How Hackers Are Using Sock Puppets To Carry Out Convincing Phishing Attacks

Cybersecurity researchers at Proofpoint have been keeping tabs on an Advanced Persistent Threat (APT) known as TA453 and recently found the threat actor employing a phishing technique that makes use of sock puppet email accounts. Sock puppets are alternate accounts or personas used in a deceptive manner by a single actor. Proofpoint has observed instances of threat actors leveraging multiple email personas in a single email chain to carry out phishing attacks, prompting the cybersecurity firm to name this technique “multi-persona impersonation” (MPI).

The most recent threat actor to make use of this technique is TA453, an Iranian threat group also known as “Charming Kitten.” Proofpoint’s research indicates that this group works to support the interests of the Islamic Revolutionary Guard Corps (IRGC). TA453 largely targets academics, policymakers, diplomats, journalists, and human rights advocates. The threat actor conducts phishing attacks by corresponding with its targets under the guise of a journalist, academic, or other individual interested in the work of the targets.

A persona replying to an email chain started by a different persona (click to enlarge) (source: Proofpoint)

TA453 has recently changed its tactics slightly by pretending to be multiple individuals at once in its email correspondence. Presumably, the idea behind this change in technique is that an email chain with multiple active participants is more likely to appear legitimate than an email sent by a single individual. The image above shows one email from a chain written by multiple personas as part of a phishing attack.

The attack began with an email sent by “Harald Ott” asking for feedback on a project related to the target’s field of research. This first email identified and cc’d two other personas by the names of “Clair Parry” and “Andrew Marshall.” “Andrew” then followed up the first email by preemptively thanking the target for his time and expressing eagerness to hear back from the target. “Harald,” “Andrew,” and “Claire” are all personas controlled by the threat actor, but their manufactured correspondence lends the appearance of legitimacy to the email chain.

The target eventually replied to the email chain, prompting “Harald” to send a further email linking to a Word document titled “Ott-Lab 371.docx.” This Word document downloads a macro-enabled template containing three different macros. These macros collect and exfiltrate user and device information, including the user’s IP address and a list of running processes. The macros don’t appear to perform any additional malicious actions, so they may be intended for reconnaissance, with the threat actor planning to conduct further attacks later based on the software identified on victims’ machines. The malicious payload aside, this attack demonstrates that phishing attacks can come in the form of an active email chain containing multiple correspondents, making it more difficult for users to identify attacks as such before it’s too late.

Top image courtesy of Alex Brown