Hamas Compromises Israeli Soldiers with Pretty Woman Gambit


The Israel Defense Forces (IDF) have detailed an espionage campaign by Hamas operatives, who used social engineering to trick IDF soldiers into installing eavesdropping apps on their phones.

The gambit used one of the more classic social engineering techniques: Pretty ladies. IDF soldiers were targeted by Facebook friend requests purporting to be from attractive women. To sweeten the pot, these “ladies” sent multiple messages expressing their interest, along with photos—though the photos were cribbed from other, legitimate Facebook profiles.

After chatting enough to convince the soldier that she’s real, the person on the other end asks the soldier to video chat.

“But all the [existing video] apps he has won’t work for her—she needs him to download another one,” the IDF described in a blog. “She sends him a link to an app [in a third-party app] store called ‘apkpk.’ He downloads the app she requested. The app isn’t working, not for the soldier, at least. He tries to tell the pretty girl on the other end, but she won’t respond.”

The app is, of course, spyware: once installed it records phone conversations and much more, sending the take directly to Hamas.

“It can turn a mobile device into an open book—leaving contacts, location, apps, pictures, and files accessible to Hamas,” the IDF said. “What’s more, it can stream video from the camera and audio from the microphone.”
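The capability list above maps directly onto Android permissions, which gives a defender a quick triage check on a suspect handset. What follows is an added example (not IDF or Infosecurity Magazine material, and not the malware itself): it parses the text produced by `adb shell pm list packages -3 -i` and `adb shell dumpsys package` and flags third-party apps that were not installed from Google Play yet request the spyware-grade combination of contacts, location, camera, microphone, file and call access. The two sample outputs embedded in it are constructed, not captured from a real device, and the trusted-installer set and the three-capability threshold are assumptions to adjust per fleet.

```python
"""Triage helper: flag sideloaded Android apps holding a spyware-grade permission set.

Added example, not code from the IDF or from the campaign described.
Input formats are those of `adb shell pm list packages -3 -i` (third-party
packages with their installer) and `adb shell dumpsys package`.
The SAMPLE_* strings below are constructed for the example.
"""
import re
from typing import Dict, List, Set, Tuple

# Assumption: only Google Play counts as a trusted source. An installer of
# "null" or "com.google.android.packageinstaller" means the APK was sideloaded
# (file download, browser, or a third-party store such as the one in the article).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Permissions grouped by the capability the article attributes to the spyware.
CAPABILITIES: Dict[str, Set[str]] = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
    "files": {"android.permission.READ_EXTERNAL_STORAGE",
              "android.permission.READ_MEDIA_IMAGES"},
    "calls": {"android.permission.READ_CALL_LOG",
              "android.permission.READ_PHONE_STATE"},
}

PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")
PKG_HDR = re.compile(r"^\s*Package \[([\w.]+)\] \(")
REQ_HDR = re.compile(r"^\s*requested permissions:\s*$")
PERM_LINE = re.compile(r"^\s*(android\.permission\.[A-Z_]+)\s*$")
GRANTED = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=true")


def parse_pm_list(text: str) -> Dict[str, str]:
    """Map package name -> installer from `pm list packages -i` output."""
    out = {}
    for line in text.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_dumpsys_permissions(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Return (requested, granted) permission sets per package from `dumpsys package`."""
    requested: Dict[str, Set[str]] = {}
    granted: Dict[str, Set[str]] = {}
    pkg = None
    in_requested = False
    for line in text.splitlines():
        m = PKG_HDR.match(line)
        if m:
            pkg = m.group(1)
            requested.setdefault(pkg, set())
            granted.setdefault(pkg, set())
            in_requested = False
            continue
        if pkg is None:
            continue
        if REQ_HDR.match(line):
            in_requested = True
            continue
        if in_requested:
            m = PERM_LINE.match(line)
            if m:
                requested[pkg].add(m.group(1))
                continue
            in_requested = False  # left the "requested permissions:" block
        m = GRANTED.match(line)
        if m:
            granted[pkg].add(m.group(1))
    return requested, granted


def capabilities_for(perms: Set[str]) -> Set[str]:
    """Translate raw permissions into the capability names used above."""
    return {cap for cap, names in CAPABILITIES.items() if perms & names}


def triage(pm_list_text: str, dumpsys_text: str,
           trusted: Set[str] = TRUSTED_INSTALLERS, min_capabilities: int = 3) -> List[dict]:
    """Flag non-Play apps requesting at least `min_capabilities` spyware capabilities."""
    installers = parse_pm_list(pm_list_text)
    requested, granted = parse_dumpsys_permissions(dumpsys_text)
    findings = []
    for pkg, installer in installers.items():
        if installer in trusted:
            continue
        req_caps = capabilities_for(requested.get(pkg, set()))
        if len(req_caps) >= min_capabilities:
            findings.append({
                "package": pkg, "installer": installer,
                "requested": sorted(req_caps),
                "granted": sorted(capabilities_for(granted.get(pkg, set()))),
            })
    findings.sort(key=lambda f: (-len(f["requested"]), f["package"]))
    return findings


# Constructed sample output (not from a real device).
SAMPLE_PM_LIST = """\
package:com.android.chrome  installer=com.android.vending
package:com.example.videochat  installer=com.google.android.packageinstaller
package:com.example.flashlight  installer=null
"""

SAMPLE_DUMPSYS = """\
Packages:
  Package [com.android.chrome] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
  Package [com.example.videochat] (4d5e6f):
    userId=10142
    requested permissions:
      android.permission.INTERNET
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.CAMERA
      android.permission.RECORD_AUDIO
      android.permission.READ_EXTERNAL_STORAGE
      android.permission.READ_CALL_LOG
      android.permission.RECEIVE_BOOT_COMPLETED
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.RECEIVE_BOOT_COMPLETED: granted=true
    runtime permissions:
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
      android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.flashlight] (7a8b9c):
    userId=10150
    requested permissions:
      android.permission.CAMERA
    runtime permissions:
      android.permission.CAMERA: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_PM_LIST, SAMPLE_DUMPSYS):
        print(f"{f['package']} (installer={f['installer']}): "
              f"requests {f['requested']}, granted {f['granted']}")
```

Note that a legitimate video-chat app from Google Play also asks for camera and microphone, which is exactly why the check keys on installer source first and permission breadth second; in the sample, Chrome is skipped as a Play install and the single-permission flashlight falls below the threshold, leaving only the sideloaded "video chat" app.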

Hamas successfully infiltrated only a handful of phones before the operation was uncovered, but it is worth noting that Facebook users, especially those who occupy sensitive positions or serve in the armed forces, should be careful about what they allow to be shown publicly. Hamas found and targeted soldiers via public photos, tags and posts that revealed they were actively in IDF military service.

Other common sense protections work too:

“Turning off the GPS on your phone when it’s not in use can make yourself harder to track, and only clicking links from people you trust can help, too,” IDF said. “If anything looks fishy—like an email with an uncharacteristic subject line and an attachment you’re not expecting to receive—don’t download or click it. Don’t accept friend requests on social media from people you haven’t met, and don’t download any apps from sources you’re unfamiliar with.”
