Introduction
You’ve heard about it since you first started using the internet: Cybersafety must be practiced at all times when you’re online. Hopefully, you undergo regular security awareness training if you work at a computer to stay up-to-date on modern cyberattacks and the best way to combat threats. Maybe you’ve even completed phishing trainings sent by upper management.
Have you ever actually encountered a cyber-threat in real life, though? It doesn’t always go as well as the perfect scenarios you may have studied. Here are 3 examples of real cybercrimes and how they played out for people who probably thought that they, too, would recognize and avoid a cyber-threat when it came knocking.
#1 Ransomware
2022 was a landmark year for cybercrime, as Costa Rica became the first-ever country to declare a national emergency because of a cyberattack on its government. In April, a group called Conti demanded a $20M ransom from the country after gaining illegal access to a system inside the Ministry of Finance through a compromised VPN. Conti successfully installed malware on that computer, which grabbed the remote connection credentials the group needed to hold data for ransom.
Refusing to pay the fee, Costa Rica instead declared a national emergency on May 8. Many parts of the government remained offline until June, when the ransomware group closed down their operations on their own. This is a perfect example of when multi-factor authentication would have been an asset!
#2 Business Email Compromise
BEC scams are a kind of phishing in which the attacker either hacks a company account or spoofs a domain that looks similar enough to the real one that they hope you won’t notice. This adds credence to the hacker’s plea for money, information or whatever else they’re seeking to take. When you see that your CEO made the request for your bank account statements and home address, you’re much more likely to comply.
From 2013 to 2015, Facebook and Google were targeted for a whopping $121M in fraudulent invoices. The BEC scam was pretty simple: Evaldas Rimasauskas, a Lithuanian cybercriminal, got together some associates and set up a company in Latvia under the name Quanta Computer, which is also a very real Taiwanese computer manufacturer that does legitimate business with both Facebook and Google. Then the scammers simply sent out phishing emails to employees at both target companies. The invoices looked like they came from legitimate partners, but instead came with instructions to deposit the funds into Rimasauskas’s bank accounts.
To convince them of the invoice’s legitimacy, they even sent fake lawyer contracts and messages. Ultimately, however, Rimasauskas was discovered. He was found guilty and sentenced to five years in 2019. This is just ONE example of how a relatively straightforward scam stole from two powerful companies for years.
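The pattern in this case, a believable sender combined with new payment instructions, can be checked before an invoice is paid. The following Python is an added example, not part of the original article; the vendor record, domains and account identifiers are constructed, and `review_invoice` is a hypothetical helper.

```python
import unicodedata

# Constructed vendor master record (illustrative values, not real data).
VENDOR_MASTER = {
    "Quanta Computer": {"domains": {"quantacomputer.example"},
                        "accounts": {"ACCT-TW-0001"}},
}

# A few common look-alike substitutions; deliberately not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Fold a domain to a comparison form so visually similar names collide."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    return d.translate(CONFUSABLES).replace("rn", "m").replace("-", "")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_invoice(sender, vendor, account, master=VENDOR_MASTER):
    """Return the reasons an invoice e-mail needs out-of-band verification."""
    record = master.get(vendor)
    if record is None:
        return ["unknown-vendor"]
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain not in record["domains"]:
        # Near match to a known vendor domain suggests impersonation.
        near = any(skeleton(domain) == skeleton(known)
                   or edit_distance(domain, known) <= 2
                   for known in record["domains"])
        flags.append("lookalike-domain" if near else "unregistered-domain")
    if account not in record["accounts"]:
        # New payment details are the step that actually moves the money.
        flags.append("bank-account-change")
    return flags
```

Any non-empty result means the payment should be confirmed with the vendor through a contact already on file, not through details supplied in the e-mail itself.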
#3 Dark Web
Sometimes cybercriminals steal your login credentials, not to use themselves, but to sell to others on the Dark Web who can then perform whatever malicious attack they feel like carrying out.
700M LinkedIn users experienced the fear of knowing their personally identifying information (PII) ended up for illegal sale in June 2021. Cybercriminals acquired email addresses, full names, phone numbers, locations, login credentials and connected online accounts of over 90% of the user base at the time. They illegally scraped data using LinkedIn’s own API tool and posted the information to the Dark Web.
In this situation, it’s not as though LinkedIn could erase the stolen data off the Internet. As the saying goes: once it’s online, it’s out there forever. It does, however, highlight the necessity of truly understanding the tech you use, so as to close zero-day vulnerabilities before they are exploited, and of performing security updates ASAP.
Conclusion
For your safety, the less you tell about yourself online, the better. In the unfortunate event that you do run into trouble, hopefully you have two-factor authentication set up already and have been performing regular backups too.
Automate as many processes as you can so that you can focus on the elements of cybersafety that require a human touch, like recognizing convincing phishing messages and using multi-factor authentication. If you see something suspicious, slow down, remember your security awareness training, and use common sense to quarantine the attacker and protect your accounts!