When Targeted Attacks Aren’t Targeted: The Magic of Cold Reading

Mass-scale computer attacks are sometimes mistaken for campaigns that target the concerned organization, causing unnecessary stress and expenses. The reason for the confusion is similar to the reason why a fortune teller seems to know so much about the customer whom he just met for the first time.

Concerns Over Targeted Computer Attacks

People are more aware of targeted computer attacks now than a few years ago. This is, in part, the result of the publicity-disclosed data breaches associated with advanced adversaries pursuing nation-state and private interests.

Targeted computer attacks are scary. It's very difficult to resist such focused threats. Moreover, they feel very personal to people involved in responding to the incidents. Targeted attack scenarios pierce the shield of emotional detachment that security professionals develop after being exposed to numerous security incidents.

Examples of Faux-Targeted Attacks

Consider the following mass-scale attack campaign that affected many organizations and individuals. It often feels like a targeted attack, but it isn't. The recipient receives an email message that appears to come from UPS, and warns the person that the shipping company was unable to deliver the postal package. The message is crafted to social-engineer the victim into opening the email attachment, which may be malware in the form of a Windows executable or a PDF file.

How did the attacker know that I sent the package, the victim might wonder? I'm being targeted! The shipping notice might feel like a targeted attack, because there is a high likelihood that the victim actually sent a UPS package. Yet, that is the case for many office workers.

A similar incident might be an email message that claims to provide details regarding a recently-scheduled meeting, but carries a malicious attachment. How did the attacker know I just scheduled a meeting? Well, many people have recently scheduled meetings. The attack isn’t necessarily targeting a particular person or organization.

The Magic of Cold Reading

Fortune tellers practice the magic of cold reading, whereby they seem to know the person's history, worries and weaknesses by merely looking at him. They often accomplish this by making generalized statements that are true for most people, with the expectation that the subject will find a way to make the statement apply to himself.

This approach to cold reading relies on the Forer effect, which refers to people's tendency to accept vague "personality descriptions as uniquely applicable to themselves without realizing that the same description could be applied to just about anyone." Take the following reading:

You have a need for other people to like and admire you, and yet you tend to be critical of yourself. While you have some personality weaknesses you are generally able to compensate for them. You have considerable unused capacity that you have not turned to your advantage. Disciplined and self-controlled on the outside, you tend to be worrisome and insecure on the inside.

Is this an accurate description of you?

Computer attackers use a similar approach when social-engineering messages to make them feel personally-relevant to victims. A related phenomenon is people’s tendency to see patterns where none were intended; this is called illusory pattern perception.

Taken together, these psychological factors provide an explanation for why individuals believe they might be victims of targeted attacks, even when they are actually dealing with generic mass-scale incidents.

If you believe your organization is dealing with a targeted attack, you’re right to worry. But keep in mind that some attacks that feel targeted, aren't. Consider all perspectives on the incident before making the diagnosis.

Updated

About the Author

I transform ideas into successful outcomes, building on my 25 years of experience in cybersecurity. As the CISO at Axonius, I lead the security program to earn customers' trust. I'm also a Faculty Fellow at SANS Institute, where I author and deliver training for incident responders. The diversity of cybersecurity roles I've held over the years and the accumulated expertise, allow me to create practical solutions that drive business growth.

Learn more