You’ve heard or read about some variant of this story before: Girl meets Boy on a dating website. Girl falls in love. Boy claims he does, too. Girl is excited to meet Boy soon. But at the last minute, Girl finds out that Boy (1) had an accident and broke a hip; (2) has a very sick relative he needs to look after; (3) is going away to a secluded place to “find himself”—you’re not the problem, he is, right?; or (4) (through a helpful and mournful friend) is dead.
Suddenly suspicious, Girl digs a little deeper. Girl finds out that Boy isn’t the dreamboat he portrays himself to be. Boy is, in fact, her female colleague’s timid 13-year-old son, whom she met once at a work function.
Bummer, right? Here’s another one:
Two months ago, Deloitte revealed that it had been breached by hackers, who had most likely had access to compromised servers since November 2016. Around the same time, a cybersecurity staffer at Deloitte was convinced to open a booby-trapped Excel file sent by a female friend he had met on Facebook months before. Her name was “Mia Ash,” a London-based photographer. She was described as lovely and disarming.
She was also 100 percent fake.
Mia Ash is the latest in a lengthening line of online femme fatales who infiltrated corporate systems by targeting and successfully duping smart men working in IT and cybersecurity—people whom everyone expects to practice what they preach. Her equally fake predecessors went by the names of Robin Sage and Emily Williams. Although all three were created as social engineering lures, one significant difference stands out: Sage and Williams were the brainchildren of cybersecurity experts who wanted to expose the human weakness in the national defense and intelligence communities. Ash, on the other hand, was the product of a known Iranian APT group that deliberately took advantage of that weakness to achieve its nation-state goals.
Two very different stories, one common theme: romantic deception.
What is catphishing?
Catfishing (spelled with an “f”) is a kind of online deception wherein a person creates a presence in social networks as a sock puppet or a fictional online persona for the purpose of luring someone into a relationship—usually a romantic one—in order to get money, gifts, or attention. Catphishing (spelled with a “ph”) is similar, but with the intent of gaining rapport and (consequently) access to information and/or resources that the unknowing target has rights to.
Simply put, the former is out to break hearts (and bank accounts), while the latter is out to compromise individuals, organizations, and quite possibly even countries.
Can we say that catphishing has gone beyond bad romancing for money? Absolutely.
What motivates catphishers to do what they do?
The motivations behind the act are likely similar to the reasons spies steal secrets: to make use of the stolen information to gain the upper hand against the target or the organization they belong to. As we all know, stolen information in the hands of criminals can be used in many ways—for extortion, or for sale on the black market. In the end, however, the compromised organization loses integrity, clients, and business opportunities, and gets fined if it is found to be non-compliant with security and privacy regulations.
Catphishing is dangerous enough that most companies consider it a business threat.
On the other hand, catphishers who target individuals might also use the information they gather to create even more social media profiles. Sometimes, catphishers mislead simply to bully people online.
Blimey. Those catphishers ought to pay for what they’ve done!
Unfortunately, in many countries, catphishing (and catfishing) isn’t illegal. In the UK, “catfishing” is not even a legally defined term. Although the practice is, at present, pretty much legal, active campaigns are aiming to change this.
In the US, Oklahoma is the only state that has made catfishing illegal.
Although catfishing/catphishing itself cannot lawfully be charged against someone, there are other legal areas that those affected by the practice can look into and decide whether they want to pursue instead. They include (but are not limited to) the following:
- Copyright violation (for photos stolen and used in the deception)
- Criminal impersonation
- Identity fraud
How can we protect ourselves from this?
Start by familiarizing yourself with the following red flags, which indicate that you may be dealing with a catphisher online:
- Everything that they claim to be seems too good to be true.
- If you meet them on a dating website, they quickly suggest getting in touch via other means, such as email or other chat services.
- They show no interest in a face-to-face meeting or even in using voice chat services.
- Most (if not all) photos they use don’t include other people.
- Quite a number of their social media followers appear to be sockpuppet accounts.
- They ask for a lot of information about you early on in the relationship, such as how much you earn, what kind of home you live in, and where your parents are (to name a few).
Stay safe out there!
This is a Security Bloggers Network syndicated blog from Malwarebytes Labs, authored by Malwarebytes Labs. Read the original post at: https://blog.malwarebytes.com/cybercrime/2017/11/bad-romance-catphishing-explained/