The Darwin Awards in Information Security World

09.09.2020


This digest was put together so that readers can look for familiar cases among these stories or use them as case studies. Some of them do steal the show. We have collected the most gripping fraudulent schemes and the oversights most fascinating in their simplicity to make up our own Darwin Awards of the cybersecurity world.

1. Nominated for Hospitality

This story took place in 2014, when a charming old woman named Rita Strand came to one of the prisons in South Dakota, USA. Introducing herself as a medical inspector, she told the staff that she was there to conduct a surprise health inspection and to check the conditions in which prisoners were held and compliance with sanitary and hygiene standards in the office premises.

The prison personnel greeted the woman cordially and led her to every office to which she demanded access. Surprisingly, security did not show the slightest concern, which already raises some questions: a stranger was let into the prison’s network operations center and even the server room for “just a little mold check”. Moreover, she was allowed to keep her phone and take photographs, and she was often left unsupervised.

As a result, the so-called health inspector Rita Strand freely collected information about the entire infrastructure of the prison: access points, PCs, physical security measures. Then she compromised every computer she came across by plugging in USB Rubber Duckies, malicious USB sticks designed to intercept data. Once again: an old lady with no IT hacking experience managed to do it alone with the help of a fake badge, a business card and the right patter. She even planted her Rubber Ducky in the prison director’s PC. It all took her just 45 minutes.

The juiciest part of the story is that Rita Strand had no hacker skills. She had devoted her life to the food service industry. As the mother of a penetration tester, she volunteered to hack the security system of the prison. In fact, it was her son, John Strand, who was to arrange a pentest for the institution. It was he who had provided her with the USB Duckies and all the instructions, but he hadn’t expected it to be that easy. He shared the story at a conference six years later, without revealing the name and location of the prison.

We have to assume the jailers are still embarrassed.

2. Nominated for Avid Stepping on the Same Rake

Here we can tell one more urban legend as old as time: an Elastic or MongoDB instance with no password, or in fact any other database holding sensitive data left open to public access. This is indeed one of the most common channels for data leaks. Thus, in 2018, 540 million Facebook accounts were hacked (this happened because Facebook relied on analysts from Cultura Colectiva, and the contractor did not show the slightest concern for protecting the server). Similarly, in 2016, information about 80% of Americans who were to vote was leaked (and this is the private data of 198 million people!).

However, this year, the award in this very nomination goes to the Whisper app. It was promoted as a super-safe space where users could anonymously share their innermost secrets. And then the developers accidentally disclosed the data of 30 million people. It turned out that Whisper had been storing information on all users since 2012.

The contents of “secret” posts leaked from the unprotected database onto the network. Stories about fears, secret desires, confessions of immoral and criminal acts and intimate secrets were available to anyone interested. But the main thing here is that users’ credentials (nicknames with the email addresses and phone numbers linked to them), their age, nationality, and the location from which they last logged in were publicly available. Sometimes it was enough to look at the geodata to establish a specific residential area and workplace. It was revealed that about 1.3 million compromised accounts belonged to teenagers under 15 years old.

3. Nominated for Because I Said So

The story happened in Kazakhstan. At the beginning of the year CARKA (Center for analysis and investigation of cyber attacks), an information security company, reported finding a major data leak from the information system of the Prosecutor General’s office. The personal data of all citizens and some foreigners who had ever had any type of criminal record was at Internet users’ disposal: all their fines, warnings, residential addresses, photos of violators, their vehicle license and car registration numbers. As if that were not enough, anyone could edit, delete and add new cases. And since the information system is integrated with all e-government services, the internal data of any state institution could be compromised.

The CARKA researchers attempted to reach out to the people in charge several times, but did not get a response. Even after the public disclosure of the vulnerability, the Prosecutor’s office kept insisting that the sensitive data was not in the public domain. Pig-headed indeed.

4. Nominated for Information Flasher

A bank employee in North Carolina, USA, stole more than $88K from customers’ cash deposits out of the bank vault. The man withdrew funds from deposits and forged documents to cover his tracks. He managed to pull off the fraudulent scheme at least 18 times, which drastically changed his financial situation. And all was fine until he decided to share his success on Facebook and Instagram.

He regularly posted photos with large stacks of cash, expensive alcohol, jewelry and cars, which drew public attention. One day the police appeared among the interested users.

Finally, the man was charged with financial institution fraud and got 19 charges for theft, embezzlement, and misapplication, along with 12 charges for making false entries, which carried a maximum penalty of 30 years and a $1 million fine. Ironically, his numerous Facebook and Instagram photos were the main evidence. For example, his posts from September showed him posing with a brand-new Mercedes-Benz in Hollywood, California. It was revealed that he used the stolen money to make a $20,000 down payment on this Mercedes. He was arrested about three months later, on December 4.

A similar story took place in Colombia. The head of the internal service for the control of marine cargo, Omar Ambuila, earned a modest monthly salary of $3,000. Meanwhile, his beloved daughter lived a lavish lifestyle in Miami that included frequent trips to designer stores, luxury vacations in Europe and jaunts around town in a red Lamborghini. She regularly shared photos of her extravagant lifestyle on Instagram and Facebook.

Her spending was so excessive that investigators started to pay attention. Looking closely into her social media profiles, they began to investigate some of Ambuila’s purchases. The girl claimed she financed her luxury purchases by developing businesses that included an ice cream shop and a forex trading service. However, it was not true.

Ambuila’s penchant for showing off her lifestyle led to her family’s troubles. Investigators used her photos and posts to build a case against her entire family for corruption and money laundering.

It was found that her father, Omar Ambuila, had received at least $600,000 in bribes since 2012 in overseas payments traced by investigators, and he could have received much more.

The daughter has been charged with money laundering. Her father and her mother are in prison on additional charges of aiding smugglers and corruption.

As media influencers say, “Thanks for watching, please hit the like button, and goodbye.”

5. Nominated for Being Pizza-Blind

No one is immune from small mistakes, but for those who run cybercrime operations a minor slip can lead to disastrous outcomes.

David Bukoski, the creator of one of the oldest DDoS services, Quantum Stresser, had been successfully hiding from the authorities since 2012. It is estimated that his attack-for-hire business had more than 80,000 customer subscriptions, and that during 2018 the service was used to conduct approximately 50,000 actual or attempted attacks targeting people and networks worldwide. Even though the site quantumstress[.]net was shut down in 2018 as part of a coordinated takedown, law enforcement officers were still interested in establishing the identity of the Quantum Stresser owner.

It was a long game of hide-and-seek, which made David believe he was off the radar… until a pizza man knocked on his door. At the beginning of 2020 David Bukoski got hungry and settled on a bacon and chicken pizza to be delivered to his place. Inadvertently, he gave the same email address he had originally used to register his criminal attack service.

Previously, the address had been blacklisted by several services that David used to advertise Quantum Stresser; the address was also used to accept payments from customers. The pizza order helped the police find out the hacker’s real name and exact address. However delicious the pizza was, the price for it was remarkably high: it earned Bukoski 5 years of probation.

As they say, the darkest place is under the candlestick, and he who sups with the devil should have a long spoon.

6. Nominated for Best Selling Attempt

There are people who believe that it is perfectly fine to beat a person up and then offer a bodyguard service. It sounds wild; nevertheless, such characters still exist in the virtual world.

For example, the Ministry of Internal Affairs of Russia recently detained an unfortunate “pentester”. The investigation revealed that the man had carried out a DDoS attack on the online store of the largest enterprise in the region. The detainee confessed to deliberately loading the site in order to test its stability. The ultimate purpose of it all was to offer his services in protecting against DDoS attacks.

There are enough stories to laugh at. For example, you can recall a recent incident that occurred in Germany, when somebody sold on eBay a laptop with top-secret instructions for destroying the state missile defense system, or you could be slightly surprised to discover that over the past 4 years the Ministry of Defence of the United Kingdom lost almost 800 laptops with military secrets.

7. Honorable Mention “Hats off to Tinder Addicts”

The heroes of this story were several dozen soldiers of the Israeli army. All of them made pleasant acquaintances on the Internet, and then found out that they were leaking state secrets.

The incident became public this February. Reports state that, from the end of 2019, girls had been actively writing to soldiers on social networks and dating sites. From the very start of the chit-chat they were ready to share juicy photos, with only one reservation: to avoid a leak onto the network they wanted to use a specially protected app, which they kindly shared via a link.

Those who were talked into it reported that their smartphones started behaving strangely. Data transmission was activated, outgoing traffic grew, and the camera and voice recorder turned on automatically. It soon became clear that the “secret chat” with photos was malware for remote phone control, and the “girls” were none other than Hamas hackers. For several months, they had access to sensitive information including the location of the affected devices, photos, and phone contacts.

Representatives of the Israeli army claim that they discovered the fraudulent scheme almost immediately, but held off reacting in order to monitor the situation. They keep insisting no valuable data was leaked to the Palestinian militants, since all military personnel had been warned about the danger in advance.

Are there any other breathtaking cases which could expand the list of nominations?

