TA453, an Iranian-based threat group, is spotted using a new and elaborate phishing technique dubbed ‘multi-persona impersonation’ (MPI). In this technique, the hackers use different personas and email accounts that seem to communicate realistically on email to trick victims into believing their legitimacy.
The TA453 gang is reportedly working for the IRGC (Islamic Revolutionary Guard Corps), which has previously been detected imitating journalists to victimise policy experts, scholars, and other critical entities in the Middle East.
The fake email conversation involves hackers sending an email to their target, with another email address included in the CC also responding to the thread to make it look like a legitimate interaction.
According to experts, the MPI phishing technique leverages the “social proof” psychology principle, incorporating a false element of trust for the victims through fake conversations during a phishing attempt.
This new phishing technique requires extra effort for the threat actors since they need to enact a fake conversation using multiple fake personas, imposing an element of trust toward the target as they try to phish on their information.
As observed by the analysts, this extra effort somehow results in favour of the hackers because the victims would believe that the interaction is real and secure.
For instance, in June 2022, cybersecurity researchers found a phishing incident involving a TA453 hacker impersonating a Director of Research at FRPI while a purported Director of Global Attitudes Research at the PEW Research Center was included in the email’s CC sent to the target.
The CC-ed hacker sometimes takes time before responding to the email to make it seem like the other persona is an important individual. The actors would also attach malware-infected files in the replies to attract the victim’s interest in downloading.
Once the victim downloads the file, it will run three macros that will collect the victim’s sensitive information, such as their public IP address, username, and more, and will use a Telegram API to exfiltrate them.
Further details during the attack are still unknown to researchers, including the reconnaissance information beaconing stage. However, they believe that more exploitations transpire during the process, allowing the remote hackers to deploy code execution on the victim’s systems.
