Threat Awareness – BEC and VEC and MPI (Multi-Persona Impersonation), Oh My!

Created: Thursday, September 15, 2022 - 14:28
Categories:
Cybersecurity

Business email compromise (BEC) and vendor email compromise (VEC) are accurately and often discussed as impersonation-style cyber attacks in which threat actors purport to be someone with whom we have an existing trust relationship. The intent of this ruse is to give phishing ploys a level of credibility that increases the chance of success. Some impersonation-style attacks are little more than amateurs attempting to spoof a trusted sender. However, many sophisticated threat actors compromise and take over the email accounts of privileged users and leverage existing communications to trick unsuspecting employees into actions such as sending a large invoice payment to a bank account controlled by the attacker or entering credentials into a harvesting page. This technique has been used for years and is successful across countless targets every day. Despite its success, threat actors continue investing resources to “improve” its effectiveness.

One of the more notorious groups to make continuous improvements and use this technique in sophisticated phishing campaigns is the Iranian-aligned threat group known as TA453 (a.k.a. Charming Kitten, PHOSPHORUS, etc.). Most recently, in mid-2022, Proofpoint observed a social engineering impersonation technique it is informally calling Multi-Persona Impersonation (MPI), in which the threat actor uses at least two actor-controlled personas on a single email thread to convince targets of the legitimacy of the campaign. This behavior highlights the threat actors’ dedication to, and innovation in, impersonation-style attacks, as MPI requires more resources to be expended per target.

While TA453 (and associated threat activity groups) is most notable for targeting organizations with interests in Western foreign policy and Middle Eastern government, cyber threat groups and actors often borrow techniques from one another, and this technique is likely to be observed in campaigns targeting any type of organization. Members are encouraged to make users aware of this new technique through regular awareness efforts and reminders to remain vigilant with email! Visit Proofpoint or BleepingComputer for more.