Watch out for weird phishing promises like free transit to Elon Musk’s off-world colonies

What kind of convincing does it take to dupe your average email sender to engage in risky download behavior? Some scammers’ lists of lures include opportunities to profit off war, angry customer complaints, and even a free trip to the Red Planet.

In a recent blog post, Proofpoint’s threat research team highlighted three phishing emails relying on lures that went “way beyond the usual level of bizarre.”

One threat actor attempted to use the chaos of Russia’s invasion of Ukraine, posing as a partner in an unidentified project in Uzbekistan looking for European clients who could step up to replace beleaguered Ukrainian suppliers. Another campaign involved emails supposedly from an irate customer who wanted to lodge a complaint against the recipients’ customer support staff.

“I am compelled to write about the unacceptable and rude behavior I experienced with your customer service representative,” the email began. “The attached report provides a full account of the incident.”

An .svg file attached to the email didn’t detail any customer support fiasco when clicked, but it did attempt to open a browser window that would initiate an attack chain for Phemedrome stealer.

Proofpoint’s oddest discovery was an email with the subject line “You win a trip to Mars,” to which the attacker attached a PDF file with an image of Elon Musk and a fake Adobe Reader update dialog. The link on the fake update message triggered download of a tar.gz archive—a file format Windows 11 has only natively supported since October 2023—containing an executable which, if run, would install the RedLine stealer malware.

Musk is a “magnet for attention in general,” Selena Larson, senior threat intelligence researcher at Proofpoint, told IT Brew. “Bad actors are good at following the same trends as any person that lives on the internet.”

“It’s difficult to say for sure what the percentage is of customized, weird lures versus the kind of invoice, business-relevant content, or thread hijacking,” Larson said. Promises of a Musk-funded trip to Mars were new to her, though.

“It’s not necessarily unusual for threat actors to use social engineering themes that people would be likely to click on,” Larson added.

The customer service lure is a good example because a customer angry enough to file a written complaint might worry virtually any business, Larson said.

Larson said that because Proofpoint intercepted the emails in question, the company couldn’t provide stats on how effective they were. That said, previous Proofpoint research has shown threat actors who used Covid-19 lures in 2020 found more success than with mundane themes, and cybercriminals exploited the high-profile news event of the death of Queen Elizabeth II in 2022.

Phishers have had to evolve due to improvements in email security, such as Microsoft’s decision in 2022 to block macros by default, increased use of multi-factor authentication, and automated spam and virus scanning by webmail and email client providers.

According to Larson, attackers increasingly have to find ways to trick users into engaging with roundabout attack chains—like the Musk scam, which would require the target to download a suspicious PDF, then a suspicious archive, and then run a suspicious executable. Inventive phishing lures may be one way of shuttling users down those convoluted routes, Larson said.

“A lot of times, what we’ve seen—actually, in a lot of different attack chains—is compressed executables or files, even compressed ISOs that then contain an executable, so you’re clicking three times, right?” Larson said. “Same thing with JavaScript.”

“That’s where the improved social engineering has to come into play, because you want people to take those chances.”