The concept of a honey pot scheme is nothing new to security clearance holders. It all starts with an attractive man or woman with a friendly disposition. It ends with you oversharing something you shouldn’t, or more likely clicking on something you shouldn’t.
Prime online location for scammers and spies? LinkedIn. Seventy percent of LinkedIn users are located overseas. And some of them happen to be spies from Iran. A recent report from SecureWorks found a hacking group linked to Iran was targeting male employees of U.S. oil and technology firms. Call it Iran’s Robin Sage – a photographer named ‘Mia Ash’ started out as a well-built LinkedIn profile. ‘She’ connected with other photographers and built a believable online persona – through Facebook, WhatsApp and other social networking sites.
Feigning an interest in travel and photography, she started her relationships with a professional connection – through the innocuous LinkedIn request – and then continued it via Messenger and other chat tools. If you think security professionals are too savvy to be duped by a fake social media profile, think again – several security professionals clicked on the malicious links ‘Mia’ sent. SecureWorks studied one attempt where the link was clicked, and the firm’s security software prevented the attack. The firm isn’t sure other attempts were thwarted by security software, however.
The Iranian hackers behind the attack are OilRig and Cobalt Gypsy. The key to their success? Not just creating a profile, but creating a narrative. LinkedIn correlates well with that purpose. Individuals too easily connect with someone with whom they find a shared interest. ‘Mia’ started by connecting with other photographers, to build her credibility. Then she expanded her network to the security professionals she really wanted to target.
The honeypot scheme is a new variation on Iran’s new LinkedIn spy scenario – in 2015 the same firm reported Iranian hackers using recruiter profiles to target security professionals.