TA453, an Iran-linked advanced persistent threat (APT) group, is going to increasingly elaborate lengths to compromise its targets, employing a social engineering technique known as multi-persona impersonation (MPI) to trick targets into opening its tainted emails.
That's according to researchers at Proofpoint, who coined the term MPI for this spoofing technique in their Email Fraud Classification Framework. The technique is summarised simply as the use of multiple actor-controlled personas in a single email thread to lend credibility to the message's goals.
The technique draws on a psychological principle known as social proof, or informational social influence, defined by Wikipedia as a phenomenon whereby people copy the actions of others in an effort to behave appropriately in situations that seem ambiguous or in which they are uncertain.
Social proof as a concept is widely used by sales and marketing professionals, but although the phenomenon was identified nearly 40 years ago by American psychologist Robert Cialdini as one of the "seven principles of influence", its use in an effective phishing campaign is highly unusual, as Proofpoint vice-president of threat research and detection Sherrod DeGrippo explained.
"MPI requires more resources to be used per target – potentially burning more personas – and a coordinated approach between the different personas used by TA453," she said.
"Researchers involved in international security, especially those specialising in Middle East studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts contacted by journalists should check the publication's website to see whether the email address belongs to a legitimate reporter."
DeGrippo added: “State-linked threat actors are some of the best at creating well-thought-out social engineering campaigns to reach their intended victims.”
This is certainly the case with TA453. Tracked by others as Charming Kitten, Phosphorus and APT42, the group is finding MPI highly effective against its targets, which, as noted, continue to be organisations of interest to Iran's intelligence services.
In a typical campaign, TA453 poses as a single persona to engage its target, initially through a benign conversation that eventually leads to the delivery of malicious links, and thereby to the harvesting of credentials.
This changed in mid-2022, when the group was observed posing as a real researcher at the Foreign Policy Research Institute (FPRI) think-tank, with an email that asked its target a series of questions about Israel and the US-brokered Abraham Accords. However, whereas earlier campaigns had appeared to the victim as a one-on-one conversation, this email mentioned, and included in the CC line, a named analyst at the PEW Research Center.
The second persona then replied to the email a day later, probably in an attempt to convince the target that the first email was legitimate and to solicit a response. However, Proofpoint did not observe any malicious documents or links being delivered through this thread.
In a second campaign observed in June 2022, TA453 attempted to compromise a target specialising in genome research by impersonating three individuals, all of whom are again real people. In this case, the personas were a renowned cardiothoracic specialist at Boston's Massachusetts General Hospital, a director of the Universal Health Centre within Chatham House's Global Health Programme, and a journalist at Nature Biotechnology.
This thread – to which the target responded – used the subject of organ regeneration as a lure, and resulted in the bogus doctor providing a OneDrive link to a credibly named Word document, which in reality was probably an attempt to deliver infostealing macros via remote template injection.
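Remote template injection works because a Word document can carry a relationship pointing at an external template, which Word fetches and evaluates when the file is opened. As an added illustration that is not part of Computer Weekly's or Proofpoint's reporting, the Python script below shows how a defender can inspect a .docx for that relationship without opening it in Word. The sample documents are built in memory and are constructed for this example; the URL in the suspicious sample is a placeholder, not an indicator from the campaign.

```python
import io
import re
import xml.etree.ElementTree as ET
import zipfile
from typing import Dict, List, Optional

# OOXML namespace and relationship type Word uses for an attached template.
PKG_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE_REL = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Relationships of the settings part, where an attached template is declared.
SETTINGS_RELS = "word/_rels/settings.xml.rels"

# Minimal parts so the constructed sample is a structurally plausible .docx.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/></Types>'
)
DOCUMENT_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    "<w:body><w:p><w:r><w:t>constructed sample</w:t></w:r></w:p></w:body></w:document>"
)
SETTINGS_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
    '<w:attachedTemplate r:id="rId1"/></w:settings>'
)
RELS_TEMPLATE = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    f'<Relationships xmlns="{PKG_NS}">'
    '<Relationship Id="rId1" Type="' + ATTACHED_TEMPLATE_REL + '" Target="{target}"{mode}/>'
    "</Relationships>"
)


def build_sample_docx(template_target: Optional[str], external: bool = False) -> bytes:
    """Construct a minimal .docx in memory (hypothetical fixture for testing the scanner)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", DOCUMENT_XML)
        z.writestr("word/settings.xml", SETTINGS_XML)
        if template_target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr(SETTINGS_RELS, RELS_TEMPLATE.format(target=template_target, mode=mode))
    return buf.getvalue()


def scan_docx(docx_bytes: bytes) -> Dict[str, object]:
    """Report whether the document declares an attached template and any external targets."""
    result: Dict[str, object] = {"has_attached_template": False, "external_targets": []}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return result  # no settings relationships at all: nothing to attach
        root = ET.fromstring(z.read(SETTINGS_RELS))
    external: List[str] = result["external_targets"]  # type: ignore[assignment]
    for rel in root.iter(f"{{{PKG_NS}}}Relationship"):
        if rel.get("Type") != ATTACHED_TEMPLATE_REL:
            continue
        result["has_attached_template"] = True
        target = rel.get("Target", "")
        # Word only fetches remotely when TargetMode is External; a URL or UNC
        # path is flagged too so a malformed-but-suspicious file is not missed.
        if rel.get("TargetMode") == "External" or re.match(r"^(https?:|\\\\)", target, re.I):
            external.append(target)
    return result


if __name__ == "__main__":
    # Placeholder URL: constructed for the example, not an indicator from any campaign.
    suspicious = build_sample_docx("https://template-host.invalid/lure.dotm", external=True)
    print(scan_docx(build_sample_docx(None)))
    print(scan_docx(build_sample_docx("Normal.dotm")))
    print(scan_docx(suspicious))
```

A document that merely references a local template such as Normal.dotm is normal; the finding worth acting on is an attached template whose target is an external URL or UNC path, which is exactly the case the scanner reports in its `external_targets` list.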
A third example of the tactic, also seen in June, saw four TA453 personas contact two targets at the same university, both experts in nuclear arms control, about a potential conflict between the US and Russia over Ukraine.
One target responded, but later ghosted the persona, at which point TA453 sent a follow-up email providing them with a password to access the document and assuring them that it was "safe" to view. When no response came, the original persona was then removed from the thread by another fake – a repeat appearance from TA453's bogus FPRI researcher – and the OneDrive link and password were sent again.
It is very important to note that there is absolutely no indication that any of the real individuals identified by Proofpoint during the research had any link or association with the campaign, or that any of them were ever themselves victims of TA453. For this reason, Computer Weekly has elected to redact their names from this report.
Proofpoint said all APTs constantly iterate their tactics, techniques and procedures (TTPs), bringing some forward and retiring others, and that the use of MPI – which others have used on a limited basis, notably the Russia-linked TA2520, aka Cosmic Lynx – will continue to recur as the group conducts further intelligence-gathering activity for Tehran.
DeGrippo suggested that TA453 has already taken its next step, noting an instance in which it sent a blank email, then replied to that blank email while including many of its "friends" in the CC line. This may be an attempt to bypass email security services.