'Don't talk to strangers' is something we say to our children all too often, especially in the age of social media. It seems some grown men might need the same advice.
On Wednesday, researchers from Avast detailed a relatively simple but extremely clever cyberattack on young men from several Middle Eastern countries which goes to show that even the grownups need to be careful when they make friends online. The hacking group behind it has operated for several years now, and its goal is to exfiltrate potentially sensitive information with the help of a piece of Android spyware. Because of this, the experts reckon that they're dealing with an Advanced Persistent Threat (APT) group which they've named Tempting Cedar. The name will make more sense once you see the details.
The attack starts with a few fake Facebook profiles. The hackers apparently stole pictures of several attractive young ladies and created fictitious accounts which interacted with each other to make the story a bit more believable. Then, the "young ladies" would connect to their targets and would start communicating with them over Facebook Messenger. The conversations would gradually become flirtier, and the non-existent women would suggest moving to another instant messaging app called Kik with the pretext of keeping the communication private.
Kik is a real application with around 300 million users, and it does promise more privacy. It's available on Google Play, but as you'd imagine, the Tempting Cedar gang would urge their victims to download it from a website controlled by them. As you'd also imagine, the Kik messenger that the targets downloaded was infected with spyware. Before installing it, the victims would need to modify Android's security settings and allow installations from third-party sources, which should have tipped them off. Apparently, however, some of them were too preoccupied thinking about what their new lady friends had to tell them over the private chat. This classic social engineering trick is where the "tempting" in Tempting Cedar comes from.
The spyware would register itself as a service and would run at every boot. It would then contact the Command & Control (C&C) servers and would deploy an arsenal of modules that could do anything from harvesting device information (OS version, geolocation, network operator, etc.) and personal data (call and SMS logs, contacts) to recording sound through the microphone and tampering with the files on the device.
After analyzing the active hours and the IP and whois data associated with the C&C infrastructure, Avast's experts said that while they can't be certain, they're relatively confident that the hackers are based in Lebanon. This is where the "cedar" part of the name comes from (a cedar tree takes a prominent place on the Lebanese national flag).
Avast found at least three fake accounts linked to the attack which have now been closed. The Tempting Cedar hackers are unlikely to be stopped by this, though.
In January 2017, the Israeli Defense Forces said that the same type of attack had been launched on some of their soldiers. Without saying how they made the attribution, Israeli officials pointed the finger at Hamas and mentioned nothing about Lebanon. Whoever is responsible, the modus operandi is so similar that we can't help but think that the two attacks are linked in some way. The brutal efficiency combined with the lack of technical sophistication means that we won't be too surprised if we see more of them in the future.