Alluring social media profiles of a fake photographer are attracting and tricking employees in North African and Middle Eastern industries like oil and gas, government, telecommunications, defense, and financial services.
The spearphishing and social engineering attacks use a carefully constructed profile of one “Mia Ash” to deliver PupyRAT, a remote access trojan (RAT).
According to a report by the Dell Secureworks Counter Threat Unit (CTU), researchers observed the campaign beginning in January and February 2017. The attacks used multiple social media sites, including Facebook and LinkedIn, as well as email, and were highly successful. Many of the attacks lasted months, continuing long after the employees were compromised, with the victims engaged in online flirtation with a woman they believed was an attractive photographer.
According to Secureworks:
“CTU researchers assess that COBALT GYPSY (formerly known as TG-2889), a threat group associated with Iranian government-directed cyber operations, is likely responsible for these campaigns and the Mia Ash persona. COBALT GYPSY has used spearphishing to target telecommunications, government, defense, oil, and financial services organizations based in or affiliated with the MENA region, identifying individual victims through social media sites.”