Multi-persona impersonation adds new dimension to phishing

TA453, an Iran-aligned advanced persistent threat (APT) group, is going to increasingly complex lengths to compromise its targets, adopting a technique informally known as multi-persona impersonation (MPI) in the social engineering playbook that is used to convince targets to open their tainted emails.

That is according to researchers at Proofpoint, who have coined the term MPI as an impersonation tactic in their Email Fraud Taxonomy Framework. The technique is simply summarised as the use of more than one actor-controlled personas on a single email thread to better convince targets of the message.

The technique represents the use of a psychological principle known as social proof or informational social influence  – defined by Wikipedia as a phenomenon whereby people copy the actions of others to attempt to behave appropriately in a situation that may seem ambiguous, or in which they are unsure.

Social proof as a concept is widely used by sales and marketing professionals, but although the phenomenon was first identified nearly 40 years ago by US psychologist Robert Cialdini as one of “Seven principles of influence”, its use in an effective phishing campaign is highly intriguing, as Sherrod DeGrippo, Proofpoint vice-president of research and detection, explained.

“MPI requires more resources to be used per target – potentially burning more personas – and a coordinated approach among the various personalities in use by TA453,” she said.

“Researchers involved in international security, particularly those specialising in Middle Eastern studies or nuclear security, should maintain a heightened sense of awareness when receiving unsolicited emails. For example, experts that are approached by journalists should check the publication’s website to see if the email address belongs to a legitimate reporter.”

DeGrippo added: “State-aligned threat actors are some of the best at crafting well-thought-out social engineering campaigns to reach their intended victims.”

In the case of TA453, which is tracked by others as Charming Kitten, Phosphorus and APT42, MPI is proving highly effective against its targets, which, as noted, tend to be organisations of interest to Iran’s intelligence services.

In a typical campaign, TA453 masquerades as an individual working to collaborate with its target, initially through a benign conversation that eventually leads to the dropping of malicious links, leading to credential harvesting.

It changed this up in mid-2022, when it was observed impersonating an existing researcher at the Foreign Policy Research Institute (FRPI) think-tank with an email that asked its target a number of questions on policy regarding Israel and the US-brokered Abraham Accords. However, whereas previously this would have appeared to the victim as a one-on-one conversation, it referred to, and included in the email’s CC line, the name of a PEW Research Center analyst.

The second persona then responded to the email a day later, which was likely an attempt to establish in the target’s mind that the first email had been legitimate, and to solicit a response. However, Proofpoint observed no malicious documents or links being dropped via this email.

In a second email observed in June 2022, TA453 attempted to compromise a target specialising in genome research by impersonating three people, again all of whom exist in reality. In this case, they used a renowned cardiothoracic specialist working at Boston’s Massachusetts General Hospital, a director at the Centre for Universal Health at Chatham House’s Global Health Programme, and a journalist at Nature Biotechnology.  

This thread – to which the target did respond – used the topic of organ regeneration as a lure, and resulted in the fake doctor delivering a OneDrive link containing a convincingly named Word document, which in reality was most likely an attempt to deliver infostealing macros via remote template injection.

A third example of the technique seen in June saw two targets at the same university, specialising in nuclear arms limitation, contacted by four TA453 personas with regard to a potential clash between the US and Russia over Ukraine.

One target did respond, but subsequently ghosted the original persona, at which point TA453 sent a follow-up email to provide them with a password to access the document and let them know it was “safe” to view. On receiving no response, the original persona was then removed from the thread by one of the other fakes – a repeat appearance from TA453’s fake FRPI researcher – and the OneDrive link and password were sent again.

It is extremely important to note that there is absolutely no indication that any of the real individuals identified by Proofpoint in the course of its research have any link to or association with the campaign, nor is there any evidence that any of them were ever themselves victimised by TA453. For this reason, Computer Weekly has elected to redact their names from this report.

Proofpoint said all ATPs are constantly iterating their tactics, techniques and procedures (TTPs), bringing some to the fore and deprecating others, and its use of MPI – which has been used by others on a limited basis, most notably Russia-linked TA2520, aka Cosmic Lynx – would continue to be iterated as the group conducts further intelligence-gathering activities for Tehran.

DeGrippo suggested that TA453 may already have taken its next step, noting an instance in which it attempted to send a blank email, then responded to the blank email while including its many “friends” in the CC line. This could be an attempt to bypass email security services.