[BreachExchange] Hackers impersonate women online to get into target corporate networks

Destry Winant destry at riskbasedsecurity.com
Thu Aug 3 07:28:13 EDT 2017


https://www.helpnetsecurity.com/2017/08/02/hackers-impersonate-women-online/

By all (online) accounts, Mia Ash was a pretty and successful
photographer based in London, and she was looking for friendship and
love on the Internet.

Her LinkedIn account told a story of a dedicated and knowledgeable
professional with over 500 connections (many from well known
photographers), her Instagram and Blogger accounts showed a myriad of
great photos, and her Facebook account painted a picture of a popular
young woman.

But unfortunately for those who believed her to be a real person, she
does not actually exist – the illusion that she does was meticulously
created by hackers.

The APT group behind Mia Ash

These hackers were not after money, but secrets, and the victims that
“Mia” so easily befriended were mostly mid-level employees in
technical (mechanical and computer) or project management roles in
companies in the Middle East and North Africa.

SecureWorks researchers believe that the “Mia Ash” persona was used by
a group they nicknamed Cobalt Gypsy, associated with Iranian
government-directed cyber operations, for the express purpose of
exploiting those contacts to breach their employers’ networks.

“Mia” would reach out to the victims via LinkedIn, asking a question
or two about photography, and would keep talking to them via Facebook,
WhatsApp and email about all sorts of subjects, slowly creating a
rapport that bred familiarity and trust.

After a month or so of everyday exchanges, “Mia” would ask for a
favor: “Can you open this file I sent you on your work computer?” The
pretext was, of course, less suspicious: Mia asked the victim to
participate in a photography survey by filling out an Excel sheet
containing the questions.

“Mia encouraged the victim to open the email at work using their
corporate email account so the survey would function properly,” the
researchers explained. And the victims complied: they opened the file,
enabled macros in order to view the content, and let the hackers in,
as the macros downloaded PupyRAT, an open source cross-platform remote
access trojan.
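The lure above hinges on a macro-enabled Excel workbook that the victim must open and "enable content" for. An Office Open XML file is a ZIP container, and a workbook that carries VBA code holds a vbaProject.bin part (and declares a macroEnabled content type), so a mail gateway or triage script can flag such attachments before anyone is asked to trust them. The following is an added example, not code from the article or from SecureWorks; the workbooks it checks are constructed in memory and the attachment names are made up.

```python
"""Flag Office Open XML attachments that carry a VBA project (macro-enabled)."""
import io
import zipfile

MACRO_PART_SUFFIX = "vbaproject.bin"          # the part that holds VBA code
MACRO_CONTENT_TYPE_MARKER = "macroenabled"    # e.g. ...sheet.macroEnabled.main+xml


def has_vba_macros(data: bytes) -> bool:
    """Return True if the OOXML container has a vbaProject.bin part or
    declares a macro-enabled content type; non-ZIP input yields False."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for name in zf.namelist():
                lower = name.lower()
                if lower.endswith(MACRO_PART_SUFFIX):
                    return True
                if lower == "[content_types].xml":
                    ctypes = zf.read(name).decode("utf-8", "replace").lower()
                    if MACRO_CONTENT_TYPE_MARKER in ctypes:
                        return True
    except zipfile.BadZipFile:
        return False
    return False


def triage_attachments(attachments: dict) -> list:
    """Return the names of attachments (name -> bytes) that contain macros."""
    return [name for name, data in attachments.items() if has_vba_macros(data)]


def build_workbook(macro_enabled: bool) -> bytes:
    """Constructed, minimal workbook container: just enough OOXML structure
    for the check above, not a workbook Excel would fully load."""
    main_type = ("application/vnd.ms-excel.sheet.macroEnabled.main+xml"
                 if macro_enabled else
                 "application/vnd.openxmlformats-officedocument"
                 ".spreadsheetml.sheet.main+xml")
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_type}"/>'
        "</Types>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro_enabled:
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed stub")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: one "survey" workbook with macros, one plain workbook.
    sample = {"photo_survey.xlsm": build_workbook(True),
              "notes.xlsx": build_workbook(False)}
    print("macro-enabled attachments:", triage_attachments(sample))
```

A macro-enabled attachment is not proof of malice, but it is the signal that should route a file to sandboxing or block it at the gateway rather than leaving the decision to the recipient's "Enable Content" click.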

Most of the victims should have known better than to open such a file
and enable macros on a computer on the corporate network, but the fact
that they did demonstrates how effective many social engineering
tactics are.

To be fair, the attackers did a good job in creating extremely
convincing online accounts, populated with content stolen from
legitimate photographers and professionals, and by choosing to make
the fake persona a young, attractive woman.

SecureWorks says Mia’s accounts were online for roughly a year, but
disappeared in early 2017. In that year, “she” had successfully
tricked many a victim.

Social engineering is a good bet for hackers

The researchers have been tracking multiple Cobalt Gypsy campaigns
since 2015, and have witnessed the group launching espionage campaigns
against organizations that are of strategic, political, or economic
importance to Iranian interests.

“The use of the Mia Ash persona demonstrates the creativity and
persistence that threat actors employ to compromise targets,” they
noted, and added that Mia Ash is likely one of many personas managed
by the threat actor.

“Cobalt Gypsy’s continued social media use reinforces the importance
of recurring social engineering training,” they also pointed out.

“Organizations must provide employees with clear social media guidance
and instructions for reporting potential phishing messages received
through corporate email, personal email, and social media platforms.
Guidance should include recommendations for reporting inquiries by an
unknown third party about an employer, business systems, or the
corporate network, or requests to perform actions such as opening a
document or visiting a website.”
