Go inside the mind of a cyber criminal with F-Secure’s Scam Kill Chain framework: a new in-depth look at the playbook used by scammers around the world. Global cyber security leader F-Secure’s threat intelligence experts break down exactly how these digital con artists choose, approach, and ultimately attack their victims – information that only strengthens the fight against fraud for everyone.
“We’re essentially shining a huge spotlight on cyber criminals who have been operating in the shadows,” said Laura Kankaala, Head of Threat Intelligence at F-Secure. “While there’s no way to completely prevent this, the Scam Kill Chain is our best defense. We have to be one step ahead of how these scammers operate, so we as an industry can help prevent the crimes from happening in the first place.”
With the borderless nature of the internet, cyber crime is thriving, and consumers are losing more than $1 trillion per year to scams on average. It’s the single biggest threat facing consumers today. And while some efforts have been made in the industry to make sense of the scam ecosystem, they’re often disjointed. There hasn’t been any comprehensive framework detailing the full range of techniques scammers use – until now.
Introducing the F-Secure Scam Kill Chain
Every scam is made up of a series of tactics, known as F‑Secure’s Scam Kill Chain. Originating from the military, the term “Kill Chain” has been historically applied to cyber security. Now, given the threat level scams pose to consumer safety, it’s only fitting to extend it to cover scams targeting consumers too.
The framework is broken down methodically into eight stages:
Reconnaissance
Development
Contact
Persistence
Access
Exfiltrate
Lateral Movement
Monetization
Stage 1: Reconnaissance
In the Reconnaissance tactic, the scammer gathers information about potential victims that they can use in the following tactics of the scam. Reconnaissance consists of both identifying potential victims and subsequently gathering their information for future use. The “attack surface” of a scam is the set of consumers who will be targeted by the scam.
The goal of the scammer is to identify as many victims as possible, or a more targeted group of victims, and gather as much information about them as possible. The scammer may use several techniques for this purpose, such as manually hunting for victim details from social media (name, address, interests, etc.), performing automatic data collection, phishing for information via SMS and phone calls, or purchasing personal data of victims from closed sources (i.e. illegal marketplaces or the “dark web”) on the internet.
Stage 2: Development
For a scam to be successful, the scammer must carry out several steps, each building on the success of the last. In the Development tactic, the scammer establishes resources that eventually form the foundation of their entire scam.
These resources are used to support operations in later tactics of the F‑Secure Scam Kill Chain and include “creating, purchasing, or compromising/stealing resources that can be used to support targeting”. Such resources may include both physical (computing resources, human scammers, etc.) and virtual (websites, social media accounts, malware, etc.) infrastructure that is later used to scam victims.
Stage 3: Contact
Once potential victims are identified and their information is gathered, the scammer must leverage this information and contact them. In the Contact tactic, the scammer may use several manipulative techniques, including interactive contact (phone call), non-interactive contact (online advertisements), or a mixture of both.
Popular channels used by scammers include email, SMS, and posts and direct messages on social media. In some cases, the victims themselves may even contact the scammers (albeit inadvertently), for example by searching for pirated software on the internet. The ultimate goal of the Contact tactic is to initiate a response, either by sending a URL leading to a malicious site or by getting the victim to provide private and sensitive information.
Stage 4: Persistence
As a scam progresses, the chances of it being discovered increase. At this stage, the scammer has invested effort in building and commencing the scam. The scammer now needs to prolong the scam by any means possible, in order to get to the monetization tactic. We call this the Persistence tactic.
The scammer may apply several techniques to do this, but one of the focus areas is cultivating trust. This could mean lying about the intent of the scam, lulling the victims into a false belief of earning benefits by making small payments, or moving conversations to different message platforms to avoid detection.
Stage 5: Access
In this tactic, the scammer attempts to access the victims’ devices (laptops or mobiles, for example). The goal is to steal a variety of private information with or without getting a foothold on the device. Scammers are typically interested in victim data that can be consumed directly or sold, rented, or ransomed later. This could include personally identifiable information, credit card details, bank account details, etc.
The victims’ information may be accessed in several ways, either by theft, being shared directly by the victims, or accessed using malware. Although similar to the Contact tactic, it differs as the goal of the Access tactic is to actively access and control the victims’ information.
Stage 6: Exfiltrate
Just having access to the data isn’t enough, as this could be denied or revoked at any time. Now, the scammer must take possession of it. This happens in the Exfiltrate tactic, where the scammer takes possession of the stolen data either by sending it out from the device from which it was captured, or by saving the data entered by the victims on the scammer’s hosted service.
Some exfiltration techniques may warrant an interaction with victims, whereas others can be conducted without the victims being aware of data theft. Some techniques might be automated, whereas some are manual.
Stage 7: Lateral Movement
Typically, the success of a scam increases in line with the number of victims it gathers, and scammers tend to act on this philosophy to increase their profits. In the Lateral Movement tactic, the scammer will attempt to spread the scam to as many people as possible using the initial victims’ current environments.
This can happen in several ways, for example the scammer may abuse the initial victims’ social media accounts to spread the scam to other contacts, post scam messages on the first victims’ groups or forums, leverage one social media account to get access to another, etc. An added benefit of this proliferation is that it allows the scammer to hide their tracks, as it becomes harder for subsequent victims to identify the true perpetrator.
Stage 8: Monetization
The last and most crucial step in the F‑Secure Scam Kill Chain is the Monetization tactic. Scamming is a business, making a profit is at the heart of almost every scammer’s motive, and all previous tactics lead up to this point. However, the scammer must take steps to avoid being detected.
For example, direct money transfers might be traceable, and as the scammer and the victims may be in different geographies, dealing in cash might be infeasible and attract unwanted attention. So, a scammer’s currency and means of monetization can be multifold, including actual money, cryptocurrency leading to a plethora of investment schemes, sales of valuable data, the identity of another person, the benefits of using a service’s premium membership without paying, gift cards, etc.
By sharing the Scam Kill Chain widely, F-Secure is helping the anti-scam industry in their fight against digital fraud — detailed research is the best way to develop effective defenses against scams.
F-Secure: The Solution
F-Secure’s cutting-edge scam protection solutions identify and block digital threats as soon as they appear. Their flagship app Total gives millions of users comprehensive online security with a single subscription. This includes VPN, password management, ID monitoring, antivirus, Wi-Fi protection, and much more.
F-Secure’s anti-scam technology also features AI-driven tools like Shopping Protection, SMS Scam Protection, and Banking Protection. It’s no surprise that over 200 telecom providers, banks, insurance companies, and other key players in digital security partner with F-Secure to integrate its features into their apps, providing their customers with a complete, all-in-one security solution.
About F‑Secure
F‑Secure makes every digital moment more secure, for everyone. We deliver brilliantly simple, frictionless security experiences that make life easier for the tens of millions of people we protect and for our more than 200 service provider partners. For over 35 years, we’ve led the cyber security industry, inspired by a pioneering spirit born out of a shared commitment to do better by working together.