COBALT GYPSY: Spearphishing Corporate Employees on Social Media


Social media allows users to create and customize digital profiles in order to craft online identities and interactions. For example, LinkedIn job descriptions can help users build credibility and trust with their real-world peers. These fields are publicly facing for the most part, and they are among the first things a recipient checks when a friend request or message arrives. Are they in the same profession? Do I share a common experience or connection? Cybercriminals have caught on to these interactions and, in recent months, have built some of the most well-conceived, convincing social engineering accounts we’ve ever encountered.

Attackers maximize opportunities for engagement by impersonating legitimate users or by fine-tuning profile fields and interactions to lure targets. Once socially engineered, a target’s trust can be leveraged to extract personal information or deliver malicious payloads. From reconnaissance to delivery to exploitation, a new cyber kill chain can be waged end-to-end over social media.

Late last week, researchers at SecureWorks reported a successful social engineering campaign that used fake LinkedIn profiles to spearphish targeted employees. The LinkedIn profiles displayed the name “Mia Ash,” a job description resembling a professional photographer, and an image of a young woman. The attackers, dubbed COBALT GYPSY, used this fake persona as a vector for attack. Mia Ash instructs victims to open a malicious attachment containing a fake survey that would download a remote access trojan and enable full access to the victim’s system.

ZeroFox’s Research team has corroborated these original research findings and identified indicators of compromise (IOCs) found on the Blogger site owned by the Mia Ash alias.

Figure 1: Mia’s Photography Blogger Site

Because the name of the website and the posted pictures match the COBALT GYPSY actor, ZeroFox has HIGH confidence that this is the same, previously reported Blogger site.

Figure 2: Mia Ash Blogger Profile

ZeroFox extracted the following IOCs for incident response teams to check against their infrastructure:

  • [email protected]
  • [email protected]
  • Image files (file name and SHA-256 hash, see table below)

    File name      SHA-256 hash
    ed (4).jpg     84ecd7f69b3f24c1b13c98cb91704cedc49465fd61b6ab3b7f0e6f61100528a1
    et (13).jpg    44475cc9787c653fbc427ca176442741dd9a7cefec403868bf03557e4210916c
    et (138).jpg   7b9106caf4e8bc6c74539763197d8acc8fad76e6bf168bf2e40d3163b3e0123f
    et (139).jpg   0d2e81e97943590c806fec3bfa36be02ef8d167f720bc8a99b40a437e6113b4b
    et (24).jpg    395274d0a63c569100f1593c4d4cc08356c11621e6411115e7b03ae05fb1adec
    et (35).jpg    a261428c6d46c3a0e5899e083be2d6d3213c53c4559e9351e953ef4a2d726023
    et (43).jpg    78b6df38b2b33243a34a3cddcb9806687cec6150c73652a69b06fb53adf3dd70
    et (51).jpg    b723d79b6718584681f4e898b3e5c7fba6f122b57630c175615752947402b513
    et (55).jpg    e5c4736cf6085d3636f81a846dbd839606553ff7ade8b672468d9f07f1bf6ee9
    et (65).jpg    37e7759ab03ad52f145b48c9b51dda7ef235731862a0c93ef0d76c4479a3c465
    et (78).jpg    33b6dffb55f606fbff3b6e6ae70e14fdab7475b4b9cda2ab305509a8afcb1694
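For incident response teams that want to sweep a host for the image hashes listed above, here is an added example of a file-hash IOC check. It is not ZeroFox code and not part of the original post; it assumes the published hashes are SHA-256 (they are 64 hex characters), and it is meant to be pointed at a download directory, browser cache or mailbox attachment store on a host under investigation. The `demo()` function uses a constructed sample file only to show the matching path end to end.

```python
"""Sweep a directory tree for files whose SHA-256 matches the COBALT GYPSY
image hashes published in the post. Added example; assumes the hashes are
SHA-256 and that lowercase hex is the canonical form for comparison."""
import hashlib
import os
import tempfile

# The eleven image hashes from the post, copied verbatim, mapped to the
# file name they were reported under so a hit can be labelled.
COBALT_GYPSY_IMAGE_HASHES = {
    "84ecd7f69b3f24c1b13c98cb91704cedc49465fd61b6ab3b7f0e6f61100528a1": "ed (4).jpg",
    "44475cc9787c653fbc427ca176442741dd9a7cefec403868bf03557e4210916c": "et (13).jpg",
    "7b9106caf4e8bc6c74539763197d8acc8fad76e6bf168bf2e40d3163b3e0123f": "et (138).jpg",
    "0d2e81e97943590c806fec3bfa36be02ef8d167f720bc8a99b40a437e6113b4b": "et (139).jpg",
    "395274d0a63c569100f1593c4d4cc08356c11621e6411115e7b03ae05fb1adec": "et (24).jpg",
    "a261428c6d46c3a0e5899e083be2d6d3213c53c4559e9351e953ef4a2d726023": "et (35).jpg",
    "78b6df38b2b33243a34a3cddcb9806687cec6150c73652a69b06fb53adf3dd70": "et (43).jpg",
    "b723d79b6718584681f4e898b3e5c7fba6f122b57630c175615752947402b513": "et (51).jpg",
    "e5c4736cf6085d3636f81a846dbd839606553ff7ade8b672468d9f07f1bf6ee9": "et (55).jpg",
    "37e7759ab03ad52f145b48c9b51dda7ef235731862a0c93ef0d76c4479a3c465": "et (65).jpg",
    "33b6dffb55f606fbff3b6e6ae70e14fdab7475b4b9cda2ab305509a8afcb1694": "et (78).jpg",
}

HEX_DIGITS = set("0123456789abcdef")


def validate_ioc_set(ioc_hashes):
    """Return True only if every key is a well-formed lowercase SHA-256 hex digest.
    Catches copy/paste damage (truncated or uppercase hashes) before a sweep
    silently misses everything."""
    return all(len(h) == 64 and set(h) <= HEX_DIGITS for h in ioc_hashes)


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large caches do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes=COBALT_GYPSY_IMAGE_HASHES):
    """Walk root and return a list of (path, sha256, ioc_label) for each file
    whose digest appears in ioc_hashes. Symlinks and unreadable files are skipped
    rather than aborting the sweep."""
    lookup = {h.lower(): label for h, label in ioc_hashes.items()}
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue
            if digest in lookup:
                hits.append((path, digest, lookup[digest]))
    return hits


def demo():
    """Self-check with a constructed sample file (not a real artifact).
    Returns (hits against a constructed IOC set, hits against the published set):
    the first should contain exactly the sample, the second should be empty."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as handle:
            handle.write(b"constructed sample content, not a real artifact\n")
        constructed_iocs = {sha256_of_file(sample): "sample.bin (constructed)"}
        hits_constructed = scan_directory(tmp, constructed_iocs)
        hits_published = scan_directory(tmp)
    return hits_constructed, hits_published


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, label in scan_directory(target):
        print(f"HIT {path} sha256={digest} matches {label}")
```

Run it as `python ioc_sweep.py /path/to/cache` to list matching files. Hash matching is exact, so a recompressed or resized copy of an image will not match; treat the hash list as a high-confidence, low-recall indicator and pair it with the email addresses and profile names from the post.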

COBALT GYPSY’s targets on social media had job titles indicating privileged access within their organizations, such as technical support engineer, software developer, and systems support; they also belonged to highly profitable industries such as telecommunications, government, defense, oil and financial services. Such corporate breaches through social media are common and costly: around 20% of employees receive malware through social media, and organizations spend $3 to $6 million to remediate residual damaging effects once breached. Cisco now reports that Facebook is the most commonly used platform to distribute malware.

While this isn’t the first time that COBALT GYPSY has weaponized LinkedIn, this attack highlights a trend of the aggressive use of social media by nation state actors. Earlier this year, Russian operatives used social media to spearphish United States Department of Defense employees using over 10,000 malware-laced messages designed to control victims’ devices, and Hamas used fake social media profiles to persuade Israeli military members into downloading a malicious app that harvested sensitive military intel.

These examples collectively illustrate that targeted, social media-based attacks are extremely effective and on the rise. In contrast to last generation’s email-based attacks, social media provides public access to massive, searchable lists of targets and recipients, exists outside traditional perimeter and endpoint security defenses, and is culturally ingrained, meaning blocking employee access is often unviable. We recommend taking the following steps to avoid being targeted and victimized on social media:

  • Limit your interactions on LinkedIn to users who you’re sure you can trust. Make sure that you’ve either met them in person or that you have mutual connections and their profile seems credible. Don’t interact with profiles if they don’t know you or are contacting you for suspicious reasons.
  • Avoid clicking on links or downloading file attachments sent to you through social media, especially if the links seem suspicious or if the users seem unfamiliar. When in doubt, pass the link or attachment in question to an open source malware detector.

Prior to this blogpost, ZeroFox released a new FoxThreat rule in the ZeroFox Platform to protect our customers from all COBALT GYPSY IOCs in real time. The rule immediately triggers an alert when any post or profile with suspected ties to COBALT GYPSY engages with a protected entity on social and digital platforms.

ZeroFox Research is committed to uncovering malicious campaigns that weaponize social media and other digital channels, and to protecting against subsequent adversarial drift. Our goal is to raise security awareness and to share intelligence around new risks that businesses, their employees and their customers can expect to combat as the adversary continues to evolve. To learn more about protecting social media accounts — brand, executive, employees or otherwise — for only $20/month, talk to a security expert at ZeroFox now.
