are dissecting it even today to learn from it.

Was Stuxnet successful, though? In a word, yes. It managed to decommission about 2,000 centrifuges in a year, where the typical number of decommissioned centrifuges was around 800.

Rumors have it that Stuxnet set Iran’s nuclear program back by at least two years. The only reason it was ever discovered was that a Natanz employee brought it out on a work device.

Security researches eventually found it and decoded it, for the most part. It had over 15,000 lines of code, which is miles ahead of what any other malware comprises.

And it all started from a single USB drive that a Natanz employee randomly found and plugged into a work device.

A baiting attack through and through!

2. Operation Aurora (2009)

Disclaimer – Operation Aurora only included baiting elements (spear phishing tactics) but was not a typical baiting attack. It focused on exploiting zero-day vulnerabilities and backdoors instead.

Operation Aurora was one of the most extensive cyberattacks in history conducted by the Elderwood Group (Chinese ties) against several high-profile American companies.

Confirmed targets include:

Google
Adobe Systems
Akamai Technologies
Juniper Networks
Rackspace

According to various reports, Symantec, Yahoo, Dow Chemical, Northrop Grumman, and Morgan Stanley were also targeted by Operation Aurora.

The main goal of the attack was to steal trade secrets from the American private sector – their source code repositories.

Here’s the order of events:

I. The Attack Begins

The anatomy of Operation Aurora is fascinating because of how sophisticated it was. According to McAfee, the attackers used several zero-day vulnerabilities in the Internet Explorer browser app and the Perforce revision software.

The hackers effectively sent baiting emails to employees working at these companies, trying to pass as colleagues or trusted sources. They lured the victims into clicking on malicious links that would install the infected malware on company devices.

Through spear-phishing tactics and zero-day exploitation, the attackers gained the elevated access they needed to access the companies’ computer systems.

They also used backdoor connections into Gmail accounts to gain access to the computer systems.

II. Google Announces the Attack

On January 12^th, 2010, Google announced on its blog that it had suffered a cyberattack in mid-December that came from China.

They also claimed that over 20 companies had been attacked in the same period by the same group.

For this reason, Google stated that it would consider ending its business relations in China. Several other political statements were released on the same day by various parties.

The Chinese government did not release a formal response to these allegations.

III. Symantec Starts Investigation the Attacks

Cybersecurity firms Symantec and McAfee offered to investigate the attack on behalf of Google and all the other affected companies.

After going through the evidence (domain names, malware signatures, IP addresses, etc.), they found that the Elderwood Group was responsible for Operation Aurora.

The hacker group is also known as the “Beijing Group”, and they got their hands on some of Google’s source code and information about several Chinese activists.

McAfee VP of Threat Research Dmitri Alperovitch identified the attack as “Operation Aurora” because “Aurora” was a file path included in two of the malwares used in the attacks.

IV. Aftermath

After the attacks became public knowledge, many countries temporarily stopped using Internet Explorer due to the zero-day vulnerabilities embedded in it.

Google also pulled out of China and only maintains a local version of the search engine from Hong Kong.

Operation Aurora proved to be more detrimental to China than to the US since the former lost more in the aftermath of the attack.

Recognizing and Preventing Baiting Attacks

Image showing a lock in a cybersecurity background

Baiting attacks aren’t hard to spot, for the most part. Fortunately, taking a few precautions and being aware of how baiting attacks trick you will go a long way in protecting you.

First, let me show you the most common red flags for baiting attacks!

1. Red Flags

Urgent Email Subject Line

From the get-go, if you see an alarmist email subject line, your scam-o-meter should already be beeping.

Such subject lines could read “Change Your Password Now” or “Get this Discount While It’s Still Here”.

If the other party creates a sense of urgency and wants to tap into your emotions and make you take impulsive decisions, you should start second guessing their intent.

It’s either a legit (?) marketing email or a baiting attack meant to con you. In many cases, the two aren’t as clear-cut as we’d hope they were.

Asking Personal/Sensitive Information

If the other party is asking for personal or sensitive information like your credit card number, do NOT provide it.

No legitimate company will ever request sensitive information via email or direct messages. That’s because sensitive information is just that – sensitive for your identity, and only you should know it.

99.99% of all emails asking for such information are baiting attacks. The rest 0.01% are either unprofessional companies or companies dealing with particularly severe security issues.

The Sender Address or Domain Are Fake

When you receive an odd email from someone you know (even your superior), have a look at their email address or domain.

Then compare it with the actual think from your contact list. Are they the same? Or is the one used in the email a bit different?

Perhaps it has one extra letter or it uses caps-lock, or one of the letters is doubled. That’s a phishing email address carefully (or not) crafted to fool you.

2. Educational Measures & Technological Safeguards

Since baiting attacks are a sub-category of phishing attacks, I’ll direct you to my guide on phishing attacks.

The prevention methods and red flags are the exact same for both:

Grammar mistakes
The presence of unexpected attachments
The presence of caps-lock in odd places
The urgent tone

A premium antimalware service provider will help you prevent infections in case you mistakenly fall for a baiting attack and download a malware.

You might also want to choose a more private and secure email provider like Proton. Their email filters are better-suited to identifying potential spam and phishing attacks (the emails will be sent to Spam automatically).

This will give you a better idea of what to expect from these emails. But take care – not all emails in your Spam folder are phishing emails.

Email filters are not 100% accurate all the time, so they might make a mistake.

Conclusion

Baiting attacks are the most common form of phishing attacks. They use psychology to trick you into accessing an infected link or downloading a malicious attachment.

But they’re also some of the easiest attacks to defend against. It only takes two things to render a baiting attack useless:

Cyber-awareness – If you know that a baiting attack is a baiting attack, you won’t fall for it
Self-control – Before realizing what you’re dealing with, don’t become impulsive. Baiting emails manufacture artificial urgency to make you take impulsive actions

In all seriousness, all you need is these two things to never fall for a baiting attack ever again.

Knowing how to identify a baiting attack is not always easy, though. So, let this guide (and the other one about phishing in general) to learn how to do it!

Sources

CRN – Pentagon Confirms 2008 Cyber Attack Against U.S. Military

CSO Online – Stuxnet Explained: The First Known Cyberweapon

Gizmodo – The Inside Story of How Stuxnet Was Discovered

JPost – “Stuxnet Virus Set Back Iran’s Nuclear Program by 2 Years”

CS Monitor – Stealing US Business Secrets: Experts ID Two Huge Cyber “Gangs” in China

Google Blog – A New Approach to China

Privacy Affairs – Why Is Phishing So Common & How to Protect Against It?

Technology Analyst & Data Privacy Journalist Alex is an avid proponent of informational security and data privacy. Given how easily online information disseminates and how cybercriminals are always stepping up their game, self-security becomes a necessity. Alex has direct experience with many tools of the trade like 1Password, YubiKey, Ledger, VPNs, and he has an evergreen interest in emerging security technologies. Which is to say he’s geeking out on them a lot. You’ll often find him reading up on cybersecurity stats or the latest ransomware attacks, staying up-to-date with the evolution of informational security and infiltration tactics. Alex is also an experienced journalist, which makes him great at putting tech-savvy and complex topics into easy-to-understand guides and reports.

Cookie	Duration	Description
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	1 year	The GDPR Cookie Consent plugin sets the cookie to store whether or not the user has consented to use cookies. It does not store any personal data.
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_gat_UA-*	1 minute	Google Analytics sets this cookie for user behaviour tracking.
_gid	1 day	Google Analytics sets this cookie to store information on how visitors use a website while also creating an analytics report of the website's performance. Some of the collected data includes the number of visitors, their source, and the pages they visit anonymously.
_omappvp	1 year 1 month 4 days	The _omappvp cookie is set to distinguish new and returning users and is used in conjunction with _omappvs cookie.
_omappvs	20 minutes	The _omappvs cookie, used in conjunction with the _omappvp cookies, is used to determine if the visitor has visited the website before, or if it is a new visitor.