Phishing attackers are now using multiple email accounts to start group conversations with you

No, nuclear scientists aren’t emailing you, they’re hackers


Iranian state-sponsored hackers have come up with a new sleazy trick to get people into downloading malicious attachments, researchers are warning.

Cybersecurity experts from Proofpoint found the TA453 threat actor, allegedly linked to the Islamic Revolutionary Guard Corps (IRGC), is engaging in “multi-persona impersonation”, or “sock-puppeting”, to get victims into downloading malware.

In other words, they’re having email conversations with themselves, while letting the victims listen on the sides, before tricking them into downloading a file that wasn’t even necessarily sent to them.

Faking a conversation


Here’s how it works: the threat actors would create multiple fake email accounts, stealing the identities of scientists, directors, and other high-profile individuals. Then, they’d send an email from one of the addresses to the other, CC-ing the victim in the process. A day or two later, they’d reply to that email, from the second address that also belongs to them.

That way the victim, essentially caught in the middle of an email thread, could lower their guard and get a fake sense of legitimacy about the whole thing. After a short back-and-forth, one of the participants would send an attachment to the other participants, and should the victim download and run it on their endpoints, they’d get a .DOCX file filled with dangerous macros.


The biggest red flag in this campaign is the fact that all of the emails used in the attack are created on major email providers, such as Gmail, Outlook, or Hotmail, instead of being on the domains of the impersonated institutions.
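The pattern described above (several personas on consumer webmail providers, a victim who is only CC’d, and an attachment arriving from one of those personas) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added illustration written for this article, not Proofpoint’s tooling or code from the campaign; the thread it analyses is constructed inline, the persona names and addresses are invented, and `ORG_DOMAIN` is a placeholder for the defending organisation’s own domain.

```python
from email.message import EmailMessage
from email.utils import getaddresses, parseaddr

# Consumer webmail providers named in the article; extend for your environment (assumption).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com"}
# Placeholder for the defending organisation's domain (assumption).
ORG_DOMAIN = "example.org"


def domain_of(addr):
    """Return the lower-cased domain part of an email address."""
    return addr.rsplit("@", 1)[-1].lower()


def make_message(sender, to, cc, subject, body, attachment=None):
    """Build a constructed sample message (test data, not a real capture)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        # Dummy bytes stand in for the document; only the presence of an attachment matters here.
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="vnd.openxmlformats-officedocument.wordprocessingml.document",
                           filename=attachment)
    return msg


# Constructed three-message thread mirroring the described technique: two invented personas
# on freemail domains talk to each other, the target is only ever CC'd, and the last message
# carries a .docx attachment.
PERSONA_ONE = "Dr. First Persona <persona.one@gmail.com>"
PERSONA_TWO = "Prof. Second Persona <persona.two@outlook.com>"
TARGET = "Analyst <analyst@example.org>"

SAMPLE_THREAD = [
    make_message(PERSONA_ONE, [PERSONA_TWO], [TARGET], "Workshop planning",
                 "Could you review the agenda when you have a moment?"),
    make_message(PERSONA_TWO, [PERSONA_ONE], [TARGET], "Re: Workshop planning",
                 "Happy to. Please send over the latest draft."),
    make_message(PERSONA_ONE, [PERSONA_TWO], [TARGET], "Re: Workshop planning",
                 "Draft attached.", attachment="agenda.docx"),
]


def analyze_thread(messages):
    """Score a thread for the multi-persona freemail pattern; returns findings plus evidence."""
    freemail_senders = {}      # address -> display name claimed by that persona
    attachment_senders = set()
    org_only_cc = True         # stays True while no org recipient ever appears in To

    for msg in messages:
        name, addr = parseaddr(msg["From"])
        addr = addr.lower()
        if domain_of(addr) in FREEMAIL_DOMAINS:
            freemail_senders[addr] = name
        if any(True for _ in msg.iter_attachments()):
            attachment_senders.add(addr)

        to_addrs = [a.lower() for _, a in getaddresses(msg.get_all("To", []))]
        if any(domain_of(a) == ORG_DOMAIN for a in to_addrs):
            org_only_cc = False

    findings = []
    if len(freemail_senders) >= 2:
        findings.append("multiple freemail personas conversing in one thread")
    if org_only_cc and messages:
        findings.append("internal recipient is only ever CC'd, never addressed directly")
    risky = sorted(attachment_senders & freemail_senders.keys())
    if risky:
        findings.append("attachment sent by a freemail persona")

    return {
        "freemail_senders": freemail_senders,
        "attachment_from_freemail": risky,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze_thread(SAMPLE_THREAD)
    for line in result["findings"]:
        print("FLAG:", line)
```

None of the three signals is conclusive on its own (plenty of legitimate contacts use Gmail), but all three together describe exactly the thread structure the researchers observed, which makes the combination a sensible trigger for quarantining the attachment and alerting the recipient rather than delivering it silently.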

“The downloaded template, dubbed Korg by Proofpoint, has three macros: Module1.bas, Module2.bas, and ThisDocument.cls,” the researchers explained. “The macros collect information such as username, list of running processes along with the user’s public IP from my-ip.io and then exfiltrates that information using the Telegram API.”


Although they couldn’t verify it, the researchers believe that the threat actors engage in additional exploitation further down the road.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
