Hackers are launching more sophisticated phishing attacks. This time it’s not just posing as your IT guy sending you suspicious links through email. This new scam involves using fake ‘sock puppet’ email accounts to trick you into thinking you are part of conservation among colleagues.
Researchers at Proofpoint (opens in new tab) (via Bleeping Computer (opens in new tab)) call the technique “multi-persona impersonation,” or MPI. The technique involves looping the target into a fake email exchange between multiple scammer personas in an attempt to convince them that it’s a legitimate conversation. Once trust is gained, sometimes after engaging in “benign conversations with targets for weeks,” according to Proofpoint, the hackers deliver a malicious link.
The email exchange will be related to the target’s industry or field of research so that being included in the chain won’t necessarily seem out of the ordinary.
The group responsible is designated TA453, which Proofpoint believes works for Iran’s Islamic Revolutionary Guard Corps. The group’s tactics have evolved over time. Previously, TA453 attackers would pose as individual journalists or researchers covering Middle East policies, targeting “academics, policymakers, diplomats, journalists, and human rights workers,” says Proofpoint. They’d try to engage the targets in one-on-one conversations but started using this group email sock puppet strategy earlier this year.
One example shows an email sent to two actual US/Russia relations experts from a “Carrol” and three more personas with email accounts run by the hackers. Others include pitches for research collaboration from the “director of research” of a university. In each case, the sock puppet accounts would reply to each other in an effort to lend the conversation legitimacy.
The initial emails and fake responses usually don’t have any links, says Proofpoint. It’s generally around the fourth or fifth message where a link gets shared, then a follow-up message asking the target to read the file coming days later.
Sometimes it’s a Zoom call link, a password-protected ‘research’ file, or a straightforward article link. The link is loaded with malware that scrapes your PC for personal information and sends those details back to the attackers.
The tactic capitalizes on the victim’s FOMO, as Proofpoint puts it. The researchers point to a study that showed that people tend to “copy the actions of others,” according to a description of the “social proof” principle in Psychology Today (opens in new tab).
These hackers seem to have a specific group of targets in mind, so unless you’re a Middle East or US-Russia policy expert, you’re probably in the clear. Be cautious anyway, though: Scammers will use whatever blueprints work, so this one could spread. Another recently spotted new phishing technique (opens in new tab)uses a fake pop-up window to convincingly simulate a Steam login form.