Hackers are improving phishing attacks by having you chat with 'sock puppets'

Man talking on phone and to his sock puppet — (Image credit: Getty Images - Brand X Pictures)

Hackers are launching more sophisticated phishing attacks. This time it's not just posing as your IT guy sending you suspicious links through email. This new scam involves using fake 'sock puppet' email accounts to trick you into thinking you are part of conservation among colleagues.

Researchers at Proofpoint (via Bleeping Computer) call the technique "multi-persona impersonation," or MPI. The technique involves looping the target into a fake email exchange between multiple scammer personas in an attempt to convince them that it's a legitimate conversation. Once trust is gained, sometimes after engaging in "benign conversations with targets for weeks," according to Proofpoint, the hackers deliver a malicious link.

The email exchange will be related to the target's industry or field of research so that being included in the chain won't necessarily seem out of the ordinary.

The group responsible is designated TA453, which Proofpoint believes works for Iran's Islamic Revolutionary Guard Corps. The group's tactics have evolved over time. Previously, TA453 attackers would pose as individual journalists or researchers covering Middle East policies, targeting "academics, policymakers, diplomats, journalists, and human rights workers," says Proofpoint. They'd try to engage the targets in one-on-one conversations but started using this group email sock puppet strategy earlier this year.

Steam in your hands

Steam Deck with an image from Elden Ring overlayed on the screen — (Image credit: Future, FromSoftware)

Steam Deck review: Our verdict on Valve's handheld PC.
Steam Deck availability: How to get one.
Steam Deck battery life: What's the real battery life of the new device?
How loud is the Steam Deck? And will it pass the Significant Other test?
Steam Deck - The emulation dream machine: Using Valve's handheld hardware as the ultimate emulator.

One example shows an email sent to two actual US/Russia relations experts from a "Carrol" and three more personas with email accounts run by the hackers. Others include pitches for research collaboration from the "director of research" of a university. In each case, the sock puppet accounts would reply to each other in an effort to lend the conversation legitimacy.

The initial emails and fake responses usually don't have any links, says Proofpoint. It's generally around the fourth or fifth message where a link gets shared, then a follow-up message asking the target to read the file coming days later.

Sometimes it's a Zoom call link, a password-protected 'research' file, or a straightforward article link. The link is loaded with malware that scrapes your PC for personal information and sends those details back to the attackers.

The tactic capitalizes on the victim's FOMO, as Proofpoint puts it. The researchers point to a study that showed that people tend to "copy the actions of others," according to a description of the "social proof" principle in Psychology Today.

These hackers seem to have a specific group of targets in mind, so unless you're a Middle East or US-Russia policy expert, you're probably in the clear. Be cautious anyway, though: Scammers will use whatever blueprints work, so this one could spread. Another recently spotted new phishing technique uses a fake pop-up window to convincingly simulate a Steam login form.

Jorge is a hardware writer from the enchanted lands of New Jersey. When he's not filling the office with the smell of Pop-Tarts, he's reviewing all sorts of gaming hardware, from laptops with the latest mobile GPUs to gaming chairs with built-in back massagers. He's been covering games and tech for over ten years and has written for Dualshockers, WCCFtech, Tom's Guide, and a bunch of other places on the world wide web.