Researchers at FireEye have uncovered what they believe to be evidence of a co-ordinated attack against those fighting the forces of Syrian President Bashar el-Assad.
In a newly-released report, FireEye says it discovered that PCs and Android smartphones owned by Syrian opposition forces were being hacked after their owners were duped into entering Skype conversations with “sympathetic and attractive women”.
As conversations developed, the “women” would offer files posing as personal photographs – but really boobytrapped to infect the recipient’s device with spyware and steal critical documents and Skype chat conversations.
The hacking group’s tactics were hardly sophisticated – they simply asked their intended victim whether they were using Skype on a computer or an Android phone, so they could serve up the correct flavour of malware – but that didn’t mean they were unsuccessful.
In all, 7.7GB of data is said to have been stolen by hackers between November 2013 and January 2014, encompassing 64 Skype account databases, with 31,107 conversations, 12,356 contacts and 240,381 messages.
Here is an example conversation, as detailed by FireEye:
The target receives an initial contact request from the female avatar. He accepts the request. “She” then asks, “are you using Skype on your phone or your PC?”
“WOMAN”: Are you opening Skype on your mobile?
TARGET: Computer and mobile
How old are you?
The avatar responds with a request for a picture. The target then sends a picture, which the avatar compliments. “She” follows up with a request for his age and says her own birthdate. He replies with apparent surprise that they have identical birthdays, though one year off.
“WOMAN”: May 5 1986
May 5 1985…..
“WOMAN”: A sweet coincidence
Sent file New-Iman-Picture.pif
It probably wasn’t a coincidence. His birthday is on his Skype profile, which would have been visible to the threat actor.
After they chatted a bit more, she explained that she is a “computer engineer working at a programming company in Beirut” and sends a file that the avatar claims is a picture of her. The target becomes a victim when the picture is opened.
TARGET: You drive me crazy.
Facebook profiles corresponding to the attacking Skype accounts were uncovered using the same profile picture. These accounts were filled with content supportive of forces fighting the Syrian regime, and contained multiple posts with malicious links, such as bogus Flash Player updates.
FireEye says it has not been able to identify those behind the campaign, although it’s natural to assume that the perpetrators are at the very least supporters of President Assad’s forces, as FireEye claims the stolen data would benefit his military efforts.
“In the course of our threat research, we found the activity focused on the Syrian opposition that shows another innovative way threat groups have found to gain the advantage they seek,” said Nart Villeneuve, a senior threat intelligence researcher at FireEye. “While we cannot positively identify who is behind these attacks, we know that they used social media to infiltrate victims’ machines and steal military information that would provide an advantage to President Assad’s forces on the battlefield.”
Of course, the warning to be suspicious of strangers contacting you out of the blue on Skype and other chat services isn’t just relevant to military forces in Syria. It’s sensible advice for anybody on the internet.
If you are ever approached – be it on Skype, email or Facebook – by a stranger who shows an odd interest in you, be on your guard. That next file or link they send you could be malicious.
For further information on FireEye’s findings, check out their technical paper “Behind the Syrian Conflict’s digital front lines”.