(In) Secure digest: the hit parade of the most comical infosecurity incidents - SearchInform

07.04.2021


We collected the most comical infosecurity incidents to laugh at and learn from. Enjoy, but tread carefully!

 

Who Wants to Be a Millionaire

A Bollywood drama took place in India. The honest father of a family faced blackmail: he was contacted by a mysterious hacker who threatened to expose his vices to friends, colleagues, and family. The attacker hacked the victim's email and changed the password and the linked phone number. For keeping the secrets and returning access to the mailbox, he demanded 10 million rupees, which is 137,000 USD.

The man was seriously frightened (was there really something to hide?) and asked the police for help. Tracing the IP address from which the attacker had sent the threats, detectives arrived at the victim's home. The digital thread led them to the children's room, where they found the merciless... 11-year-old son of the victim.

The novice hacker confessed to everything. It turned out that he had picked up the idea of how to quickly become a millionaire on YouTube.

 

Secret Messages

This incident is fresh: on March 28, a strange tweet was posted by U.S. Strategic Command (USSTRATCOM). The tweet consisted of a set of letters and symbols: ;l;;gmlxzssaw.

The tweet blew up the Internet and within a couple of hours gained thousands of replies, likes and reposts. Users joked that this was a secret code for launching nuclear missiles. Then they decided that the account had been hacked, or at least that the SMM specialist's cat had run across the keyboard. There were also conspiracy theorists who interpreted the tweet as a secret message from QAnon – a mythical employee of the US government, who sometimes allegedly shares insider information. The account was not updated for several hours, which aggravated the situation.

 

Finally, the tweet was deleted. USSTRATCOM issued an apology in a follow-up tweet and asked users to “disregard” the previous post. But the damage was done – without an explanation, the number of jokes and theories snowballed. Mikael Thalen, a journalist at The Daily Dot, managed to get to the truth.

At his request, USSTRATCOM’s FOIA officer stated that the tweet had been made when the agency’s Twitter manager momentarily left his computer unattended. As the witty commentators noted, "for a few moments, the official communication channel of the strongest army in the world was controlled by a very young child."

Remember: to avoid accidents, lock your device no matter how quickly you plan to return.

 

Excessive Generosity

A hacker group has been attacking companies around the world since August 2020. The scheme was elegant and simple. The victims received an email: in the subject – their name or company name, in the attachment – an HTML document that opened in the browser as a Microsoft Office 365 authorization page. Having opened the attachment, the victims saw a window saying, "This document is password protected. Please enter your password." Suspecting nothing, the users entered their password – after all, their email address was already in the "Username" field of the authorization form.

As a result, the hackers managed to collect at least 1 thousand passwords in six months.

Stolen passwords, coupled with addresses, became fuel for the next attacks – to make the mailings more credible, the phishers used compromised mailboxes of real companies.


 

The scheme was elegant, simple, and efficient. However, not all that glitters is gold: the cybercriminals forgot to protect their catch. They registered special domains to store the data, but the file with the stolen passwords was publicly available, and the entire database appeared in Google search results. The fraudulent chain was discovered by researchers from Check Point and Otorio.
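A mail-filter check for the lure described above, as an added example that is not part of the original article or of the researchers' tooling: it flags an HTML attachment that contains a password field together with a form field already filled with the recipient's own address. The function names, the sample message and the file name document.html are assumptions made for the illustration.

```python
from email.message import EmailMessage
from email.utils import getaddresses
from html.parser import HTMLParser

class FormScan(HTMLParser):
    """Collects the two signals of the lure: a password field and prefilled values."""

    def __init__(self):
        super().__init__()
        self.has_password_input = False
        self.prefilled = set()

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").lower() == "password":
            self.has_password_input = True
        elif a.get("value"):
            self.prefilled.add(a["value"].strip().lower())

def suspicious_html_attachments(msg):
    """Names of HTML attachments that ask for a password and already
    carry one of the message's own recipients in a form field."""
    recipients = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []))}
    hits = []
    for part in msg.iter_attachments():
        if part.get_content_type() != "text/html":
            continue
        scan = FormScan()
        scan.feed(part.get_content())
        if scan.has_password_input and recipients & scan.prefilled:
            hits.append(part.get_filename())
    return hits

# Constructed sample (hypothetical address and file name), not taken from the campaign.
SAMPLE_HTML = (
    "<form><p>This document is password protected. Please enter your password.</p>"
    '<input type="email" name="user" value="alice@example.com">'
    '<input type="password" name="pass"></form>'
)

def build_sample(html=SAMPLE_HTML, to="Alice <alice@example.com>"):
    msg = EmailMessage()
    msg["To"] = to
    msg.set_content("Please see the attached document.")
    msg.add_attachment(html, subtype="html", filename="document.html")
    return msg
```

An HTML attachment without a password field, or one whose prefilled value does not match any recipient, is not flagged.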


It’s a VSOP, Man!

Could a lady become the heroine of adult films if she is already over 70? For a scammer from Chelyabinsk the answer was "Why not?". So he decided to threaten a local pensioner that he would post her intimate photos on the Internet. Although the woman had never taken nudes, the fraudster claimed that he had captured them himself while watching her through a webcam.

For not publishing them, the aspiring porn producer demanded $650 from the woman, and strictly in bitcoins. The outraged woman asked for help, so now it is law enforcement officers with whom the fraudster will discuss the amount of his remuneration.

 

The Golden Key 

A key worth 50,000€ fell into the hands of a Brandenburg prison intern.

That is, the key itself does not cost that much, but it was the price the new intern paid for posing for a selfie with a special key that locks all the cells and the passage doors of the prison. The trainee inadvertently shared the picture with his friends on WhatsApp to brag about his new job. The friends were not as impressed as the jailers, who had to urgently remove the old locks, destroy them and replace them with 600 new ones.

It took 20 staff members to install the new security setup in the prison, all at the expense of the hapless intern. The intern who tried to show off his new job in fact lost it, and more than that: now he has to pay another 50,000€ fine. The intern's thoughtlessness could have resulted in a mass prison break, as anyone could easily have made replicas of the key from the leaked image.

(We have another question: is a universal key in prison a good idea?)
 

Check Out Your Fingerprints!

The British police also suffered losses. Due to a technical problem, the agency lost 150 thousand records from the arrests database. The files contained criminal records, fingerprints, and DNA. Potentially, the incident could give freedom to hundreds of criminals, since there is no biometric evidence. In addition, the work of National Visa Centers was suspended for two days: applications were delayed because the connection with the police database was lost.

The authorities claim that nothing serious has happened and that they lost only the records of detainees who were released without charge. However, the incident is being investigated at the government level.

According to the leading theories, the "technical problem" has a human face. The mistake could have been made either by a developer or by a specialist who worked with the database. Because of faulty code, data was deleted instead of being saved to the backup.

 

Button Theft

One more story about carelessness (and the button). Last April, streamer twomad reached a million subscribers on his YouTube channel and received an award – the YouTube Play Button. He launched an "unpacking" live stream: in front of the subscribers, he opened a letter from YouTube, which contained a one-time code to receive the prize.

That was the moment when popularity played a cruel joke on the blogger. He tried to enter the code, and it turned out that it did not work. Someone out of a million subscribers had seen the code on the stream, managed to use it first, and ended up getting hold of the YouTube Gold Play Button. twomad was totally freaked out by the theft. As far as we know, he never got the button back, and he is still being trolled by the subscribers.

(link to the tweet: https://twitter.com/AltCriminals/status/1247439923784724485?s=20 ) 

 

//condition = true 

In this case the customer is not at fault: it is just a relentless AI. Having installed the latest update, American actress Rachel True could not log in to her iCloud account. The problem dragged on for six months and, it seems, has not been solved yet: the subscription fee continues to be debited, access is closed, and switching to a free plan can result in the loss of important data.

Rachel spent hours communicating with Apple tech support. It turned out that the error occurs because the cloud software algorithms perceive her last name as an attribute of the code: the command "true". Artificial intelligence remains adamant. Even technical support could not help, other than by advising her to change her name.

Is it safe? No, it's better than safe. It's death-proof. 


 

Keep Calm and Sing!

Police from California deserve our special prize "For ingenuity". They protected their personal data, namely images and videos, from getting onto the Internet – they really did not want to become bloggers.

Police officers try not to get caught on camera, so that their words "are not taken out of context and misinterpreted." A few officers from Beverly Hills are already used to going out on patrol with a playlist, so whenever someone starts filming them, they turn the music on loudly. The idea is that Instagram, YouTube, and other services remove content if it contains copyrighted works. So shooting provocative videos becomes impossible.

However, the creative law enforcement officers still get into the media: now journalists discuss their musical tastes. They say these are ever-changing – first it was the Beatles' ballads (they turned on the imperishable Yesterday when an activist tried to conduct a live interview on Instagram), then it continued with the joyful ska-punk of Sublime. They also have a suitable song with the line "I don't want to start this conversation."

