Femmes fatales steal Syrian opposition's Skype chats and military plans

Danger! Beware seductive women who contact you on Skype! Particularly if you are working for opposition forces in Syria.

Researchers at FireEye have uncovered what they believe to be evidence of a co-ordinated attack against those fighting the forces of Syrian President Bashar el-Assad.

In a newly-released report, FireEye says it discovered PCs and Android smartphones owned by Syrian opposition forces were being hacked after being duped into entering Skype conversations with "sympathetic and attractive women".

As conversations developed, the "women" would offer files posing as personal photographs - in reality booby-trapped to infect the recipient's device with spyware and steal critical documents and Skype chat conversations.

The hacking group's tactics were hardly sophisticated - they simply asked the intended victim whether they were using Skype on a computer or an Android phone, so that the correct flavour of malware could be served up - but that didn't mean they were unsuccessful.

In all, 7.7GB of data is said to have been stolen by hackers between November 2013 and January 2014, encompassing 64 Skype account databases, with 31,107 conversations, 12,356 contacts and 240,381 messages.

Reconstruction of Skype conversation

Here is an example conversation, as detailed by FireEye:

The target receives an initial contact request from the female avatar. He accepts the request. "She" then asks, "are you using Skype on your phone or your PC?"

"WOMAN": Are you opening Skype on your mobile?

TARGET: Computer and mobile
How old are you?

"WOMAN": 27
And you?

TARGET: 28

The avatar responds with a request for a picture. The target then sends a picture, which the avatar compliments. "She" follows up with a request for his age and says her own birthdate. He replies with apparent surprise that they have identical birthdays, though one year off.

"WOMAN": May 5 1986

TARGET: Lolololololol
May 5 1985.....

"WOMAN": A sweet coincidence
Sent file New-Iman-Picture.pif

It probably wasn’t a coincidence. His birthday is on his Skype profile, which would have been visible to the threat actor.

After they chat a bit more, she explains that she is a "computer engineer working at a programming company in Beirut" and sends a file that the avatar claims is a picture of her. The target becomes a victim when the picture is opened.

TARGET: You drive me crazy.
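The lure in the reconstruction above is a file named like a photograph but carrying a `.pif` extension, which Windows executes like a program. As an added example (not code from the article or from FireEye's report), here is a small defender-side check a chat or mail gateway could run over transferred files: it flags executable extensions hiding behind picture-like names or double extensions, and image extensions whose content does not begin with an image header. The sample transfers are constructed; the only name taken from the page is `New-Iman-Picture.pif`, and its bytes are fabricated.

```python
import os
import re

# Extensions Windows will run on double-click; the lure on this page used .pif,
# a "program information file" that the shell executes like an .exe.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".bmp"}
# Filename words that invite the recipient to read the file as a photo.
PHOTO_WORDS = re.compile(r"picture|photo|pic|img|image|selfie", re.IGNORECASE)
# Leading bytes of common image formats (JPEG, PNG, GIF, BMP).
IMAGE_MAGIC = (b"\xff\xd8\xff", b"\x89PNG\r\n\x1a\n", b"GIF8", b"BM")


def classify_attachment(filename: str, data: bytes) -> str:
    """Verdict for one chat-delivered file, judged by its name and content.

    Returns "executable_posing_as_picture", "content_mismatch",
    "executable" or "ok". The last extension decides the type, so a
    double extension such as holiday.jpg.scr is still treated as an .scr.
    """
    base = os.path.basename(filename).lower()
    ext = os.path.splitext(base)[1]
    header = data[:16]
    if ext in EXECUTABLE_EXTENSIONS:
        double_ext = any(base.endswith(img + ext) for img in IMAGE_EXTENSIONS)
        if double_ext or PHOTO_WORDS.search(base):
            return "executable_posing_as_picture"
        return "executable"
    if ext in IMAGE_EXTENSIONS and not any(header.startswith(m) for m in IMAGE_MAGIC):
        # Named like a picture, but the bytes are not an image (e.g. an "MZ" PE header).
        return "content_mismatch"
    return "ok"


def scan_transfers(transfers):
    """Map each (filename, bytes) pair to its verdict."""
    return {name: classify_attachment(name, data) for name, data in transfers}


# Constructed sample transfers (not real captures): the page's lure name with a
# fabricated MZ header, a genuine-looking JPEG, and two other disguises.
SAMPLE_TRANSFERS = [
    ("New-Iman-Picture.pif", b"MZ\x90\x00" + b"\x00" * 12),
    ("beach.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 12),
    ("holiday.jpg.scr", b"MZ\x90\x00" + b"\x00" * 12),
    ("portrait.png", b"MZ\x90\x00" + b"\x00" * 12),
    ("setup.exe", b"MZ\x90\x00" + b"\x00" * 12),
]

if __name__ == "__main__":
    for name, verdict in scan_transfers(SAMPLE_TRANSFERS).items():
        print(f"{name:24} {verdict}")
```

A real gateway would also inspect archives and look past the first 16 bytes, but the two checks shown (name versus extension, extension versus magic bytes) catch the exact trick used in this campaign.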

Facebook profiles corresponding to the attacking Skype accounts were uncovered using the same profile picture. These accounts were filled with content supportive of forces fighting the Syrian regime, and contained multiple posts with malicious links, such as bogus Flash Player updates.


FireEye says it has not been able to identify those behind the campaign, although since the company believes the stolen data would benefit President Assad's military efforts, it's natural to assume that the perpetrators are at the very least supporters of his forces.

"In the course of our threat research, we found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek," said Nart Villeneuve, a senior threat intelligence researcher at FireEye. "While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims' machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield."

Of course, the warning to be suspicious of strangers contacting you out of the blue on Skype and other chat services isn't just relevant to military forces in Syria. It's sensible advice for anybody on the internet.

If you are ever approached - be it on Skype, email or Facebook - by a stranger who shows an odd interest in you, be on your guard. The next file or link they send you could be malicious.

For further information on FireEye's findings, check out their technical paper "Behind the Syrian Conflict's Digital Front Lines".



3 Responses

  1. David

    February 2, 2015 at 3:43 pm #

    Mata Hari for the 21st century. Like I always say, machines may get faster, have more memory, or faster connections – but the fundamentals never change.

  2. Coyote

    February 2, 2015 at 6:23 pm #

    If you ever approached – be it on Skype, email or Facebook – by a stranger who shows an odd interest in you, be on your guard. That next file or link they send you could be malicious.

    Or phone. Or doorstep. Or in a shopping centre. List goes on. (Of course, file link or some such might not apply here but the rest does) If they're offering you some service and even worse is if they're insisting it is for your own good, then they have nothing of good intentions. If they are insisting that you need this or you have this problem, they are hoping you're gullible enough (and/or vulnerable due to damage in the past or even just ignorant of what is possible, plausible and otherwise) to fall to their tricks. If you are, you'll then be their prey and they'll be an attacker rather than a saviour. In person in a shopping centre is maybe the exception but that depends on the actual situation: if they're insisting you have to do something or there is going to be a problem, or if they're insisting you follow them (or whatever), then there is likely much more to it (and the latter one is even worse). That's the sad reality here: it is something that has so many variables and depending on other variables or circumstances, that if you're not always careful (and know that even with being careful there might be something that can still get you) then you're bound to be in trouble if you're at the wrong place at the right (right for the attacker, wrong for you) time.

  3. Brian

    February 4, 2015 at 12:50 pm #

    This is like the oldest social engineering attack ever.
