By Dylan Duncan
Threat actors are well known for developing campaigns based on world events; the Taliban takeover in Afghanistan is no exception. In the past two months, the Cofense Intelligence team has observed a steady stream of Afghanistan-themed phishing emails in the wild.
We are seeing an assortment of advance-fee and inheritance scams using the newsworthy events in Afghanistan as a means of targeting victims’ emotions and financial interests. Common themes include CEOs of Afghan companies needing to liquidate assets before funds are taken, emails attempting to exploit religious and humanitarian tendencies, and various other proposals. It is likely we will see changes in campaign volume and themes as the situation in Afghanistan changes.
Classic Scam Emails Capitalize on Afghanistan Crisis
Advance-fee scams are old tricks that are still used by threat actors and are often popular among business email compromise (BEC) operators. In this type of fraud, it is common practice to target a victim’s emotions in order to get a payment upfront in hopes of later receiving a much larger sum of money. As with various forms of BEC, the emails in these campaigns may have an easier time reaching end users because there is no malicious attachment or URL that delivers malware or attempts to harvest credentials. This technique relies heavily on the end user’s lack of understanding of the phishing threat landscape.
Within the emails we observed, the Cofense Intelligence team recognized a significant increase in the use of recent events in Afghanistan as a theme. Figure 1 below shows the volume of relevant emails by month over the past year. Not every email in this data set is definitively an advance-fee scam (some may be inheritance or romance scams), and a minuscule percentage may be commercial or political spam. The chart shows how much the relevant email volume has increased during the latter part of the Taliban offensive in comparison to the rest of the year. There was a short-lived volume increase in February, but that increase was still modest compared to the much larger spike occurring in the last two months.
Figure 1: Volume by month of likely scam emails using Afghanistan themes
Phishing campaigns using the Taliban takeover in Afghanistan as a theme have taken a variety of styles. Two primary styles are represented by the emails in Figure 2 and Figure 3.
Figure 2 is a business-themed email claiming to be sent by a bank CEO who needs to liquidate assets before the Taliban siphon all their assets. This email appears to be targeting organizations as it mentions investing the funds into the target’s business. With large sums of money offered for transfer, the “transfer fees” threat actors are seeking would be substantial, even if only a small percentage of the total.
Figure 2: Business-themed advance-fee scam email targeting organizations
Figure 3 shows a more emotion-driven email, ostensibly sent by a woman who lost her husband during a “U.S. raid against terrorism” and needs help donating the husband’s large fortune to charity. This email is targeted more toward individuals. It also seeks to draw the recipient into unsavory activity, since the money offered to them is supposedly intended for charity; threat actors use this tactic to discourage a victim from admitting to having fallen for the scam, if it succeeds.
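Because these lures carry no malicious attachment or URL, gateway controls keyed on payloads tend to let them through, and the two styles above (the business-themed liquidation proposal and the charity-themed widow story) can only be caught from their wording. The following added example is not Cofense's detection logic or any of its products; it is an illustrative triage script with assumed indicator phrases and three constructed sample emails, showing how a defender could score crisis-themed, text-only advance-fee lures for analyst review.

```python
"""Heuristic triage for crisis-themed advance-fee lures (illustrative, not a vendor signature set)."""
import re
from dataclasses import dataclass

# Assumed indicator phrases, modelled on the patterns described above; a real
# deployment would tune these from observed samples rather than hard-code them.
CRISIS_TERMS = ("afghanistan", "taliban", "kabul")
LURE_TERMS = ("liquidate", "fortune", "inheritance", "next of kin",
              "donate", "charity", "invest", "transfer")
FEE_TERMS = ("transfer fee", "processing fee", "upfront", "advance payment")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
MONEY_RE = re.compile(r"\$\s?\d[\d,.]*|\b\d+(?:\.\d+)?\s*million\b", re.IGNORECASE)


@dataclass
class Email:
    """Minimal parsed-message view; has_attachment would come from the MIME parser."""
    subject: str
    body: str
    has_attachment: bool = False


def score_email(email: Email) -> dict:
    """Return indicator hits, a numeric score and a verdict for one message."""
    text = f"{email.subject}\n{email.body}".lower()
    crisis = [t for t in CRISIS_TERMS if t in text]
    lure = [t for t in LURE_TERMS if t in text]
    fee = [t for t in FEE_TERMS if t in text]
    has_url = bool(URL_RE.search(email.body))
    mentions_money = bool(MONEY_RE.search(text))
    # The telling shape of these campaigns: a money ask with nothing to detonate.
    text_only_money_ask = mentions_money and not has_url and not email.has_attachment

    score = len(crisis) + len(lure) + 2 * len(fee) + (2 if text_only_money_ask else 0)
    flagged = bool(crisis) and len(lure) >= 2 and (bool(fee) or text_only_money_ask)
    return {
        "subject": email.subject,
        "crisis": crisis,
        "lure": lure,
        "fee": fee,
        "text_only_money_ask": text_only_money_ask,
        "score": score,
        "verdict": "review: likely advance-fee scam" if flagged else "no action",
    }


def triage(emails) -> list:
    """Score a batch and return results, highest score first."""
    return sorted((score_email(e) for e in emails), key=lambda r: r["score"], reverse=True)


# Constructed sample messages, paraphrasing the two styles described above plus one benign note.
SAMPLE_EMAILS = [
    Email("Urgent business proposal",
          "I am the CEO of a bank in Kabul. Before the Taliban seize all our assets, "
          "I need to liquidate and transfer $25 million to your company for investment. "
          "You will receive 30% and only need to cover the transfer fees."),
    Email("Please help me",
          "My husband was killed in a U.S. raid against terrorism in Afghanistan. He left "
          "a fortune of 8.5 million dollars which I wish to donate to charity through you."),
    Email("Afghanistan evacuation update",
          "Our team is coordinating with the embassy; see the latest guidance at "
          "https://example.org/updates."),
]

if __name__ == "__main__":
    for result in triage(SAMPLE_EMAILS):
        print(f"{result['score']:>2}  {result['verdict']:<34} {result['subject']}")
```

The verdict deliberately requires a crisis term plus at least two lure terms plus either an explicit fee mention or a text-only money ask; a single "Afghanistan" keyword on its own, as in the benign update, never flags. The output is a review queue rather than a block decision, because wording-based heuristics like this are best used to route suspicious messages to analysts or to feed reporting-button workflows, not to quarantine automatically.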