F-Secure research

F-Secure Scam Kill Chain

Amit Tambe | Oct 21, 2024

The F-Secure Scam Kill Chain is a break­down of how modern-day online scammers operate. According to the Global Anti-Scam Alliance’s Global State of Scams 2023 report, over $1 trillion was lost to scams in 2023. The internet, without clear-cut regional borders, has become a hot­bed for cyber crime that targets consumers almost every­where, every day.

The problem: the consumer cyber threat landscape is fraught with the workings of online scammers. While several cyber security players attempt to analyze the scam landscape to make sense of it, these efforts are at best ad hoc. Until now, there has been no single systematic approach that can describe in detail all the techniques and methods used by scammers to conduct their exploits.

A systematic analysis of the scam landscape

At F‑Secure, we believe that the number one threat to consumer digital safety today is scams. We previously released the F‑Secure Scam Taxonomy — a comprehensive and methodical break­down of the different types of online scams impacting consumers today. Now, we have taken things a step further: rather than only looking at examples and instances of scams, we analyze the tactics and techniques adopted by scammers in a systematic and continuous way.

This is called the F‑Secure Scam Kill Chain — a rich and detailed know­ledge base about scams, breaking down both the high-level tactics and more detailed techniques, providing a formal foundation for researching and building defenses against scams. It’s designed to help protect consumers online against the ever-evolving scam land­scape.

This work has been inspired by the MITRE ATT&CK® framework, developed by the MITRE Corporation.

Introducing the F‑Secure Scam Kill Chain

The F-Secure Scam Kill Chain table of stages

Terminology

Tactics

Tactics are shown in the column header of the F‑Secure Scam Kill Chain. These are the individual steps scammers must take to achieve their goals and carry out a successful scam.

Techniques

These are detailed break­downs of the methods used by a scammer to achieve a particular goal during a tactic. For example, phishing is a technique used as a part of the Reconnaissance tactic to gain potentially private information. Techniques make up the rows of the matrix.

Scam tactics explained

Every scam is made up of a series of tactics, which we've coined as the F‑Secure Scam Kill Chain. Originating from the military, the term “Kill Chain” has been applied to cyber security for some time. Now, given the threat level scams pose to consumer safety, we’re extending it to cover scams targeting consumers too.

Flow diagram showing the 8 stages of the Scam Kill Chain: Reconnaissance, Development, Contact, Persistence, Access, Exfiltrate, Lateral movement, and Monetization

Stage 1: Reconnaissance

In the Reconnaissance tactic, the scammer gathers information about potential victims that they can use in the following tactics of the scam. Reconnaissance consists of both identifying potential victims as well as subsequently gathering their information for future use. Analogous to the “enterprise” or “mobile” context (in ATT&CK® frame­work), in F-Secure’s frame­work, we have the “scam” context. In this context, the “attack surface” is in fact the consumers who will be targeted by the scam.

The goal of the scammer is to identify as many victims as possible, or a more targeted group of victims, and gather as much information about them as possible. The scammer may use several techniques for this purpose, such as manually hunting for victim details from social media (name, address, interests, etc.), performing automatic data collection, phishing for information via SMS and phone calls, or purchasing personal data of victims from closed sources (i.e. illegal marketplaces) on the internet.

Stage 2: Development

For a scam to be successful, the scammer must carry out several steps, each building on the success of the last. In the Development tactic, the scammer establishes resources that eventually form the foundation of their entire scam.

These resources are used to support operations in later tactics of the F‑Secure Scam Kill Chain and include “creating, purchasing, or compromising/stealing resources that can be used to support targeting”. Such resources may include both physical (computing resources, human scammers, etc.) and virtual (web­sites, social media accounts, malware, etc.) infra­structure that is later used to scam victims.

Stage 3: Contact

Once potential victims are identified and their information is gathered, the scammer must leverage this information and contact them. In the Contact tactic, the scammer may use several manipulative techniques, including interactive contact (phone call), non-interactive contact (online advertisements), or a mixture of both.

Popular channels used by scammers include email, SMS, direct messages on social media, etc. In some cases, the victims them­selves may even contact the scammers (albeit inadvertently) for example by searching for pirated soft­ware on the internet. The ultimate goal of the Contact tactic is to initiate a response, either by sending a URL leading to a malicious site or getting the victim to provide them with private and sensitive information.

Stage 4: Persistence

As a scam progresses, the chances of it being discovered increase. At this stage, the scammer has invested effort in building and commencing the scam. The scammer now needs to prolong the scam by any means possible, in order to get to the Monetization tactic. We call this the Persistence tactic.

The scammer may apply several techniques to do this, but the focus is still on cultivating trust. This could mean lying about the intent of the scam, lulling the victims into a false belief of earning benefits by making small payments, or moving conversations to different message platforms to avoid detection.

Stage 5: Access

In this tactic, the scammer attempts to access the victims’ devices (lap­tops or mobiles, for example). The goal is to steal a variety of private information with or without getting a foot­hold on the device. Scammers are typically interested in victim data that can be consumed directly or sold, rented, or ransomed later. This could include personally identifiable information, credit card details, bank account details, etc.

The victims’ information may be accessed in several ways, either by theft, being shared directly by the victims, or accessed using malware. Although similar to the Contact tactic, it differs as the goal of the Access tactic is to actively access and control the victims’ information.

Stage 6: Exfiltrate

Just having access to the data isn’t enough, as this could be denied or revoked at any time. Now, the scammer must take possession of it. This happens in the Exfiltrate tactic, where the scammer takes possession of the stolen data either by sending it out from the device from which it was captured, or by saving the data entered by the victims on the scammer’s hosted service.

Some exfiltration techniques may warrant an interaction with victims, where­as others can be conducted without the victims being aware of data theft. Some techniques might be automated, whereas some are manual.

Stage 7: Lateral Movement

Typically, the success of a scam increases in line with the number of victims it gathers, and scammers tend to act on this philosophy to increase their profits. In the Lateral Movement tactic, the scammer will attempt to spread the scam to as many people as possible using the initial victims’ current environments.

This can happen in several ways, for example the scammer may abuse the initial victims’ social media accounts to spread the scam to other contacts, post scam messages on the first victims’ groups or forums, leverage one social media account to get access to another, etc. An added benefit of this pro­liferation is that it allows the scammer to hide their tracks, as it becomes harder for sub­sequent victims to identify the true perpetrator.

Stage 8: Monetization

The last and most crucial step in the F-Secure Scam Kill Chain is the Monetization tactic. Scamming is a business: making a profit is at the heart of almost every scammer's motive, and all previous tactics lead up to this point. However, the scammer must take steps to avoid being detected.

For example, direct money transfers might be traceable, and as the scammer and the victims may be in different geo­graphies, dealing in cash might be infeasible and attract unwanted attention. So, a scammer’s currency and means of monetization can be multi­fold, including actual money, crypto­currency leading to a plethora of investment schemes, sales of valuable data, identity of another person, benefits of utilizing premium member­ship of services (such as Steam) with­out paying, etc.
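As an added illustration (not part of the F-Secure framework or its tooling), the Python sketch below shows how an analyst could use the tactic/technique matrix described above to annotate a scam report: each observed technique is mapped to its tactic, and the tactics before the furthest one reached that have no observation are listed as visibility gaps. The tactic order comes from the article; the technique labels are shorthand invented for this example from techniques the article mentions, and the incident is constructed.

```python
# Added example: tactic order is from the article; technique labels are
# shorthand made up here, not official framework entries.
TACTICS = [
    "Reconnaissance", "Development", "Contact", "Persistence",
    "Access", "Exfiltrate", "Lateral Movement", "Monetization",
]

# Columns of the matrix (tactics) mapped to their rows (techniques).
MATRIX = {
    "Reconnaissance": {"social-media-harvesting", "phishing-for-information",
                       "purchased-personal-data"},
    "Development": {"scam-website", "fake-social-account"},
    "Contact": {"email", "sms", "social-media-dm", "online-ad", "phone-call"},
    "Persistence": {"small-payment-lure", "platform-switch"},
    "Access": {"victim-shared-data", "malware-access"},
    "Exfiltrate": {"data-sent-from-device", "data-saved-on-scammer-host"},
    "Lateral Movement": {"abused-victim-account", "group-or-forum-post"},
    "Monetization": {"money-transfer", "cryptocurrency", "data-sale"},
}

TECHNIQUE_TO_TACTIC = {
    tech: tactic for tactic, techs in MATRIX.items() for tech in techs
}


def annotate(observations):
    """Map observed technique labels onto the kill chain."""
    by_tactic, unknown = {}, []
    for label in observations:
        tactic = TECHNIQUE_TO_TACTIC.get(label)
        if tactic is None:
            unknown.append(label)  # not in the matrix: candidate new row
        else:
            by_tactic.setdefault(tactic, []).append(label)
    observed = [t for t in TACTICS if t in by_tactic]  # chain order
    furthest = observed[-1] if observed else None
    cutoff = TACTICS.index(furthest) if furthest else 0
    # Earlier tactics with no evidence: where the report lacks visibility.
    gaps = [t for t in TACTICS[:cutoff] if t not in by_tactic]
    return {"observed": observed, "furthest": furthest,
            "gaps": gaps, "unknown": unknown}


# Constructed incident: techniques extracted from one hypothetical report.
INCIDENT = ["sms", "scam-website", "platform-switch",
            "data-saved-on-scammer-host", "cryptocurrency", "gift-card"]

if __name__ == "__main__":
    print(annotate(INCIDENT))
```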

The official framework launches soon

We are excited to share a sneak preview of the F‑Secure Scam Kill Chain in this article, and we will be launching the official frame­work soon. Stay tuned.

In the meantime, if you want to learn more about how you can protect your customers against scams, you can contact us.

Copyright F-Secure Corporation 2024. All rights reserved.
