Mia Ash is young, attractive and popular, with hundreds of social media connections.
She shares your favorite hobbies, so when she adds you, you’re flattered and a little bit excited.
After exchanging messages on LinkedIn, you’re happy to continue the conversation on Facebook and WhatsApp.
There’s just one problem: Mia Ash does not exist.
You’ve been communicating with a mirage, and you’re about to fall into the hands of a team of hackers believed to be acting on behalf of a hostile foreign government.
Online “honey pot” attackers like Mia Ash represent a new front in global espionage, with hackers targeting strategically important companies through their weakest line of defense: their hapless employees.
That’s according to cyber security expert Allison Wikoff from SecureWorks, whose counter threat unit has been fighting what has been dubbed the Cobalt Gypsy spy campaign.
Mia Ash is a sophisticated fake persona that the unit has identified as an agent of a hacker group called Cobalt Gypsy, also known as OilRig, which is understood to be backed by the Iranian Government.
With highly detailed social media profiles portraying her as a young English photographer, the group used real images believed to be stolen from an innocent woman in Romania.
The scam targeted mid-level staff at Middle Eastern telecommunication, technology, aerospace and oil and gas companies who had access to sensitive parts of their company’s IT operations.
Mia Ash introduced herself as a wedding and portrait photographer reaching out to people around the world, saying she wanted to “learn more about your country.”
One worker fell for Mia Ash’s charm, striking up a friendship that lasted several weeks before the true nature of the situation was revealed when the hackers sent him a malware-infected email disguised as a “photography survey.”
The man, an amateur photographer who connected with the young woman believing they had a shared interest, unsuspectingly opened the attachment.
Wikoff said the aim was to steal login IDs and passwords: once opened, the document would unleash a type of malware called PupyRAT, giving the hackers access to the organization’s computer systems.
“They’re really interested in information that aligns with the Iranian government’s objectives,” she told news.com.au.
“SecureWorks firmly believes the Cobalt Gypsy group is associated with Iranian government-directed cyber operations, and that this Mia Ash campaign has been…