COBALT GYPSY: Spearphishing Corporate Employees on Social Media

Social media allows users to create and customize digital profiles in order to craft online identities and interactions. For example, LinkedIn job descriptions can help users build credibility and trust with their real-world peers. These fields are publicly-facing for the most part, and serve as one of the first things validated upon receipt of a friend request or incoming message. Are they in the same profession? Do I share a common experience or connection? Cybercriminals have caught on to these interactions, and in recent months, have built some of the most well-conceived, convincing social engineering accounts we’ve ever encountered.

Attackers maximize opportunities for engagement by impersonating legitimate users or by fine-tuning profile fields and interactions to lure targets. Once socially engineered, a target’s trust can be leveraged to extract personal information or deliver malicious payloads. From reconnaissance to delivery to exploitation, a new cyber kill chain can be waged end-to-end over social media.

Late last week, researchers at SecureWorks reported a successful social engineering campaign that used fake LinkedIn profiles to spearphish targeted employees. The LinkedIn profiles displayed the name “Mia Ash,” a job description resembling a professional photographer, and an image of a young woman. The attackers, dubbed COBALT GYPSY, used this fake persona as a vector for attack. Mia Ash instructs victims to open a malicious attachment containing a fake survey that would download a remote access trojan and enable full access to the victim’s system.

ZeroFox’s Research team has corroborated these original research findings and identified indicators of compromise (IOCs) found on the Blogger site owned by the Mia Ash alias.

Figure 1: Mia’s Photography Blogger Site

Because the name of the website and the posted pictures matches the COBALT GYPSY actor, ZeroFox has HIGH confidence this is the same, previously reported blogger site.

Figure 2: Mia Ash Blogger Profile

ZeroFox extracted the following IOCs for incident response teams to check against their infrastructure:

• http://miaashphotography.blogspot.com/
• https://www.blogger.com/profile/16595924803332568052
• [email protected]
• [email protected]
• miaashphotography.blogspot.com/
• Images downloaded from miaashphotography.blogspot.com/ (see table below)

COBALT GYPSY’s targets on social media had job titles indicating privileged access within their organizations, such as technical support engineer, software developer, and systems support; they also belonged to highly profitable industries such as telecommunications, government, defense, oil and financial services. Such corporate breaches through social media are common and costly: around 20% of employees receive malware through social media, and organizations spend $3 to $6 million to remediate residual damaging effects once breached. Cisco now reports that Facebook is the most commonly used platform to distribute malware.

While this isn’t the first time that COBALT GYPSY has weaponized LinkedIn, this attack highlights a trend of the aggressive use of social media by nation state actors. Earlier this year, Russian operatives used social media to spearphish United States Department of Defense employees using over 10,000 malware-laced messages designed to control victims’ devices, and Hamas used fake social media profiles to persuade Israeli military members into downloading a malicious app that harvested sensitive military intel.

These examples collectively illustrate that targeted, social media-based attacks are extremely effective and on the rise. In contrast to last generation’s email-based attacks, social media provides public access to massive, searchable lists of targets and recipients, exists outside traditional perimeter and endpoint security defenses, and is culturally ingrained, meaning blocking employee access is often unviable. We recommend taking the following steps to avoid being targeted and victimized on social media:

• Limit your interactions on LinkedIn to users who you’re sure you can trust. Make sure that you’ve either met them in person or that you have mutual connections and their profile seems credible. Don’t interact with profiles if they don’t know you or are contacting you for suspicious reasons.
• Avoid clicking on links or downloading file attachments sent to you through social media, especially if the links seem suspicious or if the users seem unfamiliar. When in doubt, pass the link or attachment in question to an open source malware detector.

Prior to this blogpost, ZeroFox released a new FoxThreat rule in the ZeroFox Platform to protect our customers from all COBALT GYPSY IOCs in real time. The rule immediately triggers an alert when any post or profile with suspected ties to COBALT GYPSY engages with a protected entity on social and digital platforms.

ZeroFox Research is committed to uncovering malicious campaigns that weaponize social media and other digital channels, and to protecting against subsequent adversarial drift. Our goal is to raise security awareness and to share intelligence around new risks that businesses, their employees and their customers can expect to combat as the adversary continues to evolve. To learn more about protecting social media accounts — brand, executive, employees or otherwise — for only $20/month, talk to a security expert at ZeroFox now.