Nonexistent ‘Women’ Chat Up Syrian Rebels on Skype

A hacker posing as an attractive female extracted detailed documents on Syrian rebel strategies by tricking a fighter into downloading infected photos of the female on Skype.

The New York Times reports: “To the young Syrian rebel fighter, the Skype message in early December 2013 appeared to come from a woman in Lebanon, named Iman Almasri, interested in his cause. Her picture, in a small icon alongside her name, showed a fair-skinned 20-something in a black head covering, wearing sunglasses.. . .He sent her a photo of himself and asked for another of her in return. She sent one immediately, apologizing that it was a few years old.

“Angel like,” he responded. “You drive me crazy.”

“What the fighter did not know was that buried in the code of the second photo was a particularly potent piece of malware that copied files from his computer, including tactical battle plans and troves of information about him, his friends and fellow fighters. The woman was not a friendly chat partner, but a pro-Assad hacker — the photos all appear to have been plucked from the web.”

The technique is described in a new study by the intelligence-gathering division of FireEye.

Apparently even the Luddite pro-Assad forces have figured out cyberespionage.

FireEye uncovered the attack while researching malware hidden in PDF documents, which are commonly used to share letters, books or other images. That quickly took the researchers to the servers where the stolen data was stored.

The imposter or imposters purloined large caches of documents revealing the Syrian opposition’s tactical battle plans, supply requirements and data about the forces themselves — which could be used to track them down.

It is unclear whether the attackers ever took advantage of this intelligence.

The rebels had been storing their game plans on phones and laptops, and they were vulnerable to slightly customized versions of commercially available malware.

This was no Syrian Electronic Army hacktivist campaign. That pro-regime group, which American intelligence officials suspect is actually Iranian, has vandalized many media websites across the globe. Shutting down or defacing websites typically does not help adversaries gain a battlefield advantage.  

Exactly who conducted the hacking on behalf of Assad’s forces remains a mystery,

It is thought that the hackers were based in Lebanon. They used a computer server in Germany, where FireEye found many of their communications in insecure directories.