The F-Secure Scam Tactics & Techniques Framework is a breakdown of how modern-day online scammers operate. According to the Global Anti-Scam Alliance’s Global State of Scams 2023 Report, over $1 trillion was lost to scams in 2023. The internet, without clear-cut regional borders, has become a hotbed for cyber crime that targets consumers almost everywhere, every day.
The problem: the consumer cyber threat landscape is dominated by the activity of online scammers. While several cyber security players attempt to analyze the scam landscape to make sense of it, these efforts are at best ad hoc. Until now, there has been no single systematic approach that describes in detail all the techniques and methods scammers use to conduct their exploits.
A systematic analysis of the scam landscape
At F-Secure, we believe that the number one threat to consumer digital safety today is scams. We previously released the F‑Secure Scam Taxonomy – a comprehensive and methodical breakdown of the different types of online scams impacting consumers today. Now, we have taken things a step further: rather than only looking at examples and instances of scams, we analyze the tactics and techniques adopted by scammers in a systematic and continuous way.
This is called the F‑Secure Scam Tactics & Techniques Framework – a rich and detailed knowledge base about scams that breaks down both the high-level tactics and the more detailed techniques, providing a formal foundation for researching and building defenses against scams. It is designed to help protect consumers online against the ever-evolving scam landscape.
This work has been inspired by the MITRE ATT&CK® framework, developed by the MITRE Corporation.
Introducing the F-Secure Scam Tactics & Techniques Framework
Terminology
Tactics
Tactics are shown in the column header of the F‑Secure Scam Tactics & Techniques Framework. These are the individual steps scammers must take to achieve their goals and carry out a successful scam.
Techniques
These are detailed breakdowns of the methods a scammer uses to achieve a particular goal within a tactic. For example, phishing is a technique used as part of the Reconnaissance tactic to obtain potentially private information. Techniques make up the rows of the matrix.
Tactics explained: the F‑Secure Scam Kill Chain
Every scam is made up of a series of tactics which we have coined as the F‑Secure Scam Kill Chain. Originating from the military, the term ‘Kill Chain’ has been applied to cyber security for some time. Now, given the threat level scams pose to consumer safety, we’re extending it to cover scams targeting consumers too.
Stage 1: Reconnaissance
In the Reconnaissance tactic, the scammer gathers information about potential victims that they can use in the following tactics of the scam. Reconnaissance consists of both identifying potential victims and subsequently gathering their information for future use. Analogous to the ‘enterprise’ or ‘mobile’ context in the ATT&CK® framework, F-Secure’s framework has the ‘scam’ context. In this context, the ‘attack surface’ is in fact the consumers who will be targeted by the scam.
The goal of the scammer is to identify as many victims as possible (or a more targeted group of victims) and to gather as much information about them as possible. The scammer may use several techniques for this purpose, such as manually hunting for victim details on social media (name, address, interests, etc.), performing automated data collection, phishing for information via SMS and phone calls, or purchasing victims’ personal data from closed sources (i.e. illegal marketplaces) on the internet.
Stage 2: Resource Development
For a scam to be successful, the scammer must carry out several steps, each building on the success of the last. In the Resource Development tactic, the scammer establishes resources that eventually form the foundation of their entire scam.
These resources are used to support operations in later tactics of the F‑Secure Scam Kill Chain and include “creating, purchasing, or compromising/stealing resources that can be used to support targeting”. Such resources may include both physical (computing resources, human scammers, etc.) and virtual (websites, social media accounts, malware, etc.) infrastructure that is later used to scam victims.
Stage 3: Initial Contact
Once potential victims are identified and their information is gathered, the scammer must leverage this information and contact them. In the Initial Contact tactic, the scammer may use several manipulative techniques, including interactive contact (e.g. a phone call), non-interactive contact (e.g. online advertisements), or a mixture of the two.
Popular channels used by scammers include email, SMS, direct messages on social media, etc. In some cases, the victims themselves may even contact the scammers (albeit inadvertently), for example by searching for pirated software on the internet. The ultimate goal of the Initial Contact tactic is to elicit a response from the victim, whether by sending a URL that leads to a malicious site or by getting the victim to provide private and sensitive information.
Stage 4: Scam(mer) Persistence
As a scam progresses, the chances of it being discovered increase. At this stage, the scammer has invested effort in building and commencing the scam. The scammer now needs to prolong the scam by any means possible in order to reach the Monetization tactic. We call this the Scam(mer) Persistence tactic.
The scammer may apply several techniques to do this, but the focus is still on cultivating trust. This could mean lying about the intent of the scam, lulling victims into falsely believing they will earn benefits by making small payments, or moving conversations to different messaging platforms to avoid detection.
Stage 5: Access Information
In this tactic, the scammer attempts to access the victims’ devices (laptops or mobiles, for example). The goal is to steal a variety of private information with or without getting a foothold on the device. Scammers are typically interested in victim data that can be consumed directly or sold, rented, or ransomed later. This could include personally identifiable information, credit card details, bank account details, etc.
The victims’ information may be accessed in several ways: it may be stolen outright, shared directly by the victims, or accessed using malware. Although similar to the Initial Contact tactic, the Access Information tactic differs in that its goal is to actively access and control the victims’ information.
Stage 6: Exfiltrate Information
Just having access to the data isn’t enough, as this access could be denied or revoked at any time. Now, the scammer must take possession of it. This happens in the Exfiltrate Information tactic, where the scammer takes possession of the stolen data either by sending it out from the device on which it was captured, or by saving the data entered by the victims on a service hosted by the scammer.
Some exfiltration techniques require interaction with the victims, whereas others can be conducted without the victims being aware of the data theft. Some techniques may be automated, whereas others are manual.
Stage 7: Lateral Movement
Typically, the success of a scam increases with the number of victims it gathers, and scammers tend to act on this principle to increase their profits. In the Lateral Movement tactic, the scammer attempts to spread the scam to as many people as possible using the initial victims’ current environments.
This can happen in several ways: for example, the scammer may abuse the initial victims’ social media accounts to spread the scam to their contacts, post scam messages in the first victims’ groups or forums, leverage one social media account to gain access to another, etc. An added benefit of this proliferation for the scammer is that it hides their tracks, as it becomes harder for subsequent victims to identify the true perpetrator.
Stage 8: Monetization
The last and most crucial step in the F-Secure Scam Kill Chain is the Monetization tactic. Scamming is a business: making a profit is at the heart of almost every scammer’s motive, and all previous tactics lead up to this point. However, the scammer must take steps to avoid being detected.
For example, direct money transfers may be traceable, and as the scammer and the victims may be in different geographies, dealing in cash may be infeasible and attract unwanted attention. A scammer’s currency and means of monetization can therefore be manifold, including actual money, cryptocurrency (which underpins a plethora of investment schemes), sales of valuable data, another person’s identity, the benefits of premium membership of services (such as Steam) without paying, etc.
The official framework launches soon
We are excited to share a sneak preview of the F‑Secure Scam Tactics & Techniques Framework in this article, and we will be launching the official framework soon. Stay tuned.
In the meantime, if you want to learn more about how you can protect your customers against scams, you can contact us.
Copyright F-Secure Corporation 2024. All rights reserved.