How Threat Actors Weaponize Your Trust

Trust is central to human relationships and we instinctively make trust evaluations all day, every day. Processed in a heartbeat, often subconsciously, these decisions guide the way we behave, the people we vote for, the businesses we deal with and the confidence we have in outcomes. Unfortunately, for all these reasons, trust is also one of the preferred weapons of any criminal. From house burglars who know villagers trust their community enough to leave windows open on hot days to confidence tricksters conning old ladies out of their life savings, trust is the weapon of choice.

Just like their analog criminal cousins, cyber-criminals abuse trust, using tactics often called ‘social engineering’ to access our digital systems and steal data in many ways. But social engineering is not the only way to abuse trust. Understanding how they capitalize on our erroneous trust decisions is the first step to defense.  

The abuse of (implicit) digital trust often involves exploiting an application or tool we use in our daily digital life to perform our business or personal tasks. It is a technique increasingly used by the bad guys to carry out malicious actions such as the delivery of malware or links to phishing pages.

One of the concepts behind phishing is the weaponization of digital trust: the attackers exploit well-known brands that their victims trust and are familiar with. A tool, an application or an online service of any kind can be imitated for malicious purposes. This explains why the list of the most impersonated brands is normally led by companies that play an important role in our digital life, such as LinkedIn, Google, Amazon and Microsoft. Of course, the other concept behind phishing is the exploitation of human nature; for example, teasing the victim’s curiosity or creating a sense of urgency (like a shipping invoice that needs to be paid). This second aspect explains why brands like DHL regularly rank in the first positions of this chart: the invite to track an unexpected package from a trusted brand is really a deadly combination. The combination of trust and curiosity (or urgency) is lethal from an attacker’s perspective.

Similarly, exploiting a legitimate cloud service to distribute malicious content, such as malware or a phishing page, is a phishing technique that has become increasingly common over the past few years, fueled by the distribution of the workforce and the consequent growing adoption (and trust) of cloud services. In this case, the attackers not only leverage the digital trust in a cloud application by individuals (who see a familiar brand and a legitimate certificate) but also by organizations (who consider the cloud providers trusted so they do not enforce the same security controls applied to non-cloud web traffic). Attackers also rely on some additional elements that make the attack more likely to succeed; for example, they don’t need to worry about the preparation of the infrastructure and, at the same time, launch the attack from an infrastructure that is always ready, available and resilient. According to the latest Netskope Cloud and Threat Report, 47% of malware was distributed by a cloud application over the last 12 months.

"Exploiting a legitimate cloud service to distribute malicious content, such as malware or a phishing page, is a phishing technique that has become increasingly common over the past few years"

The same Netskope report also found that Search Engine Optimization (SEO) is an increasingly common technique used to weaponize digital trust. To confirm this trend, phishing downloads have been rising over the last 12 months, fueled by attackers using SEO techniques to get malicious PDF files ranked highly on popular search engines, including Google and Bing. The abuse of SEO is certainly not a novelty, but it is now more effective than ever because too many people trust Google (and search engines in general) as modern oracles. This means they ignore the fact that even if a link ranks on top of the search engines, it does not mean that it is legit and benign. One of the consequences of the pandemic is that we moved our trust from real life to the digital world, offering new possibilities to the threat actors.

A look at the top referrer categories for malware downloads over the past 12 months confirms the extension of this trend: the chart is led by ‘Technology’ (27%), ahead of ‘Search Engines’ (15%), ‘News and Media’ (11%), ‘Streaming and Downloadable Video’ (11%) and ‘Shareware/Freeware’ (8%). The attackers turn the trust in professional tools (Technology) or personal habits (News and Media or Streaming and Downloadable video) into a threat to the Internet’s citizens.

In fact, the presence of ‘Shareware/Freeware’ in the list of top malware referrers raises another important question, and it is related to the need for individuals and organizations to embrace a new security culture. Again, the exploitation of this category to deliver malicious content is not a novelty; however, this is an epoch where the line between personal and business-related use of corporate devices is blurred, and ignoring the consequences of superficial behaviors (such as downloading a freeware in a corporate device ignoring the corporate policies) might have bitter consequences for the individual and the organization itself. This bad habit is particularly dangerous when you consider that ‘Shareware/Freeware’ is also one of the top categories for direct malware distribution (ranking at place number five with 5%), behind content server and technology (both at 23%), uncategorized (14%), and business (6%).

Building a security culture means educating people about the extent to which they can have digital trust. The equivalent concept from a technology standpoint, applied to organizations, is, of course, the zero trust principle, which denies the concept of implicit trust and shifts the access model from a ‘trust, but verify’ paradigm to ‘verify, then trust.’ Users should adopt the same approach when invited to open a link or download an artifact from a trusted source, whether for personal or professional purposes, replacing the implicit trust with an explicit, continuously adaptive trust. But since erring is human, organizations should also put in place technological countermeasures, adopting a zero trust approach to ensure that only users with the right security posture can access internal resources.

What’s Hot on Infosecurity Magazine?