I read an interesting article on Naked Security the other day about how Hamas had used Facebook and social engineering tactics to trick Israeli soldiers into installing surveillance malware. The malware allowed Hamas to track the soldiers using the phone’s GPS, and to turn on the microphone and video to actually listen in and and watch their targets. Hamas undoubtedly picked up the malware on the Dark Web. I guess this is a new tactic in cyber-warfare. You can read about this on Naked Security or the Israeli Defense Force (IDF) blog.
This got me thinking about how a cyber-criminal or cyber-stalker might use similar tools to find, track, and eavesdrop on their victims. It turns out it is quite simple, and in some cases the attacker does not even need access to your phone. They just need a ploy to get you to download and install the app for them.
In the case of the IDF, Hamas was using fake Facebook profiles of pretty young women to open a dialog with the soldiers. Once she had them chatting, she would send them pictures of her at the beach or other provocative selfies. With the hook set, she would convince them to download a video chat app so they could chat live. She sent them a link to a third party app store called “apkpkg.com” to download “Wowo Messenger.” The video chat app allowed Hamas to see everything stored on the phone, read and send emails from the soldier’s account, track them via GPS, and turn on the microphone and camera to listen and observe what was going on in the immediate proximity.
There are companies selling legitimate software application that do the same thing, and more. We have links to a couple of them below.
This method would work pretty well on the average smartphone owner, too. Using social engineering techniques to spark an online romance via Facebook or a dating website would be a pretty easy thing to accomplish. Besides stealing all the phone information and tracking and eavesdropping on the target, they could also be set up for a good old financial scam, where the victim is lured into sending or lending money to the perpetrator.
You can protect yourself from the app download by avoiding third party app stores. Sticking with the Apple Store or Google Play are the safe bet. And remember, anyone who has access to our phone could install one of the more powerful commercial apps. As far as the romantic social engineering approach, you just have to be on your guard. If your new romance is progressing rapidly, they profess immediate deep feelings of love, and then are asking for money, there is a safe bet this is a scam.
- Israeli Defense Forces Blog – Hamas uses fake FB profiles to target Israeli soldiers
- Naked Security – Hamas IDF story
- Naked Security – Smartphone Surveillance Tools
- Naked Security – Online Dating Fraud
- FBI – Online Dating Fraud
- Mashable – Turning a Smartphone into a Spyphone
- Best Cell Phone Apps – Spy on a Cellphone Article
- DDI Utilities Review
- DDI Utilities software
- Flexispy software
About the Author:I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at http://wyzguyscybersecurity.com