Fake hot-babe spears businessmen on LinkedIn

Throw all the social engineering awareness training at employees you got: they’re still mammals, and that means that fake profiles of hot chicks could drug them into pheromone-fueled click-happiness.

We saw it with the fake femme fatale whose LinkedIn profile was patently fake (a 28-year-old MIT grad with 10 years of experience? Oh, puh-leez!) yet who still duped IT guys at a US government agency that specializes in offensive cybersecurity.

Duped, as in, “Need a laptop, you cute new hire? Network access? All courtesy of a shortcut around channels set up for new hires? I’m your guy!!!”

That fake LinkedIn hottie, “Emily Williams,” was created by penetration testing team World Wide Technology in 2012. In other words, it was inflicted, along with invitations to click on boobytrapped birthday or holiday cards, without malicious intent.

The same cannot be said about “Emily’s” counterpart, “Mia Ash.”

Mia, apparently another cardboard cutout profile posted onto LinkedIn, is purportedly a London-based photographer. But according to SecureWorks’ Counter Threat Unit (CTU), she’s as fake as a $3 bill, and her creators had intentions as malicious as a RAT (Remote Access Trojan).

The CTU first got wind of Mia earlier this year when researchers spotted phishing campaigns targeting high-value marks in the Middle East and North Africa, specifically focused on Saudi Arabian organizations. The phishing campaigns didn’t work, so the malicious actors – likely a threat group associated with Iranian government-directed cyber operations, the CTU says – moved on to “highly targeted” spearphishing and social engineering attacks.

They used the name Mia Ash, but “she” was only one of a collection of fake social media profiles they used, researchers said. Judging by the connections established by the Mia persona, the Mia campaign started around April 2016.

The images in the social media profiles of “Mia Ash” were likely taken from an apparently legitimate photographer and student in Romania. The photos are identical to those used in the Instagram account of “bittersweetvenom24.” That photographer is a prolific poster of what CTU researchers assume are self portraits, hundreds of which have been uploaded to social media sites such as DeviantArt, Instagram, and Facebook.

“Mia” cozied up to connections in industries such as telecommunications, government, defense, oil and financial services. The researchers found several connections on the Mia Ash Facebook page whose names were the same as those in the LinkedIn profile. The modus operandi was to connect on LinkedIn, then suggest shifting to Facebook for a more intimate platform to communicate. Going by their job titles, those contacts had elevated access privileges in their organizations, such as technical support engineer, software developer, and system support.

Given who was targeted, CTU researchers think it’s likely that a threat group called COBALT GYPSY is managing the Mia Ash persona. The unit has been tracking COBALT GYPSY campaigns since 2015, during which time the group has launched espionage campaigns against organizations that CTU says are of “strategic, political, or economic importance to Iranian interests.”

Phishing messages observed between 28 December 2016 and 1 January 2017 all contained shortened URLs that led to a Word document rigged with a macro. That’s the same method that was used to break into Gmail accounts of John Podesta and the Democratic National Committee (DNC). In those attacks, Bit.ly shortened URLs were used to redirect victims to a URL made to look like a legitimate Gmail login page but which was actually a grab for victims’ account credentials.

For its part, the COBALT GYPSY group used a macro that ran a PowerShell command that attempted to download additional PowerShell loader scripts for PupyRAT, an open-source RAT that works cross-platform (on Windows, Linux, OSX or Android). If PupyRAT managed to launch on a targeted system, it was game over: the attackers gained full access to a victim’s system.

CTU researchers detail how one victim was pwned: “Mia Ash” reached out to an employee at a targeted organization via LinkedIn on 13 January 2017. “Mia” said that she was contacting people around the world. After chatting for a few days, Mia shifted the conversation to Facebook, then on to email and WhatsApp. Then, Mia sent him a boobytrapped Microsoft Excel document disguised as a “photography survey.” That was how PupyRAT got him.

From what the researchers can determine, creating a young, attractive, fake female photographer or other social media babe and using the persona to flirt with lonely guys in the Middle East is working out well for the attackers, who’ve managed to get unauthorized access to multiple targeted computer networks. A 2015 COBALT GYPSY phishing campaign used 25 fake LinkedIn profiles for employees of prominent companies in the Middle East and elsewhere. They were fully fleshed-out fakes: some of them had 500 or more connections.

According to the Security Ledger, the targets SecureWorks has identified have all been male, between the ages of 20 and 40. Allison Wikoff, a SecureWorks security analyst, noted that this is one shtick that’s as old as dirt:

This is an age-old trick. You have an attractive and young woman reach out and strike up a conversation.

How do you throw targeted employees into a cold shower so they don’t fall for this?

  • Constant social engineering awareness training. Doing it annually won’t stick. Employees have to develop instincts, which entails repetition.
  • Teach them not to share so much on social media. Work-related details are a goldmine for phishers.
  • Teach them not to friend strangers. If you haven’t met someone in person, don’t accept their friend request.
  • Strong, separate passwords for different types of data.
  • Segment the network. If attackers compromise an employee with access to one network segment, this can stop the attack from spreading.
  • Set up a point person to report phishing attacks to. If the attacker fails to trick the first user they call, you’ll want the next user to have been alerted in advance that an attack is going on.

This all should be incorporated into a strategy of defense in depth. To plan out that type of security strategy, which will include defending against social engineering, check out Sophos’s Practical IT guide to planning against threats to your business.

All well and good. But will this advice save our bacon, given that we are, in fact, mere mortals, and as such, we have the drive to be social creatures?

A quote from a commenter on the “Emily Williams” story:

[This] goes much deeper than just sex appeal. Much of the [standard security] advice … goes deeply against our social nature.

We are expected to live our (professional at least) lives in a state of constant distrust, being coldly skeptical of friendliness. Trust no one, view everyone as a potential threat, either now or in the future. Remain aloof, even cold.