Iranian Hackers Used a FAKE Female Profile To Lure Targets
Iranian hackers have been blamed for impersonating a young photographer to befriend professionals at targeted companies on social media. And what was their purpose in this endeavor? Coaxing those targets into opening a malware-laced file that would hand the Iranian government's hackers remote access to their computers and, through them, their employers' networks.
Researchers at Dell SecureWorks explained, “The online persona—an attractive woman in her 30s who became known as Mia Ash—was active on sites including LinkedIn, Facebook Inc, WhatsApp and Blogger since at least April of last year.”
The hacker, posing as the attractive Ash, contacted professionals and struck up lengthy conversations with them, only to infect their systems with a remote access trojan once trust had been built. The marks were not chosen at random: they were system administrators at oil and gas companies, software developers at IT firms, and aerospace scientists, people whose credentials and network access are exactly what an espionage crew wants. Trapped by misplaced desire, they handed over the keys to their employers' systems.
The hackers worked closely with Tehran’s central government against their geopolitical enemies, as reported last Thursday.
In intelligence circles, this plot is known as a "honey trap," a surveillance snare that trades on temptation, and in this case seduction. (Security engineers usually reserve the word "honeypot" for a decoy system set out to attract attackers, so the term is borrowed loosely here.) It is used by canny cybercriminals and state actors alike on unsuspecting, hot-under-the-collar marks.
Dell SecureWorks found that the "photography survey" Mia Ash emailed to a target was a macro-enabled spreadsheet whose macros installed PupyRAT, the same malware the Iranian hacking group Cobalt Gypsy had been sending in earlier campaigns. PupyRAT is an open-source, cross-platform remote access tool; once it is running, the operators have complete control of the victim's computer.
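The lure worked because Office files with macros look like any other attachment to a recipient. They do not have to look that way to a mail gateway or an analyst, though: OOXML documents (.docx, .xlsx, .docm, .xlsm and friends) are zip archives, and VBA code always lives in a member named vbaProject.bin. The following triage script is an added example, not code from SecureWorks, Reuters or the Mia Ash operators; the sample "Photography Survey.xlsm" it builds in memory is a constructed stand-in for the real attachment, and the filename is taken from the article's description rather than the actual lure.

```python
"""Triage an Office (OOXML) attachment for embedded VBA macros.

Added example: OOXML files are zip archives, and VBA code is stored in a
member called vbaProject.bin, so macro-bearing attachments can be flagged
without ever opening them in Excel or Word. The sample files built here are
constructed stand-ins, not the real Mia Ash "photography survey".
"""
import io
import zipfile

VBA_MEMBER = "vbaproject.bin"                     # compared case-insensitively
MACRO_FREE_EXT = {".docx", ".xlsx", ".pptx"}      # extensions Office won't run macros from
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}


def list_members(data: bytes) -> list[str]:
    """Return the member names of an OOXML zip, or [] if the bytes are not a zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def has_vba_project(data: bytes) -> bool:
    """True if any zip member is a vbaProject.bin (the container for VBA code)."""
    return any(name.lower().endswith(VBA_MEMBER) for name in list_members(data))


def triage(filename: str, data: bytes) -> str:
    """Classify an attachment by extension versus what the archive actually holds.

    A vbaProject.bin inside a file that claims a macro-free extension is the
    most suspicious case: the sender is hiding what the file is.
    """
    ext = "." + filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if not list_members(data):
        return "not-ooxml"
    macro = has_vba_project(data)
    if macro and ext in MACRO_FREE_EXT:
        return "suspicious: macros in non-macro extension"
    if macro:
        return "macro-enabled"
    return "no-macros"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal workbook; real files carry many more members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_macro:
            # OLE compound-file magic followed by filler; real vbaProject.bin
            # is an OLE container holding the compressed VBA streams.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Photography Survey.xlsm", build_sample(True)),   # the lure as described
        ("report.xlsx", build_sample(False)),              # ordinary spreadsheet
        ("report.xlsx", build_sample(True)),               # macros hidden behind .xlsx
        ("notes.xlsm", b"not a zip at all"),
    ]
    for name, blob in samples:
        print(f"{name:28s} -> {triage(name, blob)}")
```

This only answers "does the file carry VBA at all", which is the cheap gateway-level check; it says nothing about what the macro does. For that, a standard next step is running the attachment through olevba from the oletools project, which extracts and de-obfuscates the VBA source, or detonating it in a sandbox. Note also that a gateway should bound the size of what it unzips, since a hostile archive can expand far beyond its on-disk size.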
Allison Wikoff, a senior security researcher at Dell SecureWorks who tracked the fabricated femme fatale's activity, said, "Mia Ash's victims failed to notice that none of her profiles included a way to contact her for photography services." Wikoff further said that "these guys aren't hiring her for photography, their main thing is, 'Wow, she's young, she's cute, she likes to travel, she's whimsical.'" Embarrassing.
LinkedIn removed the Mia Ash profile before Dell SecureWorks finished its research, Wikoff said.
Facebook, where Mia Ash listed her relationship status as "it's complicated," took down the profile last week after being contacted by Dell SecureWorks.
Goodbye Mia Ash. The Iranian malware is another matter: deleting a profile remediates no infected host, and a fresh persona costs the operators little more than a new set of stolen photographs.