Hackers are seen as stubborn, passionate, clever, adaptable, furtive and merciless: no catastrophe is deterrent enough not to benefit from it in an unfair, technological way – as the corona crisis clearly shows.
The hacker attacks can be extremely complex and sophisticated – but most cybercriminals also like to rely on the path of least resistance and rely primarily on phishing, inadequate password security, unpatched systems and social engineering to achieve their goals. But there are also cases of compromises that are anything but conventional, as the following examples show.
In 2017, security provider Darktrace caused waves of disbelief: the company uncovered a hack in which the criminals used an Internet-connected aquarium to make a US casino easier to retrieve its data. The aquarium was equipped with IoT sensors and connected to a computer that could be used to control the water temperature and quality.
The aquarium served as a gateway for the attackers: after they were “inside”, they found further security gaps and could move laterally through the network. The tapped data was sent to a device abroad.
Most business users now have phishing emails on their screens – the situation is different when the boss reports directly by phone. In such a case, very few people assume that they may be the victim of a voice phishing (vishing) attack.
The first known AI-based vishing attack occurred in England in 2019: the attackers used commercial AI language software to imitate the voice of the German boss of a British energy provider. Using the software, they called the company’s English CEO and convinced him to transfer $ 243,000 to a supplier in Hungary. Thanks to the slight German accent and the imitator’s typical language patterns, the CEO was not suspicious – until the criminal hackers became too greedy and wanted to use the same scheme a second time, which finally got the whole thing going.
The law enforcement agencies were still unable to identify the cybercriminals or get the money back. It could be the beginning of a creepy era of AI-based deepfake attacks.
When it comes to loot, cybercriminals generally only count for cash or cryptocurrency. In 2019, the authorities in France got hold of a gang of five people who had tapped a total of almost 120,000 liters of petrol from petrol stations around Paris. The criminals gained access via a special device with which they could hack the petrol pumps of a certain manufacturer. The hack was made possible by the fact that the petrol station employees did not change the standard password of the pumps – the code “0000” was no longer a great challenge for the attackers. As a result, the criminal hackers were able to reduce gasoline prices and any limits for filling quantities override.
The gang relied on the division of labor in their machinations: one hacker activated the pump remotely, while the others only had to drive up to the corresponding petrol pump with a large van (including an extra tank in the rear) and free up to 2,800 liters of fuel in one “operation” tap. The cyber gang then sold the captured fuel at bargain prices via social media – and even placed advertisements for it. The police believe the gang has “earned” about $ 170,000 this way.
Weak login data is an overarching security problem. This can be seen again and again when electronically controlled street signs and traffic signs are hacked.
In Auburn Hills, Michigan, USA, two unknown perpetrators seized a giant street display at night with the aim of transforming the underlying highway into a hardcore porn cinema. According to the police, the two hackers only needed 15 minutes for the entire operation – so the password should not have been particularly difficult to guess in this case either.
A 24-year-old IT specialist in Jakarta, Indonesia, stiffened to a similar, albeit much more spontaneous, porn craze. While bored in the rush hour traffic jam, he recognized login information on a scoreboard for a brief moment. Of course, he hacked the huge display immediately and streamed pornographic content of an explicit nature on the expansive screen. Since Indonesia is a conservative, Muslim country, the campaign met with very little love from the authorities: the IT professional who is obsessed with coitus can expect to be sentenced to six years in prison.
The reality show “Die Höhle der Löwen” has also been successful on German TV for years. Barbara Corcoran is an entrepreneur and a member of the jury for the US original “Shark Tank” and was recently the victim of an email fraud in which she had to cope with the loss of just under $ 400,000.
A cybercriminal pretended to be Corcoran’s assistant and sent an email with a fake invoice to Corcoran’s company’s accounting department, who overlooked the fact that the email address was incorrect. Therefore, questions about the transfer to a German bank account also ended up directly with the criminals – who of course approved the process. Only after the accounting department inquired via email (to the correct address) whether the transfer had arrived, did everything blow up.
The person in charge in the finance department was allowed to keep his job, although the almost 400,000 dollars initially seemed lost. However, the amount has since been recovered. For Corcoran, it was probably just “peanuts” anyway: “I lost $ 388,700 through a fake email campaign. At first I was annoyed, but then I realized that it was just money,” the bouncer said An entrepreneur when she thought she could write off the money.
Criminal hackers can act incredibly clever. Sometimes, however, it works less well, as the example of Keith Cosbey shows. He was CFO of Choicelunch – a company that provides meals to various schools in California.
The CFO apparently entered the network of its main competitor LunchMaster and gained access to students’ personal data. He then anonymously sent the captured data to the California Department of Education – with the hint that LunchMaster obviously doesn’t take data protection very seriously.
Ultimately, the hacking CFO was doomed to the following FBI investigation, in the course of which the events could be uncovered. Cosbey has been arrested and will probably be able to deal with ready meals for the next few years, but at a completely different level.
March 12, 2019 was a quiet night in DeSoto and Lancaster, suburbs of Dallas, Texas. Until suddenly at half past two the tornado warning sirens started and turned the night into a noise inferno for an hour and a half. Without a real tornado ever.
Since the area in Texas is also known as “Tornado Alley” and the period between March and May is the high season for cyclones, many residents understandably panicked. After the incident, the authorities reported that unauthorized persons had accessed the network with malicious intent. A similar incident had already occurred in April 2017, when 156 tornado warning sirens started around Dallas – also in the middle of the night and for no reason. The authorities also attributed this incident to criminal hackers. There is no evidence of the identity of the potential siren serial hackers.
Serious security gaps in home security and baby monitoring devices are nothing new: With techniques such as credential stuffing and driven by lax password security, cybercriminals can use such devices to spy on private individuals or companies.
A hacker who was obviously bored with the sight of a sleeping baby kept shouting “Wake up baby!” into the microphone, which prompted the concerned parents, who were amazed at the voice from the children’s room. When the hacker saw them, he called out numerous profanities to them via the baby monitor. Such and other incidents have meanwhile made IoT-based “jokes” much less common.
This article is based on an article from our US sister publication CSO Online.