(In)Secure digest: if there was the “Darwin Award” in information security sphere – 2023 edition - SearchInform

05.04.2023

At the beginning of April we traditionally gather funny, ridiculous and silly incidents from the information security sphere. This time we asked our expert, Sergio Bertoni, Leading Analyst at SearchInform, to share his own list of top incidents.
This is not an exhaustive list of remarkable infosec incidents, however; you may refer to the New Year digest post to find a few more.

Fins up
Situation: aquarium fish leaked their owner’s credit card details while the man was out.
Case study: a Japanese streamer decided to check whether his aquarium fish could play games by themselves. He placed a webcam in front of the aquarium and installed software which tracked the fish’s movements. Using motion detection, the program mapped the position of a fish over a grid of squares, each corresponding to a button on a controller. When a fish stopped on a specific cell, the program counted it as a button press and sent it to the console. In this way the man’s pets finished Pokemon Sapphire in 3,195 hours.
This time, however, the experiment went wrong. The leak happened while the owner of these aquarium “cybercriminals” was out. At first everything went as usual: the fish won a few battles, but then a glitch occurred. As the man wasn’t there at that moment, he couldn’t do anything about it. The software, however, kept registering the fish’s commands. The pets opened the Nintendo Switch eShop and added $4 to their owner’s account. What’s more, they downloaded a new avatar and changed the account name from «Mutekimaru» to «ROWAWAWAWA¥». And, last but not least, during the incident the fish exposed their owner’s credit card details to everyone watching the stream, which, obviously, is the part that really went wrong.

Sergio Bertoni: «The news reminded me of the kind of situation where parents give their kid a smartphone with a credit card added to it. Then they are surprised why money is lost on payment for some game or why some data is deleted.
If a user provides third parties with access to his/her devices and data, it is important to understand that even fish can “hack” the user. This particular incident reminds us of the importance of striking a balance between comfort and security. Indisputably, it’s very comfortable when all the data is gathered in a single place or kept on a single device which is always accessible. However, such comfort may cause very serious problems and affect a user badly»

I’ll do what I can
Situation: an Apple Watch accidentally called police officers, an ambulance and rescuers to a gym.
Case study: the incident happened in a gym in Sydney, Australia. Jamie Alleyne, a martial arts instructor, made an emergency call without knowing it. It turned out that during training Jamie accidentally held down a button on his Apple Watch and activated Siri. The instructor then took the watch off so it wouldn’t bother him while practicing punches. During the training the voice assistant picked up the instructor hitting the punching bag. The smart watch registered that the instructor had called the emergency number and connected him to the dispatcher. The dispatcher heard noise, punches and shooting, and decided that the alleged intruder was armed with firearms. As a result, the dispatcher sent 15 police officers and an ambulance to the gym. After the incident, the martial arts instructor decided to give up using the voice assistant on his watch.
Sergio Bertoni: «Such incidents are interesting in terms of further AI development trends: will it be capable of distinguishing legitimate actions from illicit ones in future or not. I, personally, believe that there is a singularity point, and this is especially true when it comes to information security, when it’s impossible to distinguish illicit actions from legitimate ones. For instance, it isn’t always possible to distinguish a pentester from a cracker»

Magic wallet
Situation: fraudsters stole $4,000,000 in cryptocurrency during an in-person meeting with their victim.
Case study: Ahad Shams, co-founder of the Webaverse startup, was robbed. He said that the intruders had impersonated investors who were ready to invest in the project. Initially, the “investors’” lawyer got in touch with Shams, and it should be noted that a real organization was mentioned in the email. Then the lawyer sent Shams information about his client, which turned out to be fake. However, Shams didn’t recognize the fraud and agreed to meet the “investor” in Rome. The robber asked Shams to confirm that he had enough money for the project, and the so-called investor was satisfied with the fact that there was an existing crypto wallet.
During the meeting in Rome the intruder asked Shams to transfer $4,000,000 to the crypto wallet. Ahad Shams made the transaction and let the alleged investor take photos confirming that the transaction was completed. At the same time Shams claimed that the photos didn’t contain any specific payment details. Nevertheless, the money was somehow stolen. Shams notified law enforcement about the incident; the investigation is currently in progress.
Sergio Bertoni: «Taking into consideration all the peculiarities reported, it’s absolutely unclear how such an incident could have happened. Only some fantastic theories come to mind»

Hollywood passions
Situation: a fraudster impersonated Mark Ruffalo, tricked a Japanese artist and managed to illicitly gain $500,000.
Case study: veteran manga artist Chikae Ide said that a user impersonating the famous Hollywood actor, well known for his role as the Hulk, once added her as a friend on social networks. They stayed in contact for a few years. During this time the artist even had video calls with “Mark”. However, it turned out that the fraudster had used deepfake technology to enhance his credibility. What’s more, the Japanese artist and the fake Hollywood actor nearly got “unofficially married”. Then the intruder made the woman transfer large sums to him. The artist had to go into debt to financially help the impersonator. All in all, the woman transferred $500,000 to the intruder.
Sergio Bertoni: «There are plenty of cases of successful deepfake usage reported globally. For instance, a similar case happened with a Japanese woman who transferred about $30,000 to a fraudster. The victim of social engineering thought that she was corresponding with a “Russian astronaut”. The intruder promised to come to Japan and marry the woman. The so-called astronaut said that he needed money to return to Earth. That’s why he asked the gullible lady to cover his expenses for returning home, including the rocket flight.
Sometimes intruders complement social engineering techniques with deepfake technologies, as was the case with the fake Mark Ruffalo. There was already a case when a Lloyds Bank customer managed to access his account using AI. The user was able to trick the voice ID into logging him into the account by generating his own voice.
At the same time, the technology is becoming the norm and some companies already offer their clients communication with the help of their avatars. For instance, some Ernst & Young partners decided to use deepfakes to communicate with clients online»

We won’t protect your data
Situation: Chinese messengers misled their users by assuring them that their data was appropriately protected. Cybersecurity researchers found the data of a few million users exposed.
Case study: the developers of JusTalk and JusTalk Kids, applications popular in Asia, claimed that they used end-to-end encryption. The developers also assured users that their own team members couldn’t access users’ data. Overall, approximately 21 million users downloaded these “reliable” applications. TechCrunch researchers decided to check whether the applications were really as trustworthy as their developers claimed. The experts revealed that, in fact, the applications don’t implement end-to-end encryption. What’s more, the cache the experts obtained contained a few million JusTalk users’ messages. The experts also managed to obtain recordings of video calls, senders’ and recipients’ phone numbers, as well as the dates when messages were sent.
Sergio Bertoni: «A similar incident happened with Whisper, the service for anonymous message exchange. Cyber experts then detected that someone had exposed the database containing users’ data. In fact, anyone could access it. The Ashley Madison dating website users’ data leak case also comes to mind. The company which owns the website was hacked then. The hackers said that the company had lied to users, earning millions of dollars.
So, as they say, trust, but verify. Even a secure service for anonymous communication can lie to you about its security and anonymity, and finally it will end up in a leak. If the user really cares about security, it is necessary to spend time and figure out whether the service or application is as secure as the developers claim it is»

What if no one notices
Situation: a former HP employee spent $5,000,000 of company money on jewelry, watches and cars.
Case study: Shelbee Szeto was an executive assistant and finance planning manager. She was in charge of payments to company suppliers via corporate credit cards. As it was revealed, the adventurous employee opened a few accounts with payment systems and transferred money to those accounts, disguising the transactions as payments to suppliers for various goods. To make sure no suspicions arose, Shelbee uploaded fake invoices to the HP system.
Overall, the woman made a number of such transactions, and the total amount stolen was $4.8 million. She also tried to transfer $330,000 from an account; however, bank employees flagged this operation as suspicious.
The woman spent the stolen money on expensive goods: Tesla and Porsche cars; bags by Chanel, Dior, Gucci and Hermes; Rolex, Patek Philippe and Audemars Piguet watches; jewelry by Cartier, Tiffany, Gucci, Bulgari, Louis Vuitton and Christian Dior.
Sergio Bertoni: «The incident is striking in its simplicity and the naivety of the perpetrator. The employee immediately bought expensive things for herself, but didn’t think about the fact that the deception could be revealed. She didn’t think she could attract the attention of the IRS as well»

Don’t be mad at me
Situation: a cracker demanded $1 million from mobile operator Optus for stolen data, then changed his mind and publicly apologized.
Case study: last September, an Australian cracker calling himself optusdata posted a message on a forum claiming that he had obtained data on 10 million Optus customers. The leak contained the following customer data:
• Addresses
• Passport numbers
• Driver’s license numbers
• Medical insurance details, etc.

The leaked dataset also contained email addresses of employees of the Ministry of Defence and the office of the Prime Minister of Australia. The cracker promised to publish 10,000 records each day unless Optus paid him $1 million in cryptocurrency. But a day later, the attacker deleted the post about the leak and published a new one in which he apologized and promised to delete all the stolen data.
Sergio Bertoni: «It is important to understand that even if a particular incident ended successfully, this is not a reason to relax and not work on the mistakes. Cybercriminals often break promises. For example, during the pandemic, cracker groups declared that they would not attack hospitals or interfere with their work, but then they “forgot” their words and attacked medical organizations»