Iranian Hackers Catfish a Cybersecurity Employee

Iran Focus

London, 6 Oct - A team of Iranian hackers used Facebook to target Deloitte, one of the world’s biggest accounting firms, according to Forbes.

One Deloitte employee fell victim to the scam in late 2016 at roughly the same time as a separate hack which affected Deloitte data in Microsoft's Azure cloud-hosting service.

The hacking group known as OilRig, which as Forbes pointed out in July were believed to have been working for the Iranian Regime, created a fake Facebook profile for a beautiful, charming woman using the name Mia Ash.

In July 2016, the creators of the fictitious Mia began getting a Deloitte cybersecurity employee and engaging him in conversations about his job via the website’s chat function.

As their relationship grew, the unnamed employee offered to help set Mis up with a website for her alleged business and then eventually, she convinced him to open a document containing malware on his work computer.

Though this malware did not infect the wider company network, it shows how easily the hackers were able to manipulate a security worker, who helped clients to defend themselves against similar digital attacks, and how they could do it again.

James Lewis, a former U.S. diplomat and cybersecurity expert at the Center for Strategic and International Studies, said: "This kind of thing is effective because men can't help themselves apparently."

Lewis continued by saying that we should ask why the employee was targeted and whether it was because of his job role or the company, although either option is worrying.

Lewis said: "In a couple instances the Iranians have been really clever: they don't go after the primary target, they go after the secondary... the Deloitte guy might have been interesting only because of who he was connected to."

Although OilRig doesn't do a lot of hacking outside the Middle East, this latest breach is very worrying.

Lewis said: "It's been a steady upward path for [the Regime], starting a decade ago. They test on their citizens, they practise every week against Israel. They've relationships with the Russians, Chinese and North Koreans, and in at least two of those - Russia and North Korea - we know they've exchanged tactics tools and procedures for cyber."

Mia’s profile was creates using images and information stoled from a real-life photographer, Cristina Mattei, from Romania. The hackers also created multiple social media profiles for her so that a Google search wouldn’t show up anything suspicious.

Indeed, SecureWorks cybersecurity researcher Allison Wikoff said that this was one of the most developed fake personas she'd ever seen.

Mia was also used to befriend an Asia-based cybersecurity professional at Deloitte until February 2017, when she also sent him a file- supposedly of photos of her- to open on his work laptop. Thankfully, this was caught by a malware detector.