Regardless of all the schooling and social-engineering awareness training a person may go through in life, they will still react to someone's online interest in them the same way any of us would: an attractive stranger sends a connection request, and the request is accepted.
Recently, a London-based photographer named Mia Ash has been posting beautiful photos online and sending out LinkedIn connection requests, chiefly to businessmen in the Middle East and North Africa, with a particular focus on Saudi Arabian organizations.
But according to SecureWorks' Counter Threat Unit (CTU), she's as fake as a $3 bill, and her creators' intentions were as malicious as the RAT (Remote Access Trojan) they were delivering.
The CTU first got wind of Mia earlier this year when researchers spotted phishing campaigns targeting high-value marks in the region. The phishing campaigns didn’t work, so the malicious actors – likely a threat group associated with Iranian government-directed cyber operations, the CTU says – moved on to “highly targeted” spearphishing and social engineering attacks.
They used the name Mia Ash, but “she” was only one of a collection of fake social media profiles they used, researchers said. Judging by the connections established by the Mia persona, the Mia campaign started around April 2016.
The images in the social media profiles of “Mia Ash” were likely taken from an apparently legitimate photographer and student in Romania. The photos are identical to those used in the Instagram account of “bittersweetvenom24.”
“Mia” cozied up to connections in industries such as telecommunications, government, defense, oil and financial services. The researchers found several connections on the Mia Ash Facebook page whose names were the same as those in the LinkedIn profile. The modus operandi was to connect on LinkedIn, then suggest shifting to Facebook for a more intimate platform to communicate. Going by their job titles, those contacts had elevated access privileges in their organizations, such as technical support engineer, software developer, and system support.
Given who was targeted, CTU researchers think it’s likely that a threat group called COBALT GYPSY is managing the Mia Ash persona. The unit has been tracking COBALT GYPSY campaigns since 2015, during which time the group has launched espionage campaigns against organizations that CTU says are of “strategic, political, or economic importance to Iranian interests.”
Phishing messages observed between 28 December 2016 and 1 January 2017 all contained shortened URLs that led to a Word document rigged with a macro. A shortened link that hides the real destination was also the hook in the spearphishing that compromised John Podesta's Gmail account and the Democratic National Committee (DNC).
CTU researchers detail how one victim was compromised: "Mia Ash" reached out to an employee at a targeted organization via LinkedIn on 13 January 2017. "Mia" said that she was contacting people around the world. After chatting for a few days, Mia shifted the conversation to Facebook, then on to email and WhatsApp. Finally, Mia sent him a booby-trapped Microsoft Excel document disguised as a "photography survey." That document delivered PupyRAT.
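The two observable artifacts in the delivery described above are a shortened link in the message and an Office attachment that carries a macro project. The following triage script is an added example, not code from the CTU report or the Sophos article: it flags shortener domains in a message body and checks whether an OOXML attachment (docx/docm/xlsx/xlsm) contains a VBA project, which such files store as a part named vbaProject.bin inside the zip container. The shortener list, the sample message and the in-memory workbooks are constructed here for illustration.

```python
"""Triage for the Mia Ash lure: shortened links plus macro-bearing Office files.
Added example; sample data below is constructed, not taken from the report."""
import io
import re
import zipfile

# Shortener domains commonly abused to hide a link's true destination.
# Assumed list for illustration; extend it for your environment.
URL_SHORTENERS = {"bit.ly", "goo.gl", "tinyurl.com", "t.co", "ow.ly", "is.gd"}

# Captures the host in group 1 and the full URL in group 0.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)[^\s<>\"']*")


def shortened_links(text):
    """Return every URL in a message body whose host is a known shortener."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if m.group(1).lower() in URL_SHORTENERS]


def has_vba_project(doc_bytes):
    """True if an OOXML document embeds a VBA macro project.

    OOXML files are zip containers; a macro-enabled document keeps its VBA
    in a part named vbaProject.bin (under word/ or xl/). Legacy binary
    .doc/.xls files are not zips and need a different parser (e.g. oletools).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(doc_bytes)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def build_sample_xlsx(with_macro):
    """Construct a minimal OOXML workbook in memory (constructed test data).

    The vbaProject.bin payload is a dummy OLE-like header, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            z.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


def triage(message_text, attachment_bytes):
    """Combine both signals into a verdict an analyst can act on."""
    links = shortened_links(message_text)
    macro = has_vba_project(attachment_bytes)
    return {"shortened_links": links,
            "macro_attachment": macro,
            "suspicious": bool(links) or macro}


# Constructed sample message in the style of the lure; not from the report.
SAMPLE_MESSAGE = ("Hi, could you fill in my photography survey? "
                  "https://bit.ly/abc123 - thanks, Mia")

if __name__ == "__main__":
    print(triage(SAMPLE_MESSAGE, build_sample_xlsx(with_macro=True)))
```

The macro check only says a VBA project exists; it does not parse or rate the macro. In practice, pair it with a tool that extracts and inspects the VBA (oletools' olevba, for instance) and with a policy that blocks macro-enabled attachments from external senders.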
From what the researchers can determine, building a young, attractive but entirely fake social media persona and using it to make contact with men at targeted organizations in the Middle East is working well for the attackers, who have gained unauthorized access to multiple targeted computer networks.
The above article was sourced from Sophos and can be read in its entirety here.