The Blind Request Clickbait Scam
How hackers use subtle social engineering techniques to bait you into clicking something you shouldn't click
This scam emerged from the pervasive use of banner advertising on commercial websites and has been around in various forms almost since the beginning of email and the internet way back in the America Online days. This would be the mid- to late-80s and the early 90s, when AOL was the #1 internet service provider in the US. Early pioneers of eCommerce like Amazon.com used clickbait banner advertising all over the burgeoning internet to generate traffic for their rapidly expanding online book retail business. Banner ads would use hyperbole to entice a click. One might encounter a flashing .gif file running as a banner across the top of every page of the site. It may have had rotating text, or not, but the messages would all be similar to "100% Free Caribbean Cruise" or "Get Your FREE Email Account Now!"
They look very...quaint now. But this is how clickbait began. Of course, nothing is ever "100% free." But as the old saying goes, "Curiosity killed the cat." With this strategy businesses could drive visitors to their sites where some would eventually make purchases and become customers.
The Google definition for the word "clickbait" is:
(on the Internet) content whose main purpose is to attract attention and encourage visitors to click on a link to a particular web page.
Now that may not be the most precise definition, but it's close. Anything that tries to entice you into clicking a link of any kind can be considered clickbait. It's important to understand what clickbait is if you want to understand how hackers use it to gain access to your system and (potentially) your personal information. Hackers have developed extremely sophisticated methods of deploying clickbait in ways that are so subtle you may not notice them at first glance. Let's look at a recent Blind Request message (containing modern, weaponized clickbait) that came in to ENE. Here's a screenshot of the message:
The message has a professional appearance. It's well formatted, visually mundane (i.e. average, normal-looking) and the language in the message is clear and concise, obviously written by a native English speaker or someone extremely fluent. There are no signs of the telltale misspellings of common words, nonsensical statements and formatting errors common to most email scams. Who can forget the hundreds and hundreds of messages we all received on a daily basis imploring us to respond because (for example) "your uncle Joseph from Zimbabwe has just died and left you $30 million dollars which we'd love to put directly into your bank account if you'll just send us the account and routing numbers please?"
That's "old school" now. The long-lost, recently deceased, millionaire uncle scam has given way to more realistic and sophisticated schemes that are quite clever and difficult to detect. Like the message shown in the screenshot above.
We call these malicious messages “Blind Request” emails because they almost always come to you unexpectedly, from an email address you don't recognize and from a company you’ve never heard of. That may seem counter-intuitive but it is, in fact, intentional. The people writing and sending these messages are using very subtle social engineering techniques to generate just enough curiosity for some readers to click the link despite not knowing who sent them the message. Examples of these subtle social engineering techniques are in the details of the message. Here's another copy of the above message with certain words and phrases circled and numbered. Our analysis is below the screenshot.
The numbers in the image above correspond to the numbers below where each element is described in detail.
1. The hackers have clearly identified the type of business ENE runs and have tailored the email to appeal to our desire to bring on new business. Having the email appear to be coming from a construction company makes it seem like a routine message since we deal with construction companies on a daily basis here at ENE.
2. In the "From:" section of the message they used an email address with the word "purchase" implying that the request was coming from someone who might be preparing to spend money.
3. All companies like a good referral and using this as the opening in the message has a disarming effect on the reader who now may be thinking that this looks like it might be a good opportunity.
4. By mentioning the "secured link" the hackers are trying to suppress any alarms that may be going off in the back of some readers' minds.
5. Asking for an estimate is almost as good as awarding the project. If someone is asking for an estimate, was recommended to them, apparently has the authority to purchase and is offering a way to check it all out securely.
6. The legal confidentiality language at the bottom of the message projects credibility and authenticity.
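The cues described above can also be checked mechanically so that a suspicious message gets a second look before anyone clicks. The following is an added example, not part of the original article: the sample message, the `KNOWN_SENDERS` contact list, the cue patterns and the hold threshold are all assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample message: sender, company and URL are made up.
SAMPLE = """\
From: Acme Construction <purchase@acme-construction.example>
To: info@ene.example
Subject: Request for estimate

You were recommended to us by a business partner. We would like an estimate
for an upcoming project. Please review the documents via the secured link:
https://files.example/project-docs

This email is confidential and intended solely for the addressee.
"""

KNOWN_SENDERS = {"orders@known-supplier.example"}  # assumed contact list
SENDER_WORDS = ("purchase", "purchasing")          # spending words in From:
BODY_CUES = {                                      # assumed patterns per cue
    "referral_opening": r"\b(recommended|referred|referral)\b",
    "secure_link_reassurance": r"\bsecured?\s+link\b",
    "estimate_request": r"\b(estimate|quote)\b",
    "confidentiality_footer": r"\bconfidential\b.*\bintended\b",
}

def triage(raw, known_senders=KNOWN_SENDERS):
    """Return the persuasion cues found and whether to hold the message."""
    msg = message_from_string(raw, policy=policy.default)
    addr = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    cues = []
    if addr not in known_senders:
        cues.append("unknown_sender")
    if any(word in addr.partition("@")[0] for word in SENDER_WORDS):
        cues.append("money_word_in_sender")
    cues += [name for name, pattern in BODY_CUES.items()
             if re.search(pattern, body, re.I | re.S)]
    has_link = re.search(r"https?://\S+", body, re.I) is not None
    # Hold only when a stranger pairs a link with two or more other cues.
    hold = "unknown_sender" in cues and has_link and len(cues) >= 3
    return {"cues": cues, "has_link": has_link, "hold": hold}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A routine message from a known contact produces no cues and is not held, so the check only flags mail for human review and does not replace it.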
Now, granted, none of this guarantees that everyone will click the link. But when they send messages like the one above to 10 million inboxes they’ll likely get hundreds, if not thousands, of hits. There is no way we can possibly block them all as they come in. The best defense we have is each other. An educated staff who have been shown these techniques will be much more likely to recognize an attack in progress than to succumb to one. We all have a role to play in the battle against those who would destroy everything we're working for in an effort to steal our personal information, which can lead to gigantic financial problems for anyone who falls victim to one of these scams.
You, me and everyone else around you who is using a computer to do their job are the first line of defense in the battle against internet criminals.
You are now armed with an understanding of how these “Blind Request” emails are constructed and what they’re trying to get you to do. You now have a much better chance of NOT becoming the next “hit” on their list.
The purpose of this post is to help prevent all of us from becoming one of those hits. Knowledge is the key. Remember to share this article with your friends and business associates.