Chatting with a Femme Fatale

“Its depressing how stupid people are and how easily they can be tricked into giving over their CC number or persuading them to join a site you get commission from… lonely guys are stupid and easily swindled out of money.”

Quote of a female-chatbot programmer

Yes, I agree that men can be easily conned by pleasant-sounding, enticing female chatbots, but could such bots trick someone into divulging government secrets? Apparently, yes. There now exist femme fatale bots that can trick men into giving up information about military operations and data that could compromise the lives of thousands of people, at least this is what FireEye discovered when they investigated the strange actions of a female Skype user in Syria.

I guess it would be more appropriate to call these carefully designed bots, avatars, as they came, not only with chatbot capabilities, but with complete Facebook profiles, including photos. In other words, they had a more developed personality than a simple chatbot.

In any event, the avatar would contact targeted individuals on Skype and, after a few preliminary questions, casually ask about what kind of device they were using Skype with. This simple question was the key to the whole operation. Once the attacker knew this information, they could send malware to target the victim’s specific OS. Of course, the attacker still needed to install this malware payload on the device, but that turned out to be pretty easy. The avatar, which appeared to be coming from an appropriate Middle East country, would also claim to have the same birthday as the victim, except she was a year younger. She clearly got his birth date from somewhere, probably from his Skype or other social media profile. In other words, ‘she’ did her research.  In the actual conversation that you can see below, it is the man who asks about the avatar’s age. The program, however, seems ready for this.

 femme fatale conversation

 She would then ask for a photo of the victim. He would, of course, ask for one back. She would send it. It came in the form of a .pif file that, unfortunately for the victim, was only a surface disguise for an underlying zip file. Once opened, he would get a nice picture of an attractive Middle Eastern woman. He would also get a nice batch of malware. This malware was the infamous DarkComet RAT, and it would take complete control of his device from this point on.

After the avatar got what she wanted, she would mysteriously disappear. FireEye gives the following example:

“We observed a female avatar engage one victim in lengthy chats about Syrian refugees in Beirut. After successfully compromising the target, the conversations stopped. Later ‘she’ briefly re-emerged to ask the victim if he had previously served in the Syrian Arab Army (Assad’s forces). After getting an affirmative answer, she again went silent.”

 This is when things get a bit more complicated. What if the victim became suspicious? After all, how often had he been contacted, out of the blue, by an attractive woman? Though attractiveness is a key factor in luring male victims in, too much attractiveness may make them suspicious. The victim may want to see if the chat partner actually exists. They may check to see if she has a Facebook profile, for example. And, of course, she has, with the same photo that she sent him. Not only that, but she appears to be a strong supporter of the Syrian opposition. At this point, the victim may truly believe that he has found his dream girl. Maybe she knew he was also part of the opposition and was reaching out to him? Sure, that makes sense, right?

Trust is the foundation needed for all successful social engineering attacks. If he trusts that she is who she claims to be, he is finished. On the Facebook page, the victim will see much content on the Assad opposition, complete with links that will lead him to malicious sites. He will be encouraged to download certain ‘security software’ which isn’t. In fact, all of the actions the page asks him to take and all the links available are there to get the duped victim to download malware onto his computer. He is also funneled onto a fake opposition website. Much of the content of this site is taken from the website of the Syrian American Council, a group which supports the Syrian opposition. On this fake site, the victim will find videos, but, in order to watch them, the victim will be told they must update their Flash Player. I think you can guess what happens when they do.

But wait. There’s more. That’s because, as an added bonus, the fake website seems to offer a matchmaking service; a good idea considering the men who got this far were probably looking to connect with an attractive woman. After all, they had already shown this inclination in their Skype behavior. However, to continue on to this matchmaking site, where beautiful women await, they must first login via a fake Facebook login page.

syria facebook

This page was a way to collect information on those opposition members using it. In fact, FireEye found that a lot of information was gathered from relatively few computers. This was because many of the opposition members were probably connected in some fashion and compromising one compromised all. In a country where internet service may be limited or disrupted by condflict, smartphones become a key way to communicate. As FireEye points out:

“Smart phones, in general, are valuable sources of data about individuals and their social networks, as they may contain address books, SMS messages, email, and other data (including data from mobile apps, such as Skype). Targeting Android may be particularly beneficial in the case of Syrian opposition members, where regular power blackouts in Syria may force people to rely more heavily on mobile devices for communications.”

The following chart from FireEye gives a summary of the information that was stolen from members of the Syrian opposition.

syria stoloen info

The type of data stolen can be broken down into military and political information, information on humanitarian activities and financing, the personal information of refugees, information on media investigations, and user account information that could be used at any time.

Military secrets stolen include military plans, documents, and participants. One example is given below.

stolen military plans

It became clear that one of the main goals was to identify individuals fighting for the opposition or those from the Syrian army that had defected. In any event, the avatar managed to secure a decided advantage for Assad’s army. After all, if the opposition’s plans were known in advance, as in the case above, it would be a simple matter to undermine them.

FireEye traced these attacks to Lebanon and, more specifically, to Hezbollah. Somewhat amazingly, back in 2012, this group offered pro-Assad individuals a “Training Course for Internet and Social Media Activists”. Among other skills offered in this three-day training program was a seminar in “The use of women to entrap opposition members and activists using social media sites such as Skype and Facebook”.

This femme fatale attack brings up a couple of key questions. Would it have succeeded if it was carried out by male avatars? Would it have succeeded if the women were not attractive? The answer is, probably not. Jon Millward found that physical attractiveness had a far more powerful effect on men than on women. In his experiment on an online dating site in which he tested the profile of 5 men and 5 women with varying degrees of attractiveness, he found that the two most attractive women received 581% more messages than the other three women combined and 17 times more responses than the most attractive man. In fact, only one man received any responses at all. Therefore, the designers of this attack took advantage of a common weakness in male human nature and exploited it to the maximum. (see my post on Phishing with Naked Women and Romantic Lures)  It seems that, in the final analysis, ideals are no match for millions of years of hardwired biology.


Inzero Systems’ Answer to Spear Phishing Attacks

Everyone, no matter how security-wary they are, can be a spear phishing victim. This has been proven over and over again. InZero Systems accepts this as fact, and it doesn’t worry them in the least. This is because, with their security architecture, it is impossible for malware on a compromised-user device to make any impact on a company’s network. Why? Because their architecture separates normal user behavior from the company network at the hardware level. Let the user take any risk he or she wants, whatever malware installs itself on the users side of the device cannot cross the hardware barrier to gain access to sensitive company data.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s