
The Spy Who Loved You (Or Claimed to)

Using sex to lure victims is certainly not a new thing, probably dating back to the Roman Empire or before, but the tools are new.

And, while you might not fall for this, are you sure that none of your people will?

North Korea, Iran and China, in particular, have been caught using fake social media profiles to gather information. The platforms make only a somewhat anemic effort to weed these out, because the number of accounts is a metric that investors care about, and apparently (other than Elon Musk) they are too dumb to realize that most of the numbers are a work of fiction.

The attack works like this.

There is nothing immediately suspicious about Camille Lons’ LinkedIn page. The politics and security researcher’s profile photo is of her giving a talk. Her professional network is made up of almost 400 people; she has a detailed career history and biography. Lons has also shared a link to a recent podcast appearance—“always enjoying these conversations”—and liked posts from diplomats across the Middle East.

https://www.wired.com/story/linkedin-fake-profiles-state-actors-scams/

The only problem is that the account was hijacked.

So when Lons got in touch with freelance journalist Anahita Saymidinova last fall, her offer of work appeared genuine. They swapped messages on LinkedIn before Lons asked to share more details of a project she was working on via email. “I just shoot an email to your inbox,” she wrote.

https://www.wired.com/story/linkedin-fake-profiles-state-actors-scams/

Once they have the mark hooked, they send a malicious email, maybe an infected PDF or a link to a website hosting malware.

This was a real case. Luckily the potential victim was suspicious enough to report it to her security team and that game was over.

In the love scam, after they get the mark hooked, they start squeezing the mark for information about his/her job. Initially the questions are benign, but after a while they get more sensitive. If the mark goes along with it, the hacker ups the game and tries to get very sensitive information.

But it could be love instead of a job offer. Or it could be a deal too good to pass up. There is a high-profile attack going on right now, nicknamed pig butchering. You can Google it if you are curious; it is safe for work, just not for your wallet.

While I know that if some very attractive young woman starts coming on to me that it is a scam, some people are still hopeful.

In any case, your staff needs to be trained not to fall for these sorts of schemes. If you don’t run frequent phishing email tests (such as weekly), followed by training for those who fall for them, you need to start. If you need assistance with this, please contact us.

Credit: Wired