A new security one – sock puppets. No, not felt handhelds… instead, hackers set up elaborate phishing techniques where they use multiple personas and email accounts to lure targets into thinking it’s a realistic email conversation. Named ‘multi-persona impersonation’ (MPI) by researchers at Proofpoint who noticed it for the first time, the technique leverages the psychology principle of “social proof” to obscure logical thinking and add an element of trustworthiness to the phishing threads.
The new tactic requires far more effort from their side to carry out the phishing attacks, as each target needs to be entrapped in an elaborate realistic conversation held by fake personas or sock puppets. However, the extra effort pays off, as it creates a realistic-looking exchange of emails, which makes the conversation look legitimate.
Why do we care?
It’s the sophistication. Multiple levels of spoofing here and creating a series of fictional people to convince the target of the legitimacy of the attackers. Examples like this make me question the chorus of ‘education’ as the answer for protecting against social engineering attacks. I’ll offer my premise — maybe we, as a society, should only use systems with high levels of identity verification for transactions. Email was never built to identify identity, yet we continue to leverage it. In the previous story, the entire blockchain changed its underlying tech… yet we’re unwilling to do so for email? Someone tell me why.