Social Engineering, Catfishing: Deception Through Impersonation
The internet possess as a fantastic doorway to many opportunities. We can use it to learn, to communicate and to meet new people.
While it may appear like a marvelous place, if you actually venture further down the rabbit hole, you may find everything is not quite as it seems. At least that is what one employee at a Middle Eastern company found out.
According to a recent article from Wired, a 30-year-old British woman, named Mia Ash, with two art school degrees and a successful career as a photographer is actually the “face” of Iranian state-sponsored hackers. It is believed they have been targeting organizations around the Middle East for years with the intent of committing espionage and possibly data destruction.
Despite her biography and track record, she is not the dream woman or Bond girl she appears to be. According to researchers at the security firm SecureWorks, this is because she is fictitious. Her biography fabricated and her photos stolen from another woman’s online profiles, she is, what the internet calls, a classic Catfish.
In February, while trying to identify an attempted spyware infection, a SecureWorks employee found that one of the company’s workers had been in communication with “Mia” for more than a month. What started on Linkedin regarding a simple conversation about photography then escalated to more in depth and meaningful conversations.
After roughly a month of communication, this Mia persona sent the worker an Excel attachment which contained malicious malware. Once the worker opened the document on their work PC, believing it was a photography survey, the malware went to work attempting to infect his computer. The company’s malware defenses prevented the installation, however this is not the first time a company has been hacked using these methods.
For anyone that isn’t familiar with Social Engineering, it is the use of deception to manipulate an individual into divulging confidential or personal information which can be used for fraudulent purposes. To get a better understanding, the video below perfectly highlights how easy it is to pose as someone else, in order to obtain confidential information.
Catfishing and Social Engineering are two of the most common methods used by hackers when they want information, as employees often have very little training to counteract or even expect these attacks. As a result it can be incredibly easy for a hacker to lull an individual into a false sense of security resulting in leaked information or the individual giving away access to their network.
This is not only applicable within the business world but is also very relevant in everyday life. An article in The Verge reported that one hacker named “Patrick” tweaked Tinder’s API to dupe men who thought they were chatting with women into messaging each other. While another hacker ran a similar operation with up to 10,000 men falling for this trick. This phenomenon of individual talking with Catfish using stolen pictures and fake accounts is also the premise for the incredibly popular TV show by the same name, Catfish.
For this reason, many online dating apps, such as Hookd, have taken Catfishing seriously, and have developed clever ways to curb it.
While the internet has the potential to bring us closer together, it can also bring us closer to those we would usually steer clear from in real life. Unfortunately, due to the convincing mask the internet provides for hackers and social engineers it is easy for some people to be tricked into believe the untrue. As someone who was the target for a failed social engineering attack, it is easy to understand the dangers that are out there.
For anyone that is concerned about these threats, there are many websites which provide information to help you spot a catfish or social engineer. And just remember, that beautiful blonde model you’re chatting with now may seem hot now, but she will probably seem less appealing when you find out it’s a greasy middle aged man with a ponytail. Be smart, and if it seems too good to be true, unfortunately it’s probably because it is.