Hackers pose as 'attractive women' and send Syrian rebels selfies to steal battlefield plans

Photos sent contain malware that give hackers access to computers

Click to follow

Hackers have been targeting Syrian opposition fighters by posing as women to steal valuable personal information and gain a battlefield advantage, a US security firm has claimed.

Fire Eye followed the activity of hackers targeting men fighting against the Syrian President Bashar al-Assad’s forces, media activists, humanitarian aid workers, defectors and others between November 2013 and January 2014.

It found that hackers would use female Skype avatars to chat with targeted individuals and infect their computers or devices with malware.

This ‘honey trap’ would involve hackers posing as pro-opposition women who would ask questions about their birthdate, or what device they were using in order to send "tailored" viruses.

Hacking victims were mainly located in Turkey, Ukraine and Jordan.  The cybersecurity firm was unable to pinpoint the location of the hackers, although it did note that their servers were located outside of Syria.

Details on military hardware and positions of fighting groups, names of fighters, political strategy discussions, humanitarian needs assessments, information about rights abuses were included among stolen data. 

An example of a conversation between a fake profile and a target

The hackers employed a familiar tactic, according to Fire Eye: "Ensnaring its victims through conversations with seemingly sympathetic and attractive women".

The company said the avatar would request a photo of the target via Skype and send a photo of a woman in return. When they opened the photo, which was loaded with malware, it ultimately installed DarkComet RAT software, a customised keylogger, in the background. The computer would then be under the hacker’s control from this point on.

The Skype avatars would also have a corresponding Facebook profile filled with pro-opposition content and posts with malicious links.

“The threat group primarily compromised its victims using female avatars to strike up conversations on Skype and connect on Facebook. They also used a fake, pro-opposition website seeded with malicious content,” the report said.

The report found hackers would sometimes strike up chat sessions with the victim later on to collect more details.

Citing one example of this, the report said: “We observed a female avatar engage one victim in lengthy chats about Syrian refugees in Beirut. After successfully compromising the target, the conversations stopped. Later “she” briefly re-emerged to ask the victim if he had previously served in the Syrian Arab Army (Assad’s forces). After getting an affirmative answer, she again went silent.”

Because the hackers focused much their efforts on Skype databases, Fire Eye says it was likely they would have found their next target from within the victim's own contacts.

An example of profiles used by hackers

 Nart Villeneuve, senior threat intelligence researcher at FireEye, said: “In the course of our threat research, we found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek.

"While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield.”