Honey-trappers are posing as beautiful women online to talk to vulnerable men
- In Mia Ash’s situation, the profile was used to steal corporate and strategic plans
- The internet appears to offer a new level of persuasion to honey-trappers
- The techniques bear close similarities to those used by spies trawling for secrets
One can understand how he fell for her. Dark-eyed and alluring, with glossy hair worn in a sexy, tousled style, Mia Ash was 30 years old, a well-educated, successful photographer based in London, independent-minded and looking for love.
The middle-aged executive she approached online was captivated.
He, too, had an interest in photography and they fell into regular conversation via social media, first exchanging views on her portfolio of work, then broadening it to his job, their hobbies, travel experiences and their hopes for the future.
Before long, their chats were highly flirtatious, bordering on intimate.
And if the executive had any suspicions about Mia, they would soon have been allayed by her extensive profile on Facebook, where she had more than 500 ‘friends’, plus hundreds more on LinkedIn, the business social networking site she’d used to contact him, and numerous posts on Instagram.
Mia was clearly a well-connected, sophisticated woman — a friend of several well-known photographers — who had set up her own business in 2014 and was going places.
If he’d wanted to know more, he could have discovered she came from Great Wyrley in Staffordshire and had attended the Royal Academy of Arts, where she obtained a BA in fine art, followed by Goldsmiths, University of London, where she studied for an MA.
She had started her career as an assistant at the trendy Clapham Picturehouse in south-west London, before staff jobs at various photographic studios.
She was into indie music and conservation issues and her relationship status was ‘It’s complicated’, a social media phrase that signals availability.
So all in all it was a potential match made, if not in heaven, then in cyberspace.
But sadly there was one big problem: Mia Ash didn’t exist.
Instead, she is the incarnation of a modern honey trap.
Using beautiful women to lever secrets from vain, sexually adventurous men is the oldest trick in the espionage book. Now, though, honey-trappers stalk the internet, trawling for gullible males with powerful information to steal.
A photograph chosen to represent her, as well as numerous selfies, were lifted from the social media accounts of an innocent Romanian student and blogger. Before Ms Ash ‘disappeared’ from the internet in February, she is reported to have lured senior figures in sensitive industries in the U.S., Israel, India and Saudi Arabia into revealing confidential data that would be dynamite for a rival nation such as Iran — the chief suspect in this case
And the femmes fatales? They are fake, existing only in pixels.
Ms Ash’s identity had been meticulously constructed over more than a year by an international hacking gang. A photograph chosen to represent her, as well as numerous selfies, were lifted from the social media accounts of an innocent Romanian student and blogger.
Ms Ash’s starry CV and status updates were carefully crafted to mimic those of genuine creative professionals on LinkedIn.
Before Ms Ash ‘disappeared’ from the internet in February, she is reported to have lured senior figures in sensitive industries in the U.S., Israel, India and Saudi Arabia into revealing confidential data that would be dynamite for a rival nation such as Iran — the chief suspect in this case.
It wasn’t intelligence agencies who caught her out, though. It was a computer.
Ms Ash had been getting on so well with her latest conquest — an executive in the Middle East — she had asked for a little favour.
It sounded so innocent: she needed to collate feedback for a photography survey. Would he mind completing an Excel program spreadsheet she’d send to him as an email attachment? He’d have to do this on his office computer, otherwise the technology might play up, she said.
In truth, of course, the reason was so she could get access to his company’s IT system. Gulled by a month of internet footsie-playing, Ms Ash’s latest conquest did just as instructed.
But the email attachment her controllers sent was a ‘Trojan horse’ which smuggled spyware or malware into the company’s main system. There, the program, called PupyRAT, was poised to steal corporate and strategic plans.
It was then the sting began to unravel, though, as the company’s sophisticated cyber-defences identified the rogue program and blocked it, ringing alarm bells.
The Middle Eastern company immediately called on SecureWorks, a U.S. cyber-security firm, to probe the spyware attack.
Its analysts, who have just made the case public, soon discovered one of that company’s employees had been communicating with ‘Mia Ash’ for more than a month.
According to the analysts, the technical tools used suggest she was the creation of a group known as Cobalt Gypsy, which specialises in stealing industrial secrets in line with Iranian political and economic interests (Iran denies involvement in cyber-espionage).
They suspect the scheme had already worked successfully around the world, with Ms Ash planting snooping software on companies’ computer networks to harvest vital data, having first used exactly the same technique to lure in employees.
The internet appears to offer a new level of persuasion to honey-trappers. Studies show that when we share personal details with strangers over the internet, our brains quickly become addled into thinking we have built a real intimacy and trust with them
‘This is one of the most well-built fake personas I’ve seen,’ says Allison Wikoff, a researcher with SecureWorks. ‘It definitely worked, and did so for well over a year.’
But if the technology used was cutting-edge, this type of seductive snare has a long history.
The first recorded honey traps are the Biblical stories of Judith and Delilah. Judith seduced the enemy commander Holofernes and beheaded him; Delilah seduced Samson and got him to reveal the secret of his strength.
In World War I, the Dutch dancer Mata Hari was executed for feeding to the Germans secrets she had gleaned by bedding Allied politicians in Paris.
More recently, in 2006, a senior Scottish Army officer was sent home from Islamabad in disgrace after being caught by MI6 in an ‘inappropriate relationship’ with a Pakistani intelligence agent.
Nowadays, however, webchat is increasingly the new pillow talk, according to Edward Lucas, an expert on cyber-security and author of a forthcoming book on the new technology of espionage.
‘This is now a major part of the espionage game,’ he says. ‘All spy agencies will be doing this.’
He adds: ‘A digital world means you can get alongside someone without having to go to the other side of the world to meet them. Instead, you can go on LinkedIn or social media.’
The old rules remain, however.
Mr Lucas says: ‘Most people who are espionage targets are males, and males who like pretty women. Before the internet, if you wanted to use a pretty woman, you had to get a real woman in real physical proximity to the man, and you had to run a real risk of her being caught. Now you can just disappear into cyberspace.’
Less sophisticated virtual honey traps have also paid off.
In 2015, hackers posing as beautiful females stole a trove of detailed battle-plans from rebel groups fighting the Syrian government, according to the U.S.-based cyber-security firm FireEye.
The company found hackers had created fake Skype accounts with profile photos of attractive women to target opposition groups.
The hackers contacted their victims, flirted with them and asked to share photos. When the hacker’s photo arrived, it concealed a spy program.
The internet appears to offer a new level of persuasion to honey-trappers. Studies show that when we share personal details with strangers over the internet, our brains quickly become addled into thinking we have built a real intimacy and trust with them.
Professor Monica Whitty, a cyber-psychologist at the University of Warwick, says it can be easier to fall in love with a stranger over the internet than with someone you meet in real life.
The techniques used in honey-trapping men for cash bear close similarities to those used by spies who trawl for secrets.
Professor Whitty, who is the author of Cyberspace Romance: The Psychology Of Online Relationships, and has studied online dating fraud, says: ‘When you are communicating with someone online morning, noon and night, and disclosing precious information about yourself, it’s hard to think that this is not real.’
Even people who accept they have been conned by criminals still say they crave the relationship. Some even try to go back to it, says Prof Whitty: ‘If a criminal is saying everything about you is wonderful, it’s very hard to detach from that grooming process.’
As, no doubt, the victims of Mia Ash will know.