Social media accounts are a primary target for cybercriminals, who impersonate high-profile accounts to carry out malicious activities. Recently, Facebook disrupted several fake accounts operated by an Iranian threat actor group targeting military personnel.
According to Facebook’s threat intelligence analysts, the cybercriminal group, dubbed Tortoiseshell, created bogus online identities to connect with individuals working at defense and aerospace organizations across the U.S., the U.K., and Europe. After building trust, the attackers sent malicious URLs and tricked the targets into clicking them, infecting their devices with information-stealing spyware.
As per reports, Tortoiseshell’s malware was developed by Mahak Rayan Afraz (MRA), an IT firm in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC).
The social media giant claimed that the group created several fictitious profiles on multiple social media platforms, impersonating employees or recruiters from aerospace and defense enterprises. They even spoofed the legitimate U.S. Department of Labor job portal to lure the victims.
The attackers took persistent operational security measures to hide their cyberespionage campaign. In addition to leveraging email, messaging, and websites, they used various tactics, techniques, and procedures (TTPs), including social engineering, phishing, and credential theft, to deploy malware.
“This group created a set of tailored domains designed to attract particular targets within the aerospace and defense industries. Among them were fake recruiting websites for particular defense companies. These domains appeared to have been used for stealing login credentials to the victims’ online accounts. They also appeared to be used to profile their targets’ digital systems to obtain information about people’s devices, networks they connected to and the software they installed to ultimately deliver target-tailored malware,” Facebook said.
The attackers leveraged advanced malware tools, continued to update their malware, Syskit, and distributed the malicious links via Microsoft Excel spreadsheets.
The suspension of the fake Facebook accounts comes days after cybercriminals targeted Facebook users with malicious URLs, spamming them with copyright complaint notifications. Claiming to be from the Facebook security team, the attackers sent warning notices to users citing policy violations and re-verification requirements.