Sex is, and frankly always was, a weapon of great influence. In the old days of espionage, spy agencies would use seduction to lure a target into giving up sensitive information or into a compromising position for extortion purposes. This activity is generally referred to as a “honey trap” exploit. Historical examples include Mata Hari, a Dutch operative of Germany in World War II with conquests spreading across numerous French and German officials, or Ellen Rometsch, a suspected East German spy at the Quorum Club in Washington, D.C. Lest you think seduction in spy-craft was limited to the ladies, the former head of East German Intelligence, Markus Wolf, used “Romeos” to cozy up to female secretaries of high-ranking officials to extract classified information.
The use of traditional spies to seduce a target bears considerable financial expense, risks the physical safety of the operative, and may result in political embarrassment should the spy be exposed. As such, seductive measures have evolved with the times. Instead of pillow talk to entice a target into divulging company secrets, drugging a drink and then compromising mobile phones or laptops while the target slept was in vogue a few years back. The current trend takes a large virtual step away from physical contact by exploiting everyone’s favorite intimate pastime: social media. Dell SecureWorks Counter Threat Unit (CTU) reported such a plot last month targeting mid-level energy sector employees in the Middle East and North Africa, in particular Saudi Arabia.
Enter Mia Ash, an alluring young London-based student photographer and amateur model. Mia is working on an exercise which requires her to reach out to people around the globe. She instinctively uses her LinkedIn account to initiate these queries and establish contact. Mia and her new acquaintance engage in professional chats that slowly evolve into personal interests like photography and traveling. Over the course of several weeks, Mia extends the relationship through a Facebook friend request, then email, and finally WhatsApp. Mia asks for help completing another assignment by sending a Microsoft Excel document, “Copy of Photography Survey.xlsm”, to her new friend. The document is sent via his personal email address, but Mia explains the survey should be opened while at work so that it functions correctly.
If you haven’t already figured it out, Mia Ash is a fake persona created by an Advanced Persistent Threat assessed by SecureWorks CTU as COBALT GYPSY. The Excel document installs a remote access Trojan called PupyRAT, which creates a backdoor into the company computer network to steal information. The use of a fake social media profile is known as cat-phishing and blends quite effectively with a honey trap exploit. Mia Ash’s social media profile was carefully crafted over the course of a year with routine updates on Facebook and blog posts. Photos were taken from a talented Romanian photographer without her knowledge.
With little financial investment and political risk, the misuse of social media as a cyber weapon is likely to increase. Protecting yourself from such attacks involves careful screening of prospective friend requests. It’s always safer to know someone outside of social media before connecting virtually. Regardless, don’t ever mix business with pleasure. Keep your organization’s inner workings outside of chat and never use company resources to engage in social media for personal reasons. Be especially suspicious of odd requests and never forget the persona on the other end may not be who they claim to be.
So who is the next Mia Ash persona to weaponize Facebook? Open your friend requests and find out.