Taliban Takeover in Afghanistan Provides Fodder for Advance-Fee Phishing Lures
By Dylan Duncan
Threat actors are well known for developing campaigns based on world events; the Taliban takeover in Afghanistan is no exception. In the past two months, the Cofense Intelligence team has observed a steady stream of Afghanistan-themed phishing emails in the wild.
We are seeing an assortment of advance-fee and inheritance scams using the newsworthy events in Afghanistan as a means of targeting victims’ emotions and financial interests. Common themes include CEOs of Afghan companies needing to liquidate assets before funds are taken, emails attempting to exploit religious and humanitarian tendencies, and various other proposals. It is likely we will see changes in campaign volume and themes as the situation in Afghanistan changes.
Classic Scam Emails Capitalize on Afghanistan Crisis
Advance-fee scams are old tricks that are still used by threat actors and are often popular among business email compromise (BEC) operators. In this type of fraud, it is common practice to target a victim’s emotions in order to get a payment upfront in hopes of later receiving a much larger sum of money. As with various forms of BEC, the emails in these campaigns may have an easier time reaching end users because there is no malicious attachment or URL that delivers malware or attempts to harvest credentials. This technique relies heavily on the end user’s lack of understanding of the phishing threat landscape.
Among the emails it analyzed, the Cofense Intelligence team recognized a significant increase in the use of recent events in Afghanistan as a theme. Figure 1 below shows the volume of relevant emails by month over the past year. Not every email in this data set is definitively an advance-fee scam (some may be inheritance or romance scams), and a minuscule percentage may be commercial or political spam. The chart shows how much the relevant email volume increased during the latter part of the Taliban offensive in comparison to the rest of the year. There was a short-lived volume increase in February, but that increase was still modest compared to the much larger spike in the last two months.
Figure 1: Volume by month of likely scam emails using Afghanistan themes
Phishing campaigns using the Taliban takeover in Afghanistan as a theme have taken a variety of styles. Two primary styles are represented by the emails in Figure 2 and Figure 3.
Figure 2 is a business-themed email claiming to be sent by a bank CEO who needs to liquidate assets before the Taliban seize them. This email appears to be targeting organizations, as it mentions investing the funds into the target’s business. With large sums of money offered for transfer, the “transfer fees” threat actors are seeking would be substantial, even if only a small percentage of the total.
Figure 2: Business-themed advance-fee scam email targeting organizations
Figure 3 shows a more emotion-driven email, ostensibly sent by a woman who lost her husband during a “U.S. raid against terrorism” and needs help donating the husband’s large fortune to charity. This email is targeted more toward individuals. It also draws the recipient into questionable conduct alongside the scammer, since the money offered to them is supposedly intended for charity. Threat actors use this tactic to discourage the victim from admitting they fell for the scam, should it succeed.
Figure 3: Emotion-driven advance-fee scam email targeting individuals
Impact and Aftermath
It is important for security teams and other employees to be aware of phishing trends related to topics of significant interest in the workplace and society. Victims of advance-fee fraud can be at risk of financial and emotional harm. The false promises in these emails present victims with supposed opportunities for major financial gain. When attacks like these succeed, the victim almost always loses some form of wealth. In some cases, a victim may even take out loans to meet the payment because they believe they will be reimbursed with a significantly higher sum. Depending on the severity of the financial loss and on what the scam requires of them, victims can also lose loved ones, face marital problems, and potentially commit crimes themselves in the course of fulfilling the scam’s obligations.
In these scams, organizations can be at risk of a substantially higher financial loss than an individual. Comparing the two examples shown earlier, victims of the first scam were shown a larger sum of money to be paid to them, which in many cases means a higher loss if the attack succeeds. Organizations also face some impact in the aftermath of an employee individually falling victim to one of these attacks. A successful attack of any kind can leave the victim feeling embarrassed and unwilling to admit their mistake. It can also result in negative publicity for the organization. The psychological toll that the financial loss takes on individual victims may also affect the organization: while some victims learn from the experience, others are left discouraged, with a negative impact on performance.
Because IOCs associated with advance-fee scams are often tailored to individual campaigns, easily changed, and short-lived, relying fully on automated protection by secure email gateways does not work for defending against these types of campaigns. Table 1 shows the top five email subjects and senders of advance-fee scams that referenced the situation in Afghanistan, reached enterprise email inboxes, and were reported directly to the Cofense Phishing Defense Center (PDC).
Table 1: The top Afghanistan-themed scam email subjects and senders reported to the Cofense PDC.
Human intelligence is crucial to stopping these types of campaigns. Education and training against this threat should not be limited to finance employees, since the campaigns also target individual funds rather than just organizational funds. In phishing operations using the COVID-19 pandemic as a theme, new campaigns and tactics emerged as more news on the world event reached the public. Similarly, the situation in Afghanistan is unpredictable, and associated phishing tactics, themes and volume may change as the situation develops.
Phishing tactics are always evolving and becoming more complex. With Cofense Intelligence, it is easy to track emerging phishing trends, research active threats and supplement your active investigations. Sign up for 3 FREE months of Cofense Intelligence to proactively defend your organization against phishing attacks and learn what you can do about the attacks that are likely in your inbox right now.