Malwarebytes researchers are warning IT workers seeking love online to beware “CatPhishing” scams which can leave entire companies devastated.
A play on the term catfishing, in which scammers dupe people into falling in love with false online personas for various reasons, catphishing uses personas of attractive women to target IT and cyber-security professionals so the scammers can infiltrate corporate systems for their own gain.
Researchers note that some of the people who have fallen for these attacks have been security professionals who should have known better, meaning potentially anyone could be a victim, according to a 15 November post.
This was the case in the Deloitte breach, when a cyber-security staffer at the company was convinced to open a booby-trapped Excel file sent by someone he believed to be a female friend he had met on Facebook. The “female friend” was actually a false persona created by the Iranian hacking group OilRig, and the file gave the threat actors access to sensitive client data and internal documentation.
As with phishing, researchers recommend that users look for the usual red flags and beware of online daters whose claims seem too good to be true. Indications of a potential catphisher are people who meet you on a dating site and then suggest moving the conversation to other channels, people who show no interest in meeting face to face, and people whose photos, most or all of them, never include other people.
Other indicators include social media followers that appear to be sockpuppet accounts, and asking for a lot of personal information early in the relationship, such as how much you earn, what kind of home you live in, and where your parents are.