Mia Ash is a fake persona used to target people in a hacker scam using stolen images.
By Dana McCauley
Mia Ash is young, attractive and popular, with hundreds of social media connections.
She shares your favourite hobbies, so when she adds you, you're flattered and a little bit excited.
After exchanging messages on LinkedIn, you're happy to continue the conversation on Facebook and WhatsApp.
There's just one problem: Mia Ash does not exist.
You've been communicating with a mirage, and you're about to fall into the hands of a team of hackers believed to be acting on behalf of a hostile foreign government.
Online "honey pot" attackers like Mia Ash represent a new front in a global espionage, with hackers targeting strategically important companies through their weakest line of defence: their hapless employees.
That's according to cyber security expert Allison Wikoff from SecureWorks, whose counter threat unit has been fighting what has been dubbed the Cobalt Gypsy spy campaign.
Mia Ash is a sophisticated fake persona that the unit has identified as an agent of a hacker group called Cobalt Gypsy aka OilRig, which is understood to be backed by the Iranian Government.
With highly detailed social media profiles portraying her as a young English photographer, the group used real images believed to be stolen from an innocent woman in Romania.
The scam targeted mid-level staff at Middle Eastern telecommunication, technology, aerospace and oil and gas companies with access to sensitive parts of their company's IT operations.
Mia Ash introduced herself as a wedding and portrait photographer reaching out to people around the world, saying she wanted to "learn more about your country".
One worker fell for Mia Ash's charm, striking up a friendship that lasted several weeks before the true nature of the situation was revealed when the hackers sent him a malware-infected email disguised as a "photography survey".
The man, an amateur photographer who connected with the young woman believing they had a shared interest, unsuspectingly opened the attachment.
Ms Wikoff said the aim was to steal login IDs and passwords when the document, once opened, would unleash a type of malware called PupyRAT, giving the hackers access to the organisation's computer systems.
"They're really interested in information that aligns with the Iranian government's objectives," she told news.com.au.
"SecureWorks firmly believes the Cobalt Gypsy group is associated with Iranian government-directed cyber operations, and that this Mia Ash campaign has been designed to obtain the high- level network credentials of male employees of specific target organisations in Israel, Saudi Arabia, India, US and Iraq."
Luckily, the photography buff's computer was protected by anti-malware software and the hackers did not succeed.
While Mia Ash had not been caught targeting Australians, Ms Wikoff said, the method of attack could be employed anywhere in the world by foreign government hacker spies - with the risk to Australia coming from China, Indonesia and Russia.
In January, the vulnerability of Australia's government and corporate spheres to foreign cyber spies was highlighted by the massive global data break affecting Yahoo.
Social Services Minister Christian Porter, shadow treasurer Chris Bowen and Liberal senator Cory Bernardi were among 3000 users affected by the breach, prompting Prime Minister Malcolm Turnbull to order a cyber security investigation.
Ms Wikoff and her team spent two months observing "Mia Ash" interact with her victims online, only to disappear without a trace when she was exposed.
Chillingly, she said, half of the fake persona's social media contacts appeared to be real photographers chosen to bolster its legitimacy, while the other half were made up of "potential victims".
Mia Ash's profile appeared to have been set up after a campaign of traditional "phishing" emails targeting the company's employees had failed, she said.
Organisations were increasingly shutting down such attempts by educating staff on how to spot a fake email address, with savvy workers much less likely to click on malicious links or attachments.
"So they are using other ways to get into the organisation," Ms Wikoff said.
She said hackers spent weeks building trust with victims before launching their attack by sending a document made to look legitimate and relevant to their discussions.
"We train employees to recognise and report phishing emails, but do we talk to people about this sort of social engineering? With LinkedIn and Facebook, the employer can't control what is going on, but it's about how to train people to detect this sort of thing."
Ms Wikoff said warning signs included profiles that used stock images or photographs bearing watermarks, indicating that they may belong to someone else.
And she recommended having "end point protection" software in place to ensure that, if staff unwittingly fell for a profile like Mia Ash, the malware would not get through - even if the employee clicked and opened the malicious email.
'It allows me to focus on myself and the kids and figure out life without Allan.'