Who are you?
These days it depends on a number of factors, all of which a criminal can easily spoof. Where you are matters, both in terms of your geographic location and the kinds of personal information you place online.
Ten years ago, many consumers would have shuddered at the idea of putting personal and career information where anyone could see it, much less preferences and opinions. Now it’s commonplace.
The Internet being what it is – a decentralized network of networks – we take it largely on faith that the personas we choose to interact with online are mostly real people expressing themselves, by and large, honestly.
“By and large” doesn’t mean always. Cyber criminals have long understood the opportunity afforded by our hyper-networked world. Manipulating online personas with malicious intent is an art for them.
Two cases have recently come to light that demonstrate just how disruptive and damaging this specific kind of online fraud can be.
Had you looked up Mia Ash in 2015 or 2016, you would have found an attractive London-based photographer with two art degrees and a disproportionate number of Middle Eastern men among her several hundred Facebook friends and LinkedIn connections.
In reality, Mia Ash was a fictional character carefully built over a two-year period by an Iran-based hacker ring, known as “Cobalt Gypsy,” says Allison Wikoff, senior researcher and intelligence analyst for Dell SecureWorks Counter Threat Unit.
During the same time span as Mia Ash’s internet presence, Cobalt Gypsy targeted dozens of Middle Eastern and North African telecom, government, defense, oil and financial services organizations.
How it worked: The simulacrum sylph known as Mia Ash was constructed using images grabbed from the Instagram account of a Romanian woman, a real person. This was actually phase two of a multi-stage assault on these corporate targets, Wikoff says.
The long con
First, the hackers tried to get specific employees to click on a corrupted Word document that arrived in a legitimate-sounding email. The attackers were fully aware that classic spear phishing ruses, even well-crafted ones, aren’t as effective as they once were. So if, or more often when, that tactic failed, Mia was deployed.
Using background gleaned from LinkedIn, Mia would approach a male employee on Facebook and “friend” him. She played coy, listing her relationship status as “complicated.” Her goal: to establish contact, then move the conversation to WhatsApp and ultimately to email.
This demonstrates the lengths to which determined threat actors will go to leverage the intrinsic trust we tend to blindly place in LinkedIn, Facebook and other social media services.
Crane Hassold, a threat intelligence expert at PhishLabs, observes: “This implied trust can make social media phishing attacks more successful, particularly when coupled with a sophisticated actor using a ‘long con’ strategy of building a relationship with a victim before exploiting them.”
Mia would spend weeks ego-stroking a targeted employee.
“We saw them demonstrate a high degree of creativity and persistence,” Wikoff says. Finally, Mia would ask the target to respond to a photography survey, sent as an email attachment. Opening the survey actually installed a remote access Trojan, or RAT, on the victim’s machine.
Another digital nightmare
Jeremy and Sara Thompson and their two sons found out the hard way that another type of persona fraud can be devastating.
The Thompsons came forward with details of their digital nightmare and asked journalist Bob Sullivan to write about it so that other families might be spared the agony they endured.
The seeds were innocently sown a few years earlier when one of their sons became a finalist in a modeling contest for a national-brand clothing company. A stranger messaged the family at the time, saying he hoped the boy would win.
The Thompsons didn’t think that was appropriate, and blocked him, thinking nothing more of it.
Then last May a local sheriff’s deputy showed up on their doorstep, relaying an FBI accusation that their 17-year-old son was sexually abusing his 11-year-old brother, based on pornographic content found online.
It took determined sleuthing by Jeremy Thompson to flush out the truth. An alleged pedophile arrested by the FBI had been stalking the Thompsons online since the modeling contest, collecting family photos posted on social media. He appears to have used the Thompsons’ photos to manufacture a Facebook page using images of the older son that made him appear to be homosexual, hoping to engage the young man online.
There were more faked Facebook pages comprising an alternate universe, with online comments and reviews and references to email and videos, as well as an imposter purporting to be their son conversing with the alleged pedophile.
“This is the kind of crime that could only happen online,” Sullivan says. “The toxic mix of twisted minds, anonymity and social media can turn the innocent act of sharing a happy family moment into a knock on the door from the sheriff’s department.”
The Thompsons have since locked down every piece of their digital lives. A few of the companies targeted by Cobalt Gypsy have begun to expand social engineering training to include employees’ personal networks.
That’s the world we live in, friends. Social media is a two-edged sword.