Security News > 2022 > September > Hackers now use ‘sock puppets’ for more realistic phishing attacks
An Iranian-aligned hacking group uses a new, elaborate phishing technique where they use multiple personas and email accounts to lure targets into thinking its a realistic email conversation.
The attackers send an email to targets while CCing another email address under their control and then respond from that email, engaging in a fake conversation.
Named 'multi-persona impersonation' by researchers at Proofpoint who noticed it for the first time, the technique leverages the psychology principle of "Social proof" to obscure logical thinking and add an element of trustworthiness to the phishing threads.
TA453's new tactic requires far more effort from their side to carry out the phishing attacks, as each target needs to be entrapped in an elaborate realistic conversation held by fake personas, or sock puppets.
In a third MPI phishing attack launched by TA453 against two academics specializing in nuclear arms control, the threat actors CCed three personas, going for an even more intricate attack.
In all cases, the threat actors used personal email addresses for both the senders and the CCed persons instead of addresses from the impersonated institutions, which is a clear sign of suspicious activity.
News URL
Related news
- North Korean Hackers Using New VeilShell Backdoor in Stealthy Cyber Attacks (source)
- DOJ, Microsoft seize 107 domains used in Russia's Star Blizzard phishing attacks (source)
- Microsoft and DOJ disrupt Russian FSB hackers' attack infrastructure (source)
- GitHub, Telegram Bots, and ASCII QR Codes Abused in New Wave of Phishing Attacks (source)
- Astaroth Banking Malware Resurfaces in Brazil via Spear-Phishing Attack (source)
- Notorious Hacker Group TeamTNT Launches New Cloud Attacks for Crypto Mining (source)
- North Korean govt hackers linked to Play ransomware attack (source)
- Midnight Blizzard Escalates Spear-Phishing Attacks On Over 100 Organizations (source)
- Windows infected with backdoored Linux VMs in new phishing attacks (source)
- Hackers increasingly use Winos4.0 post-exploitation kit in attacks (source)