Throw all the social engineering awareness training at employees you got: they’re still mammals, and that means that fake profiles of hot chicks could drug them into pheromone-fueled click-happiness.
We saw it with the fake femme fatale whose LinkedIn profile was patently fake (a 28-year-old MIT grad with 10 years of experience? Oh, puh-leez!) yet who still duped IT guys at a US government agency that specializes in offensive cybersecurity.
Duped, as in, “Need a laptop, you cute new hire? Network access? All courtesy of a shortcut around channels set up for new hires? I’m your guy!!!”
That fake LinkedIn hottie, “Emily Williams,” was created by penetration testing team World Wide Technology in 2012. In other words, it was inflicted, along with invitations to click on boobytrapped birthday or holiday cards, without malicious intent.
The same cannot be said about “Emily’s” counterpart, “Mia Ash.”
Mia, apparently another cardboard cutout profile posted onto LinkedIn, is purportedly a London-based photographer. But according to SecureWorks’ Counter Threat Unit (CTU), she’s as fake as a $3 bill, and her creators had intentions as malicious as a RAT (Remote Access Trojan).
The CTU first got wind of Mia earlier this year when researchers spotted phishing campaigns targeting high-value marks in the Middle East and North Africa, specifically focused on Saudi Arabian organizations. The phishing campaigns didn’t work, so the malicious actors – likely a threat group associated with Iranian government-directed cyber operations, the CTU says – moved on to “highly targeted” spearphishing and social engineering attacks.
They used the name Mia Ash, but “she” was only one of a collection of fake social media profiles they used, researchers said. Judging by the connections established by the Mia persona, the Mia campaign started around April 2016.
The images in the social media profiles of “Mia Ash” were likely taken from an apparently legitimate photographer and student in Romania. The photos are identical to those used in the Instagram account of “bittersweetvenom24.” That photographer is a prolific poster of what CTU researchers assume are self portraits, hundreds of which have been uploaded to social media sites such as DeviantArt, Instagram, and Facebook.
“Mia” cozied up to connections in industries such as telecommunications, government, defense, oil and financial services. The researchers found several connections on the Mia Ash Facebook page whose names were the same as those in the LinkedIn profile. The modus operandi was to connect on LinkedIn, then suggest shifting to Facebook for a more intimate platform to communicate. Going by their job titles, those contacts had elevated access privileges in their organizations, such as technical support engineer, software developer, and system support.
Given who was targeted, CTU researchers think it’s likely that a threat group called COBALT GYPSY is managing the Mia Ash persona. The unit has been tracking COBALT GYPSY campaigns since 2015, during which time the group has launched espionage campaigns against organizations that CTU says are of “strategic, political, or economic importance to Iranian interests.”
Phishing messages observed between 28 December 2016 and 1 January 2017 all contained shortened URLs that led to a Word document rigged with a macro. That’s the same method that was used to break into Gmail accounts of John Podesta and the Democratic National Committee (DNC). In those attacks, Bit.ly shortened URLs were used to redirect victims to a URL made to look like a legitimate Gmail login page but which was actually a grab for victims’ account credentials.
For its part, the COBALT GYPSY group used a macro that ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT, an open-source RAT that works cross-platform (on Windows, Linux, OSX or Android). If PupyRAT managed to launch on a targeted system, it was game over: the attackers gained full access to a victim’s system.
CTU researchers detail how one victim was pwned: “Mia Ash” reached out to an employee at a targeted organization via LinkedIn on 13 January 2017. “Mia” said that she was contacting people around the world. After chatting for a few days, Mia shifted the conversation to Facebook, then on to email and WhatsApp. Then, Mia sent him a boobytrapped Microsoft Excel document disguised as a “photography survey.” That was how PupyRAT got him.
From what the researchers can determine, creating a young, attractive, fake female photographer or other social media babe and using the persona to flirt with lonely guys in the Middle East is working out well for the attackers, who’ve managed to get unauthorized access to multiple targeted computer networks. A 2015 COBALT GYPSY phishing campaign used 25 fake LinkedIn profiles for employees of prominent companies in the Middle East and elsewhere. They were fully fleshed-out fakes: some of them had 500 or more connections.
According to the Security Ledger, the targets SecureWorks has identified have all been male, between the ages of 20 and 40. Allison Wikoff, a SecureWorks security analyst, noted that this is one shtick that’s as old as dirt:
This is an age-old trick. You have an attractive and young woman reach out and strike up a conversation.
How do you throw targeted employees into a cold shower so they don’t fall for this?
- Constant social engineering awareness training. Doing it annually won’t stick. Employees have to develop instincts, which entails repetition.
- Teach them not to share so much on social media. Work-related details are a goldmine for phishers.
- Teach them not to friend strangers. If you haven’t met someone in person, don’t accept their friend request.
- Strong, separate passwords for different types of data.
- Segment the network. If attackers compromise an employee with access to one network segment, this can stop the attack from spreading.
- Set up a point person to report phishing attacks to. If the attacker fails to trick the first user they call, you’ll want the next user to have been alerted in advance that an attack is going on.
This all should be incorporated into a strategy of defense in depth. To plan out that type of security strategy, which will include defending against social engineering, check out Sophos’s Practical IT guide to planning against threats to your business.
All well and good. But will this advice save our bacon, given that we are, in fact, mere mortals, and as such, we have the drive to be social creatures?
A quote from a commenter on the “Emily Williams” story:
[This] goes much deeper than just sex appeal. Much of the [standard security] advice … goes deeply against our social nature.
We are expected to live our (professional at least) lives in a state of constant distrust, being coldly skeptical of friendliness. Trust no one, view everyone as a potential threat, either now or in the future. Remain aloof, even cold.
Bryan
I clicked the title and was already thinking a paraphrase of your first paragraph. We fellas are a rather predictable lot–guilty. Good info here; thanks Lisa.
Funny how you postulate whether awareness can save our “bacon,” yet another siren’s call.
Steve
Why is it that when you write a story like this one, female victims are poor innocent lonely hearts, but male victims are just dumb horny animals? How about some even treatment?
Paul Ducklin
As far as I can see, the reason is this: that’s how the crooks play it.
The romance scanners seem to target female lonely hearts because that’s what gives the best results. For example, they don’t concentrate so much on what the fake persona looks like, but on their background and life history – where they grew up, how they got on at school, what trials and tribulations they have gone through in their life. They aren’t aiming at a one-shot attack where they drop malware on your computer and take the loot – they are aiming at keeping the “romance” going for as long as possible and milking the victim for money over and over. It’s a long-distance romance, not a fling.
Their scams work against that sort of victim because that’s the crime that these crooks have become good at.
On the other hand, the honeypot scammers seem to target exactly sort of victim you describe: blokes who are doing a bit of short-term thinking with their, ahem, other brain.
In short: it’s the crooks who are handing out the uneven treatment, because they are aligning the technique with the target.
(Crooks go equipped with different tools – I am speculating here! – if they set out to steal a bicycle than if they set out to burgle an office.)
Joe
I keep finding in my RSS feed messages from someone who says:
I respond to cash and spicy sites, so don’t be shy.
How should I respond?
Paul Ducklin
Hahahahaha. Well, Lisa is a freelancer (though she has written for us both regularly and frequently for years), so she’s entitled to say that she’s available for hire…
I think we’re all happy that this is a lighthearted way of saying that she will do an honest day’s work for cool people in return for money, not of implying that she is easily bribed or led astray :-)