Showing posts with label Hacking. Show all posts

Monday, 22 January 2018

5 types of cybercriminals

Technology has evolved. Unfortunately, humanity does not always evolve with it. As soon as the internet was invented, bad people were coming up with bad ways to use it.

Here are five types of cybercriminals:

INDIVIDUALS who are motivated by financial gain, basically your run-of-the-mill thieves with a 21st-century twist. They can get you with phishing or malware scams.

ORGANIZED GROUPS who are motivated by financial gain. These groups are often highly organized, with specialization of roles and responsibilities. They often attack banks or go after intellectual property.

NATION-STATES whose intent ranges from monitoring other countries to interfering in elections to outright cyberattacks. They sometimes go after intellectual property. (Here's looking at you, China.) Some states employ thousands of citizens to conduct such activity.

CYBERTERRORISTS who partake in a sort of digital nihilism, where the only goal is disruption and destruction, often for political reasons. While ISIS immediately comes to mind, cyberterrorism is not limited to jihadists, but can include any group whose aim is to disrupt and destroy, such as eco-terrorists, white supremacists, and homophobes.

HACKTIVISTS are distinguished from cyberterrorists in that their goal is not destruction per se. Hacktivism is the subversive use of computers and computer networks to promote a political or social agenda. The term is confusing, because many self-described hacktivists are do-gooders who seek to advance human rights. While their actions are technically illegal, we'd like to distinguish them from the attention seekers or those with nefarious social goals or the generic "disrupt the status quo" justification. These often call themselves "hacktivists" though they would fall into the cyberterrorist category.

Wednesday, 17 January 2018

The crime of the 21st century

They said it was the perfect crime, except it wasn't. The gang would have gotten away with it were it not for greed, criminal stupidity, and the frigid obstinacy of a Boston winter.

The Great Brink's Robbery occurred on this date in 1950. The heist took two years to plan and was at the time the largest bank robbery in United States history, pulling in $2.775 million USD ($28.2 million USD today). The robbers, who wore uniforms similar to those of Brink's employees and Halloween masks, left but three clues, none of which was helpful in their capture. (DNA evidence was not used in forensics until 1986; otherwise the chauffeur's cap left behind by one of the robbers might have given him up sooner.)

Brink's attempted some prehistoric crowdsourcing in seeking information about the crime, offering $100,000 USD for tips leading to the arrest and conviction of the perpetrators. No internet was needed to receive hundreds of dead ends and conspiracy theories, as any kook with a phone seemed to have a "tip." Police rounded up the usual suspects around Beantown, but it was a long list of hoodlums and hooligans.

Since the robbery had occurred in the dead of winter, the Boston ground was thoroughly frozen. Despite the careful planning of the thieves, it seems they had not considered winter's wrath, as they surely would have buried the cut-up pieces of the getaway truck had the ground been receptive to a shovel. Instead, bags of the cut-up truck meant for interment were discovered by police two months after the heist. Police had learned through interviews that witnesses had seen a green truck outside the bank that day, so the discovery of parts of a truck matching that description proved to be a break in the case. Two of the suspects lived in the neighborhood where the parts were discovered, bringing closer scrutiny upon them.

But it would be years before any arrests could be made; in fact, the gang were arrested a mere five days before the statute of limitations ran out, five days shy of the six-year mark that would have put them in the clear forever.

In the meantime, two of the gang members went to prison for another burglary. Another went to prison for tax evasion. One had to fight deportation. A fifth spent time in prison for parole violations. One died. The robbers had agreed not to touch the money until the statute of limitations had expired, but all of this legal trouble left some of them in need of the loot before then. One kidnapped another for ransom, then was shot and wounded by a hitman. In the end, he was the one who confessed, imagining his associates living life in luxury while he spent his remaining years in prison for another crime. The gang ended up getting eight to ten years in prison, and half of the money was never recovered.

Over the years, many bigger bank heists made the nearly $3 million from Brink's seem like small potatoes. The Guinness Book of World Records lists the robbery of the Banco Central in Fortaleza, Brazil as the largest physical bank heist in history. The thieves made off with about $160 million USD. Some of them have been arrested; most have not. Some ended up dead. Only $20 million USD has been recovered to date.

These days, you need not suffer the physical labor of robbing a bank or risk getting backstabbed, kidnapped, or murdered by your co-conspirators. Now you can rob away from the comfort of your living room all alone. All you need is a decent internet connection, some hacking skills, and a secure place to change the money into something usable and untraceable.

The first online bank robbery happened in 1994, when much of the world had never heard of the internet, the FBI had no cybercrime team, and Nigerian princes had yet to ask you to help them save their funds. A group of criminals on multiple continents, led by a Russian programmer named Vladimir Levin, hacked into Citibank and began to steal money, adding up to more than $10 million USD. (The more things change, the more they stay the same?) He was eventually convicted and sentenced to three years in prison, with all but $400,000 USD recovered.

Today, a major target for virtual bank robbers is SWIFT, the international monetary transfer system. Perhaps the largest of these robberies involved the Bangladesh Bank, when hackers made off with more than $80 million USD. It is thought that at least ten similar, albeit smaller, attacks have hit SWIFT.

Card cloning is another new development in the world of bank robbery. One group took $45 million USD from ATMs in a matter of hours. Hackers can get your card information when you use it online.

Phishing and malware are favorite tools of the nouveau bank robber. You can protect yourself by reciting this mantra: if it's spamming that you think, don't you dare click that link. Or just follow this advice: https://www.welivesecurity.com/2016/09/22/5-simple-ways-can-protect-phishing-attacks/

Global financial institutions suffer tens of thousands of cyberattacks every minute. Hackers would love to get their hands on your financial information - account numbers, your address, the routing number that would allow them to transfer your funds into an account of their choosing... Yet too many of the world's banks don't realize the extent of their cybersecurity problems. One macrocosmic solution to the problem is to introduce regulatory legislation that requires financial institutions to take greater cybersecurity precautions. At the very least, you can ask your bank to do so.

Of course, physical bank robberies still happen. In 2016 in the United States alone, more than 4,000 bank robberies took place. But there's a new twist on the physical robbery - thieves are posing as IT support and installing devices to siphon off cash electronically. What's more, criminals can use DDoS attacks to take CCTV offline long enough for them to pull off a traditional mask-on, hands-up bank robbery. Technology can make our lives easier, even for those of us with criminal proclivities.

One aside: several films were made about the Great Brink's Heist, including 1978's The Brink's Job. In August of that year, 15 unedited reels of the film were stolen at gunpoint by robbers demanding a $1 million USD ransom. The joke was on them, however, as positive prints of the negatives existed elsewhere, and nothing was lost, proving, once again, that crime doesn't pay in the end.



All is not lost. Take steps to protect yourself from virtual bank robbers using VPN encryption. Get it here: https://www.sumrando.com/vpn.aspx.



Wednesday, 6 July 2016

SumTips: 7 Signs You’re at Risk of a Webcam Hack

Facebook's Mark Zuckerberg with tape over his laptop webcam
[Image credit: Facebook]
A recent photo of Mark Zuckerberg revealed something far more noteworthy than Instagram's latest growth milestone: the Facebook founder covers his laptop webcam and microphone with tape—and no one is calling him irrational or paranoid for doing so. In fact, the response to Zuckerberg’s laptop has largely consisted of cybersecurity experts reminding users that the smart thing to do is to take similar precautions. “What’s scariest about it is not who’s doing it but how easy it is to do,” acknowledged the Digital Citizens Alliance’s Adam Benson.

In case you’re wondering if you are at risk of an invasion of privacy via webcam, take note of our 7 warning signs below:

1.    You have a weak wireless password—or none at all. A strong password will keep hackers out of your wireless network. Be sure to avoid insecure public Wi-Fi unless you have the added protection of a VPN.

2.    You turn off your firewall and/or anti-virus protection. Hackers frequently take over webcams with malware sent via malicious email links. Although even the best security solutions are known to let new viruses through, turning them off entirely—even for a moment—will only increase your risk.

3.    You ignore software updates. “The biggest compromises that have happened over the past six to nine months often happened in an un-patched device that had a security vulnerability, and the patches weren’t applied fast enough,” reported Gerhard Eschelbeck, Google’s head of cybersecurity.

4.    You bought or borrowed a computer from an untrustworthy or unknown source. Before you log in at an internet café or boot up the laptop you bought used, know that a previous user could now be spying on you.

5.    You click on attachments in emails addressed to you. Chinese hackers GhostNet took over nearly 1,300 webcams in more than 100 countries by sending out realistic-but-spoofed emails. As soon as users opened their email attachments, a Trojan virus was released and the hackers had complete webcam control.

6.    You spend time in front of your computer. In 2015, a Canadian woman discovered her webcam had been infiltrated when she received photos via Facebook of herself and her boyfriend watching Netflix. Her story is just one of the countless personal events that webcam hackers document when unsuspecting individuals think no one is watching.

7.    You don’t use a SumRando Cybersecurity webcam cover. Zuckerberg used tape, but we have something better: custom-designed SumRando webcam covers for your computer and smartphone. Email us at contact@sumrando.com to receive a complimentary set of 5.

We live in a world in which webcam hacking is a real threat for everyone from Facebook founders to everyday internet users. Take necessary precautions, surf secure and stay Rando!

SumRando Cybersecurity is a Mauritius-based VPN, Web Proxy and Secure Messenger provider. Surf secure and stay Rando!

Friday, 20 September 2013

Vodafone Hacked! Over 2 Million Users Exposed

For a while now, we’ve been pushing the point that we can no longer trust established businesses and institutions to properly safeguard our data. If you doubted us, here’s some more evidence.

News broke last Thursday that a Vodafone server in Germany was hacked and the names, addresses, birth dates and bank account numbers of approximately 2 million customers have been exposed.

According to the latest statement from Vodafone (in German), it appears hackers were unable to access other sensitive details like passwords and credit card numbers, but the information that was exposed should certainly be cause for concern.

As Vodafone explained in their (translated) statement, "It is virtually impossible to use the data to get direct access to the bank accounts of those affected." And that’s true. It is also true, however, that the leaked information could be enough to distribute very convincing, but fraudulent phishing emails and phone calls that encourage customers to hand over key access information like passwords that could ultimately give hackers full access to bank accounts.

The exact timing of the attack has not yet been made public, but the German branch of Vodafone said police have identified a suspect and that it began notifying customers on Thursday that their information may have been compromised.

Sadly, this is the type of attack that is very difficult for the end user to prevent. But it should also act as a reminder that our digital security is constantly exposed to very real and potentially damaging threats. If you aren’t yet taking practical measures to safeguard your personal data, it’s time to start.

You can try SumRando for free here.

Tuesday, 27 August 2013

News Roundup

Facebook Refuses to Pay Bug Bounty

Like many web companies, Facebook offers independent analysts monetary prizes for discovering bugs. But when independent researcher Khalil Shreateh tried to use Facebook’s conventional channels to report a critical security vulnerability that allowed users to post on any other user’s wall (friend, enemy or other), the social network’s white hat disclosure programme failed to acknowledge his findings.

Not one to be ignored, Shreateh used the very exploit he tried to report and posted the information directly to Mark Zuckerberg’s wall.

Unfortunately, Facebook is now refusing to pay Shreateh. According to a post on Y Combinator’s forum, a Facebook representative said, “The more important issue here is with how the bug was demonstrated using the accounts of real people without their permission. Exploiting bugs to impact real users is not acceptable behavior for a white hat.”

Shreateh claims posting the bug on Zuckerberg’s wall was the only way he could prove it existed after being told previously that the bug was not valid.

Researchers Sneak Malicious App into Apple Store

Apple has always kept tight tabs on their app store. Whenever developers want to make a new app available for purchase, it must first receive the O.K. from Apple to make sure its content is neither malicious nor inappropriate. But a team of researchers has developed a work-around and successfully got a malicious app, called Jekyll, approved.

Instead of submitting an app that explicitly contains malicious functionalities to Apple, the attacker plants remotely exploitable vulnerabilities (i.e., backdoor) in a normal app, decomposes the malicious logic into small code gadgets and hides them under the cover of the legitimate functionalities. After the app passes the App Review and lands on the end user's device, the attacker can remotely exploit the planted vulnerabilities and assemble the malicious logic at runtime by chaining the code gadgets together. [usenix]

In other words, the code needed for the malware is hidden in pieces within legitimate code and then reassembled during an update.

An Apple spokesman said the company has addressed the issue, but has yet to provide any details.

Cyberattacks Cause Internet Outages for More People than Hardware Failure

It’s important to remember we live in a world where cyberattacks affect more than just personal computers. According to the European Union Agency for Network and Information Security (ENISA), cyberattacks caused significant communications outages for more people than hardware failure last year.

The report shows that although cyberattacks caused only 6 percent of significant outages in the E.U., they affected about 1.8 million people. Comparatively, while hardware failure accounted for about 38 percent of all incidents, it only affected about 1.4 million people. Read more here.

Tuesday, 6 August 2013

Aw Crap, Toilets are Hackable

Remember when we only had to worry about our computer being hacked? Those were the days. Unfortunately, as technology improves and an ever-increasing number of otherwise mundane devices are outfitted with microchips and wireless connections, we’ve also seen a rise in security vulnerabilities in everything from mobile phones to pacemakers. And now, sadly (or hilariously), even our toilets aren’t safe.

Security company Trustwave issued an advisory last week that LIXIL’s Satis line of smart toilets is vulnerable to hackers with a penchant for pranks. Among the many vital features of the toilets are the capabilities to play music, raise the lid, flush, and operate the bidet with a Bluetooth connection and an Android app. Unfortunately for the unsuspecting toilet enthusiast, LIXIL hard-coded the Bluetooth PIN “0000” into all of their toilets. This means that any ne’er-do-well with a smartphone can download the “My Satis” app and control any Satis toilet.



An attacker could simply download the "My Satis" application and use it to cause the toilet to repeatedly flush, raising the water usage and therefore utility cost to its owner.  Attackers could cause the unit to unexpectedly open/close the lid, activate bidet or air-dry functions, causing discomfort or distress to user. [Trustwave]

Here at SumRando, we’re wondering why anyone would need to remotely access a toilet. Perhaps they just like a fresh bowl?


And while hacking a toilet may be laughable for the security-minded (or anyone), the widespread neglect of basic security precautions in non-traditional wireless devices is a serious issue. Things like computer-controlled power grids, remote-controlled pacemakers, and digital medical records have dramatically improved our quality of life through greater efficiency and accuracy. But as we increase our connectedness, we also open ourselves up to substantial risk. Moving forward, it is essential that we include security and privacy in any discussion relating to technology. Unless we establish and prioritise cybersecurity best practices, we could find our progress flushed down the tubes.

You can try SumRando for free here.

Wednesday, 19 June 2013

Hacking So Scary It Will Stop Your Heart

As if blackhats going after bank accounts and email passwords wasn’t enough, U.S. federal officials warn that a wide array of medical devices are susceptible to potentially life-threatening hacks.

Pacemakers are among the devices vulnerable to hacks

The devices, including heart defibrillators, drug infusion pumps, ventilators, patient monitors, and anesthesia devices, all possess serious password vulnerabilities that open them up for tampering.

According to an advisory issued last week by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the devices have a hard-coded default password that, if used, provides backdoor access to the devices.

The affected devices have hard-coded passwords that can be used to permit privileged access to devices such as passwords that would normally be used only by a service technician. In some devices, this access could allow critical settings or the device firmware to be modified. [ICS-CERT]

For most of the devices like drug pumps and patient monitors, the hacker needs physical access to the device to actually access anything. However, some devices like pacemakers and insulin pumps, since they are actually inside or on the body, can be accessed remotely, which is both very dangerous and super creepy.

Officials have not named the specific devices that are affected, but have said that most devices are affected.

Private Parts is the official blog of SumRando VPN and is basically the coolest thing on the web. You can try SumRando for free here.