A ROSE is a Rose…Or, a Fresh Way to Launch Phishing Attacks
BY SHAWNA McLEARNEY
The next generation of phishing attacks is very complex, involving a number of fake personas across a range of social media platforms to entice your employees to circumvent your organization’s security. Are you ready?
Increasing awareness of social engineering and phishing attacks has limited their effectiveness as easy attack vectors. In response, attackers have upped the ante. The method, dubbed ROSE (remote online social engineering), was discovered by Matt Wixey, a cybersecurity research lead at PwC U.K. It uses progressively more sophisticated and longer-term efforts, including self-referencing synthetic networks, multiple credible false personas and highly targeted and detailed reconnaissance.
“This approach is a variant of catfishing (phishing via long-term, customized and highly interactive false personae focused on business-related platforms and targets) and is performed with the specific aim of compromising an organization’s network,” says Wixey. “By building rapport with targeted victims, attackers are able to elicit sensitive information, gather material for extortion and persuade users to take action leading to compromises.”
Wixey says ROSE attacks take place over several months, even years, and typically involve a relatively long period of establishing contact and trust through one or more very realistic and highly targeted social media profiles before eventually attempting to achieve some sort of compromise.
While it may appear to be too much effort for the payoff, Wixey says there are documented recent attacks.
Finding a ROSE in the wild
One such campaign was perpetrated last year against several targets in the Middle East. Dell SecureWorks reported that the attack began with a phishing campaign that used various-themed emails containing shortened URLs linked to a macro-enabled Word document. The macro attempted to download PupyRAT, a research and penetration testing tool that allows full access to the victim’s system.
As part of the greater ploy, a purported London-based photographer named “Mia Ash” used LinkedIn to contact an employee at one of the targeted organizations. As chronicled in SecureWorks’ The Curious Case of Mia Ash: Fake Persona Lures Middle Eastern Targets, social media conversations were exchanged, talking about professions, hobbies and travels. Ultimately, “‘Mia’ sent a Microsoft Excel document, ‘Copy of Photography Survey.xlsm,’ to the employee’s personal email account and encouraged the victim to open the email at work using his corporate email account so the survey would function properly,” the web article reports. “The survey contained macros that, once enabled, downloaded PupyRAT.”
SecureWorks also says a group called Cobalt Gypsy orchestrated the attack and has “repeatedly used social media, particularly LinkedIn, to identify and interact with employees at targeted organizations, and then used weaponized Excel documents to deliver remote access trojans (RAT) such as PupyRAT.”
SecureWorks says its “researchers have observed multiple Cobalt Gypsy campaigns since 2015 and considers it highly likely that the group is associated with Iranian government-directed cyber operations. This threat group has launched espionage campaigns against organizations that are of strategic, political or economic importance to Iranian interests.”
Building awareness is the best defense
Many employees will be aware of phishing attacks and perhaps even some of the common methods used in such attacks, says PwC’s Wixey. “But dedicated, long-term social engineering attacks like ROSE are rarer and often more sophisticated, meaning they can be more difficult to detect—so making staff aware that threat actors are using these techniques is a really important first step.”
Wixey suggests teaching employees to:
- Be aware that new social media connections can pose a threat
- Think about new connections and consider their motives in connecting with you
- Examine their profiles—are there inconsistencies or anything that makes you suspicious?
- Consider a marked interest in your job, company or personal life to be an early warning sign
- Share your concerns. Make colleagues aware and ensure that you report the contact to the appropriate people/department at your organization.
“While ROSE attacks are time-consuming, they’re not necessarily difficult—especially not in a technical sense—to implement,” says Wixey. “Ultimately, as with any threat actor, it will depend on the circumstances and their acceptable cost-benefit ratio. Certainly, a threat actor might find it worthwhile to invest considerable time in executing a ROSE attack if it means they were able to compromise a particularly attractive target.”
SHAWNA McALEARNEY is a regular contributor to INSIGHTS and INFOSECURITY PROFESSIONAL MAGAZINE.