"Hackers Now Use 'Sock Puppets' for More Realistic Phishing Attacks"

An Iranian-aligned hacking group is using a new phishing technique involving multiple personas and email accounts to trick targets into thinking an email conversation is genuine. The attackers send an email to the targets while CCing another email address under their control, and then respond from that email, thus engaging in a fake conversation. The technique, dubbed Multi-Persona Impersonation (MPI) by Proofpoint researchers, uses the psychology principle of "social proof" to obscure logical thinking and add an element of trustworthiness to the phishing threads. TA453 is an Iranian threat group that has previously been seen impersonating journalists in order to target academics and policy experts in the Middle East. To carry out the phishing attacks, TA453's new tactic requires far more effort from their side, as each target must be entrapped in an elaborate realistic conversation held by fake personas, or sock puppets. However, the extra effort pays off because it results in a realistic-looking email exchange, making the conversation appear legitimate. Proofpoint's report includes an example from June 2022, with the sender posing as the Director of Research at FRPI and the email sent to the target and CCing a Director of Global Attitudes Research at the PEW Research Center. The malicious documents distributed through TA453's recent campaign tricked targets into downloading via OneDrive links are password-protected files that perform template injection. This article continues to discuss the MPI phishing attacks launched by TA453.

Bleeping Computer reports "Hackers Now Use 'Sock Puppets' for More Realistic Phishing Attacks"