In a recent post on their official blog, Israel Defense Force (IDF) detailed how Hamas operatives used social engineering to trick IDF soldiers into installing malicious apps on their phone that allowed for easy eavesdropping, all by using some of the oldest tricks in the book.
It all starts with a friend request
IDF soldiers on Facebook found themselves on the receiving end of flattering friend requests from pretty women who seemed really, really interested in them. The attractive women then send the soldiers many photos of herself to convince them that they are the real deal, and engages the soldiers in conversation to lure them in.
And yes, these photos are indeed real, but they’ve been stolen from real people’s Facebook accounts.
Once the Hamas operative has chatted with the soldier enough to convince them that “she” is real, it’s time for the next step: getting the soldier to download the malicious payload without realizing it.
The fake profile wants to keep talking to the soldier but wants to do it outside of Facebook, so “she” exhorts the soldier to download a specific messaging app to talk to her – otherwise, their conversations are over.
To keep talking, she tells the soldier that he first needs to use an app store called apkpk to download a video chat app called Wowo Messenge.
Hopefully you’ve spotted the glaring red flags here – using a third-party app store for one thing, and a specific (and dodgy-sounding) video-chatting app for another. Unfortunately, soldiers who were not quite as savvy later found out the app they thought was a video messenger was malware that turned their phones into powerful eavesdropping devices for Hamas.
According to the IDF’s blog post:
It can turn a mobile device into an open book – leaving contacts, location, apps, pictures, and files accessible to Hamas. What’s more, it can stream video from the camera and audio from the microphone.
Even the highly trained can make mistakes
The IDF caught on to this attack not long after it was deployed, but according to the IDF, Hamas did successfully infiltrate the phones of a few soldiers before the attack was uncovered. But as they say, if it ain’t broke don’t fix it – even though the social engineering methods in this attack were about as old-school as it gets, it ends up that flattery and pictures of a pretty woman can still motivate a lonely heart to do something they shouldn’t, even if they are highly trained to spot threats and malicious behavior.
We should use this incident as a reminder to be aware of what information we make public on Facebook: all the IDF soldiers targeted in this attack were found by Hamas through public photos, tags and posts that revealed they were actively in IDF military service. This made the soldiers prime targets for social engineering attacks via something as simple as a friend request and a few chat messages.
There’s a good lesson here for us all to stay alert, be mindful of what we make public, and not assume that security awareness is a one-and-done affair.