Hackers use personal phishing emails to hook employees
Cyber criminals gain corporate access through use of social media
By Byron Acohido, ThirdCertainty
In the wake of phishing attacks involving Google Docs and DocuSign, corporate awareness of socially engineered cybersecurity threats is at an all-time high. Naturally, this has led to an increase in employee training and awareness.
That training is badly needed. According to Software Advice, 39 percent of employees admitted to opening emails they suspected might be fraudulent, and only 36 percent felt very confident in their ability to recognize and resist phishing attacks.
While awareness of phishing aimed at corporate inboxes is vital, so too is awareness of phishing that starts in an employee’s personal environment and only later crosses into the company. That is what happened in the curious case of Mia Ash.
I recently sat down with Allison Wikoff, senior researcher and intelligence analyst for Dell SecureWorks Counter Threat Unit, at Black Hat 2017 in Las Vegas. With the conference as a suitable backdrop, we discussed this recent social media phishing campaign by the Iranian hacker group Cobalt Gypsy. Here are the key takeaways from our discussion.
Who is Mia Ash? Mia Ash purported to be a London-based photographer with social media profiles on LinkedIn and Twitter. In reality, the persona was fabricated by Cobalt Gypsy, an Iran-based hacker group that focuses largely on the oil industry. Mia Ash was the second step of a two-step campaign. Cobalt Gypsy first tried to phish its targets with a Word document attached to an email. When that failed, Mia Ash began reaching out to individual employees.
Personal phishing in a corporate environment. Using Mia Ash’s LinkedIn profile, Cobalt Gypsy identified staffers likely to hold elevated access to company systems and data. It approached them individually with “harmless” conversation about photography, built rapport over weeks, and eventually persuaded a target to take a photography survey and open it on his work computer, inside the corporate network. Surprise, surprise: the survey was a macro-laden Office document that installed Pupy RAT (Pupy is an open-source, cross-platform remote administration tool), whose credential-harvesting capability gave the group a foothold from which to reach corporate data. Because the lure arrived through a personal social media account rather than the corporate mail gateway, none of the company’s email filtering or attachment sandboxing ever saw it; the only control left in the path was the endpoint on which the file was opened.
Broaden phishing training as a result. Many companies do a good job of training employees to recognize phishing attacks arriving through corporate channels. In this case, however, the attack came through a personal relationship, not a corporate inbox. Companies therefore need to expand social engineering training to cover employees’ personal networks, and to treat files that arrive through personal channels on a work device with the same suspicion as an unsolicited external attachment. Ultimately, employees (and everyone) need to validate online contacts and their requests through real-world relationships: a colleague who can vouch for the person, a call to a known phone number, or a check with the security team before opening anything a new online acquaintance sends.