Hackers use personal phishing emails to hook employees

Cyber criminals gain corporate access through use of social media


In the wake of phishing attacks involving Google Docs and DocuSign, corporate awareness of socially engineered cybersecurity threats is at an all-time high. Naturally, this has led to an increase in employee training and awareness.

This kind of action couldn't be more necessary. According to Software Advice, 39 percent of employees admitted to opening emails they suspected might be fraudulent. And only 36 percent felt they were very confident in recognizing and resisting phishing attacks.

Related article: How criminals leverage social media content to accelerate account takeovers

While increased awareness of corporate-based phishing attempts is vital, so, too, is awareness of phishing attempts that start in an employee's personal environment before transitioning into the company. This is what happened in the curious case of Mia Ash.

I recently was joined by Allison Wikoff, senior researcher and intelligence analyst for Dell SecureWorks Counter Threat Unit, at Black Hat 2017 in Las Vegas. With the conference proceedings as a suitable backdrop, we discussed this recent social media-based phishing scam from Iranian hacker group Cobalt Gypsy. Here are the key takeaways from our discussion.

Who is Mia Ash? Mia Ash was a supposed London-based photographer with social media profiles on LinkedIn and Twitter. In reality, it was a fake persona created by Cobalt Gypsy, an Iran-based hacker group that largely focuses on the oil industry. Mia Ash was the second step of a two-step attack program. Cobalt Gypsy initially tried to phish via a Word document attached to an email. When this failed, Mia Ash reached out to individual employees.

Personal phishing in a corporate environment. Using Mia Ash's profile on LinkedIn, Cobalt Gypsy was able to find key staffers who were likely to have elevated access to company data. By targeting them specifically and initiating "harmless" conversations, the hacker group eventually was able to persuade employees to take a photography survey and open it on the corporate server. Surprise, surprise, the survey contained a Pupy RAT (Pupy is an open-source remote administration tool) with a credential-stealing component that targeted corporate data.

Broaden phishing training as a result. Many companies are doing a great job at training employees to recognize phishing attacks coming into the organization. In this case, however, the attack came from a personal environment, not a corporate environment. As a result, companies need to look at ways to expand social engineering training to include employees' personal networks. Ultimately, employees (and everyone) need to validate online content with real-world relationships.
