Social engineering cyberattacks target people. The objective of these attacks is to trick people into compromising their own systems. In a recent webinar (registration required), Proofpoint demonstrated how the Dridex attackers modified their malicious attachment to improve its performance. For this attack to work, the user must enable scripts. This user-interaction step evades malware detection over 99% of the time — but it depends upon the user actually taking the required action. How can the attacker convince the victim to enable scripts in the face of the system-generated warning?

The first-generation attack in October 2014 presented only the system-generated warning. Why would a user enable content when the call to action is part of a warning?

[Figure: Dridex lure document, October 2014]

In March 2015, an improved attack document was released with messaging that attempted to turn the warning itself into a call to action. In this version, the attacker exploited users' prior experience with document-compatibility prompts to create a more compelling call to action.

[Figure: Dridex lure document, March 2015]


July 2015 saw a further refinement of the attack document, with a call to action that played off users' own security concerns.

[Figure: Dridex lure document, July 2015]

Attackers understand that users are trained to avoid suspicious content. Thus, a requirement of malicious content is that it not appear suspicious. Just like an interactive marketing campaign, attackers iterate on the user experience of their lures to improve the effectiveness of their work.