One-Third of Companies Would Rather Pay Ransom Than Invest in Cybersecurity…Really?

Welcome Hackers! This might as well be the slogan for the third of companies who think it would be more cost effective to pay hackers ransom than to invest in a comprehensive cybersecurity defense. Such a conclusion is based purely on monetary considerations. The thinking is that investing in expensive cybersecurity may be nothing more than throwing money away. If no one ever tries to hack your company, you won’t need to pay for cybersecurity, right? After all, why pay for nothing? Why pay for cybersecurity architecture and all the qualified people you need to manage it? Wouldn’t it be less expensive just to pay the hackers some ransom or just pay for the cleanup after a hack? Although it may seem like a naïve approach to many in the cybersecurity industry, it’s a fair question and one that needs to be looked at seriously.

So, let’s delineate some of the monetary underpinnings for this viewpoint. According to a Deloitte survey of 747 firms, the average percent of revenue channeled into IT departments amounts to around 3.28%. Of this, generally less than 20% will be specifically designated for cybersecurity. The graph below shows that some economic sectors are more concerned about IT than others.

[Figure: IT budgets by economic sector]

Gartner defines a small business as one with a revenue of less than $50 million a year. This means the average small to medium company would spend about $2 million on IT. Assuming about 20% of this is spent on cybersecurity, we end up with a cybersecurity expenditure of roughly $400,000. Of course, large companies in certain sectors will be paying much more, but, for the sake of this investigation, I’ll use the $400,000 figure as representative of a small to medium-sized business. These are businesses that have to keep a tighter rein on their expenditures so they would necessarily be most concerned about any losses due to hacking.

Last year, Kaspersky reported that the average loss to a small to medium-sized business from hacking was $117,000. Thus, on the surface, solely from a financial point of view, it would seem that taking the gamble on not being hacked could be justified. But Kaspersky notes that there are extenuating circumstances. Here are the costs that firms incur when trying to recover from the effects of a breach.

[Figure: Kaspersky breach recovery costs]

Keep in mind that these are the costs that follow a breach. That’s where the $117,000 figure came from. It does not take into account any money that the hackers may have either stolen or asked for as in a ransomware attack. It does not take into account how much hackers can make from selling a database of personal information. Attacks that result in a lost database of personal information can be the most expensive to recover from. A Ponemon study estimated the average cost of a data breach to be around $690,000.

Now, back to the report from NTT which interviewed “1,800 global business decision makers” to find out their views on cybersecurity. The main takeaway I got from this report is that these “business decision makers” seemed naïve when it came to cybersecurity. Nearly half (47%) believed that they had never been affected by a breach. Maybe that was true or maybe they are just one of those companies that have been breached but don’t yet realize it. (Statistics for US firms show “63% report an incident in the past year and nearly half (47%) have experienced two or more”.) However, what was even worse was that one-third of the respondents felt that they would never be breached.

[Figure: NTT survey, perceived chances of a breach]

This fact probably explains what NTT claimed was “one of the most shocking statistics in this report”. That is, that one-third of respondents said they would rather pay a ransom than invest in cybersecurity. An additional 16% were unsure of whether they would pay a ransom or not. Taken together, this means that half of all companies would at least consider paying a ransom. This attitude must have been welcome news to those criminals using ransomware to make money. It also reveals the respondents’ naiveté. Their underlying belief seems to be that paying a ransom will restore everything to normal. In fact, there is no guarantee that the criminals will honor the ransom payment and decrypt the data, or that, given the incentive of the first payment, they will not attack again.

Another fact that seems to emerge from the report is the uncertainty that exists over who would be ultimately responsible if a breach occurred. One-fifth believed that such a breach would be the responsibility of the CEO, even though it seems that few CEOs really knew what was going on in their IT departments. Statistics indicate that very little communication was going on between high level management and the IT department. This could be because management did not feel qualified to speak cogently on IT matters. Then again, it may be that such conversations only occurred when the IT department approached management for budget allocations or informed them about serious breaches. A Ponemon study seems to support a general lack of communication going on in most businesses, as can be seen in the graph below.

[Figure: Ponemon survey, relationship between management and IT]

Malwarebytes found that, of companies experiencing a ransomware attack, 20% were forced to shut down immediately. Most companies were down for 1 to 8 working days (assuming a 12 hour working day). 80% of ransom demands were for under $10,000. 21% of those receiving ransom demands paid the amount requested. Of those not paying the ransom, 32% lost files. It is impossible to assess the cost per day of a company not being operational. That would vary with the type and size of the company. In this respect, however, the ransom itself would probably be a minor expense. Medical, financial, and online retailing firms would probably be more likely to pay the ransom in the hope of resuming normal operations. So the average cost for a ransomware attack would be about $127,000. However, many companies experienced more than one ransomware attack in a year.

But hacking is not just for receiving a ransom. Hackers steal for financial gain or to acquire important information. Hacks stealing information tend to be more difficult to recover from. When customer information is stolen it is often sold on the deep web. How would customers ever trust a company that exposed their personal information? Stolen company secrets put the existence of the enterprise at risk. In both kinds of hack, the company reputation suffers. As most companies realize, reputation is closely linked to profits. The quarter after the Target hack, profits fell by 50%, a loss which smaller companies may not be able to absorb.

There is a widely quoted statistic that 60% of small businesses will fail in six months following a cyber attack. The statistic is claimed to originate from the National Cyber Security Alliance. I made a rigorous attempt to verify this claim, but could not. I did, however, eventually find a press release from the NCSA in May of 2017 saying that “this statistic was not generated from NCSA research” and that “members of the media, policy makers, small businesses and others are encouraged to rely upon more current and clearly sourced data.” That said, most businesses will experience serious financial stress following any cyber attack. A Cisco report found that 38% of organizations experienced a substantial financial loss, 42% saw a substantial loss of opportunities, and 39% saw a substantial loss of customers. Each small business needs to take these statistics into consideration and determine for themselves if they could survive such an impact to their particular business.

This is all not to say that small and medium-sized businesses have absolutely no security at all. They may have some simple antivirus software or may use a VPN. They don’t, however, have a coordinated cybersecurity strategy backed by an IT department that would be needed in the case of a strong attack. They certainly do not have state-of-the-art technology to protect themselves from the most commonly used attack vector: the exploitation of unprotected endpoints. As such, they are continuously vulnerable to irresponsible online behavior by any employee that has access to their network.

And that brings us back to the main question: Is it better to wait to be hacked before paying for cybersecurity? It’s a gamble, and one that is the statistical equivalent of a coin toss. In other words, would you risk your business on the toss of a coin? In the end, you simply have to ask yourself one question: Are you feeling lucky?


Why Are Recent Employment Scams Fooling So Many People?

Most scams are pretty transparent. An email arrives with a tempting subject line, but you know, deep down, that what they promise is simply too good to be true. Why do “beautiful Russian women” want me to contact them? Why was I so lucky that they decided to send me their pictures? Why are people I never heard of dying and leaving me millions of dollars? Why?

Well, if it’s so easy to spot a scam, then why are so many people falling victim to employment scams? The basic answer is greed or desperation. Employment scams offer unusually good pay for unusually little work. It’s enough to get some people interested in reading the email that eventually traps them in the scam. That said, some of these scams are sophisticated enough to fool even the normally wary.

So let’s look at one of these emails that you may receive. It may come with a company logo and may refer to a resume that you have posted on some popular job search site. At first, it may be a simple message. Here is one example.

Hello Good Day. I am Mr. Jerry Nathan From ( Indeed Recruitment Team ).. Our HR Dept has reviewed your resume published on Indeed. Your resume has been reviewed and Approved. You have been scheduled for an interview. Reply back if interested for more details on the job position. Thank you.

This may also be sent as a text message. If you reply, you will probably be told to use some messenger service, such as Yahoo Messenger, to be interviewed. Occasionally, they will ask you to call a number for an interview. Don’t worry. No matter what you say at the interview, you will eventually be offered the job.

The type of job varies, but recently scammers have been focusing on shipping or logistics jobs. The job names change but the work remains the same. Some victims have even been given contracts to make them feel more comfortable. The scammers know that the victims will try to find a website connected to the company, and, not surprisingly, there will be one. The website may even have an https header which may further lower the suspicions of the victim. Scammers have been known to make use of legitimate websites as well. The scammers may even refer to their own job posting on a job seeker website and a link to it may be placed in the email, so as to make the offer appear more legitimate. The job will always be well-paid and the work will seem relatively easy and straightforward.

The victim may be asked to fill out some employment forms which will ask for personal information. Some victims have claimed that they were asked to fill out an application for a W-2 form for tax purposes. This will give them the victim’s social security number. Once they have enough information, they can apply for a credit card in the victim’s name – but that’s not the main purpose for the scam.

Recently, employment scammers have been recruiting “shippers”. The work is as follows. If you are a victim, they will ship you packages which you must repackage and send on to certain addresses. The addresses are usually overseas addresses. Why any legitimate company would need people to do this should raise suspicions, but if you have followed the scam to this point, you will likely continue. You will be paid per package and will receive a payment at the end of each month.

Shortly after filling out all of the forms, you will receive your first package to reship. The package will come to your address but will often be under a different name. Often, the scammers will give you a ‘trial period’ which means you must show you can send the packages as ordered. The merchandise will not be expensive. Why? Because some victims realized they were being scammed and kept the packages for themselves. Thus, rather than lose valuable merchandise, they will see if you send some inexpensive products first and if you qualify as a bona fide victim. When you send your first expensive merchandise, you become officially part of the scam. Most victims will stay until their first paycheck and will do whatever they are told to do because they simply need the money. Only when they don’t receive the money and don’t get any answers to their questions do they begin to suspect that something went wrong. In fact, many victims don’t really investigate the scammers until they don’t get paid and it is far too late.

This is what the victims should have done. Look more carefully at the company website. Don’t accept it as valid simply because it has an https address. That won’t necessarily mean it’s safe. You can get a certificate for free or buy a cheap one that will do the job (see my post). Is the https indicator in green? Probably not. Here is a fake website that is used to validate a fake company in an employment scam.

[Figure: Explicit Logistics homepage]

It may seem valid until you read the English. Do you really believe a serious company would allow such clumsy language use to appear on its homepage? A check on the site will show that it is about a year old. If you navigate to other pages you will see that they made a key mistake when they copied information from another shipping website to legitimize their business. Here is how the information appears on the Explicit Logistics page.

[Figure: Explicit Logistics cargo page]

Notice how the company name changes to Freight Logistics. Oops. That’s because there really is a company named Freight Logistics, which has this information on its page. See any similarities?

[Figure: Freight Logistics page]

What I’m saying here is that before you take a job with any company, give its website more than a casual look.

Sometimes, scammers ask victims to pay a ‘training fee’ which they will reimburse in the first paycheck. Others have been told to log into a special site to get their assignments from a personalized dashboard. This gives the scammers a more ‘professional’ look. Once logged in, victims can see their assignments. They will be told where to pick up and where to send packages. They will also see how much money they’ve made and when they will receive their first paycheck. Sometimes, they may be promised bonuses for sending packages quickly. But, as one victim noted, “you will receive weekly updates of your pay for work completed, and a set pay day for your first check. On your set pay date you will be deleted from the work panel and no longer contacted and will not receive a response.” The scammers simply move on to the next victim. This particular victim spent over $2,000 sending packages.

Most people lost $2,000 to $5,000 in this scam. The most I found recently reportedly lost was $40,000. This was from a business that was scammed. They purchased products in advance and were paid through a checking account. After the scammers got what they wanted, they canceled payment on the check. But losing money may not be your main problem.

If you send stolen merchandise overseas, you may receive a visit from the police or FBI.
Some victims claim they received a call from the police after mailing several packages. Apparently, the merchandise you shipped was purchased with a stolen credit card and all signs point to you being the one who stole it. That’s when the fun really begins. You may be charged with distribution of stolen goods, defrauding customs, and mail fraud. You are the only one they will be able to trace and may face up to 20 years in prison. The real perpetrators will continue their scam unharmed, using new victims.

To avoid being scammed, avoid any job offers that can be filled by any unqualified person. Job offers for caregivers, mystery shoppers, repackagers, shippers, administrative assistants, and customer service reps are commonly scams, especially if they don’t require any special qualifications. Work at home jobs should be approached with great caution.

You may have seen the job posted on some job seeker site. You may even have a resume on those sites. The scammers will often use this information to entrap you. They may direct you to fake web pages. They may send you useless contracts and ask you for personal information. Job offers are often for about $4,000 a month for working 20 hours a week. Remember, if it sounds too good to be true, it probably is.

Any company that asks you to pay any money up front should be avoided, even if they say they will reimburse you. They won’t. You are just giving them money. You may be given a chat-style interview through some messenger app or Google Hangouts. If the interview really doesn’t get down to details, or if their use of English is poor, think scam. This goes for phone interviews as well. Ask the interviewer for details about the operations of their company. For example, all shipping companies will know about the WCA network, but do the interviewers?

Don’t think that just because they have a website means they are a real company. For some reason, this is the number one reason why victims believed their scammers were legitimate. They may even send you to a real website that they don’t control. Some companies have complained that they were being contacted about job openings that they never had. Check out the URL with a domain checker tool. If the site was recently created, it is likely fake.
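One way to run the domain-age check recommended above, as an added example that is not from the original post: pull the creation date out of WHOIS text and flag any domain registered less than a year ago. The WHOIS records, domain names and review date below are constructed for illustration; in practice you would feed in the output of a real whois lookup.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS-style records for illustration; these are not real
# registrations and the .example TLD is reserved, so nothing here resolves.
SAMPLE_WHOIS = {
    "explicit-logistics.example": (
        "Domain Name: EXPLICIT-LOGISTICS.EXAMPLE\n"
        "Registrar: Example Registrar Inc.\n"
        "Creation Date: 2017-09-14T08:12:33Z\n"
    ),
    "freight-logistics.example": (
        "domain: freight-logistics.example\n"
        "status: active\n"
        "created: 2004-02-27\n"
    ),
    "privacy-shielded.example": (
        "Domain Name: PRIVACY-SHIELDED.EXAMPLE\n"
        "Registrar: Example Registrar Inc.\n"
    ),
}

# Constructed "as of" date so the ages below are reproducible.
REVIEW_DATE = datetime(2018, 8, 1, tzinfo=timezone.utc)

# Registrars label the creation date differently; match the common labels.
_CREATED = re.compile(
    r"^\s*(?:Creation Date|Created On|Created|Registered On|Registration Date)"
    r"\s*:\s*(\S+)",
    re.IGNORECASE | re.MULTILINE,
)
_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z", "%Y-%m-%d", "%d-%b-%Y")


def parse_creation_date(whois_text):
    """Return the registration date as an aware UTC datetime, or None."""
    m = _CREATED.search(whois_text)
    if not m:
        return None
    raw = m.group(1)
    for fmt in _FORMATS:
        try:
            parsed = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        if parsed.tzinfo is None:
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def domain_age_days(whois_text, now):
    """Whole days since registration, or None when no date was found."""
    created = parse_creation_date(whois_text)
    return None if created is None else (now - created).days


def assess_domain(whois_text, now, min_age_days=365):
    """RECENT: registered under min_age_days ago. UNKNOWN: no date found,
    which is treated as unverified, never as a pass. ESTABLISHED otherwise."""
    age = domain_age_days(whois_text, now)
    if age is None:
        return "UNKNOWN"
    return "RECENT" if age < min_age_days else "ESTABLISHED"


def assess_all(records=SAMPLE_WHOIS, now=None):
    """Assess every record; defaults to the constructed samples and today."""
    now = now or datetime.now(timezone.utc)
    return {name: assess_domain(text, now) for name, text in records.items()}


if __name__ == "__main__":
    for name, verdict in assess_all(now=REVIEW_DATE).items():
        print(f"{name}: {verdict}")
```

A RECENT or UNKNOWN verdict is a reason to dig further, not a proof of fraud; established companies do occasionally register new domains.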

Many employment scams go unreported. If you use a job site, check the forums for others who may have had experience with the company you want to work for. Generally speaking, though, if you are at all suspicious, look for another employer.


Are VPNs Really Safe?

That depends what you mean by ‘safe’. Different people have different reasons for using a VPN so you can make a case for both sides of this issue depending on just how much safety you’re looking for. So, in this post, I’ll try to look at both sides of the issue and let the VPN user decide if it offers the degree of safety they are looking for.

The Case for Using a VPN

Just what is a VPN anyway? To understand its safety features, you first have to understand precisely what it is capable of doing.

Not all VPNs (virtual private networks) are created equal. For this reason, there are a lot of misleading diagrams of how they work. Most such diagrams don’t include the ISP, though this plays a role in all VPN-related connections. The diagram below, modified from SunVPN, is closest to depicting how a VPN actually works. (It should not be interpreted as any form of endorsement.)

[Figure: VPN connection diagram, modified from SunVPN]

When you connect to the internet, you do so with the help of an ISP (internet service provider). They will help you access the servers for web pages you want to look at. In so doing, they know what websites you are visiting. They routinely keep logs of such visits in case such information is needed later.

If you use a VPN, you get an encrypted connection to the VPN server that you requested. The ISP will only see that you requested a particular IP address. After you connect with the VPN server, the ISP will have no idea of what websites you are visiting. You could even connect to another VPN.

It is possible for an ISP to block you from accessing certain sites. Repressive governments frequently do this. However, if you use a VPN, they cannot block this access. This is why VPNs are used in China to visit certain websites that the government doesn’t want their citizens to see. It is also the reason why Russia is considering banning VPN use.

If you live or visit a foreign country, you may find that there are a number of U.S. sites that will not give you access. Certain YouTube videos, for example, will give you the following message.

[Figure: YouTube message shown when a video is unavailable in your region]

In fact, I first became aware of the benefits of a VPN when I was living in Afghanistan and wanted to download some videos for my students. I was able to spoof my IP address by using a VPN server in the U.S. to make it appear as if I was in the U.S. and everything was fine. This is called ‘geo-spoofing’.

Your company, school, or organization may also try to restrict your browsing for any number of reasons. Perhaps, they even keep a record of where you’ve been online. Enter VPN. Now, they will only see that you connected to the VPN and nothing more.

Using free public Wi-Fi is always dangerous as it leaves you open to attack. Bypassing the local network with a VPN is always recommended.

File sharing sites offer downloads of movies, TV shows, and music via peer-to-peer sharing. Some governments frown on such ‘sharing’ and may even prosecute those who download material using these sites. In such cases, VPNs can be used to hide your identity.

Since your IP address gives away your location, companies will often target you for certain, location-specific ads. This can be annoying if you are in a foreign country and are suddenly given content in the local language rather than the language you are used to. Google has the bad habit of trying to foist their localized version on you whether you like it or not. VPNs can get around this by the same geo-spoofing techniques outlined above. At least the ads that target you will be in a language you can comprehend.

The Case Against VPNs

How much do you trust your VPN provider? The answer to this question will help you decide whether a VPN will meet your needs. Although your local ISP will not be able to see your browsing history when you use the VPN server, the VPN provider can. Many VPN providers will promise you anonymity but, again, can you trust them? It would be a relatively easy task for government agencies to learn what VPN you use and then pressure the company to hand over its records on your browsing history. If the company does not maintain such records, law enforcement can pressure them to begin recording your browsing history. Let’s face it, few VPN providers would want to risk their businesses over the browsing history of one questionable user.

When I used Skype to speak to a friend in China, I was surprised to find that it was possible. After all, Skype has been banned in China since last year. Actually, this is not really true. It seems to depend on what server you use Skype on, because, as long as the government has access to the servers in control of Skype-based communication, it wouldn’t really matter. The person I spoke to was using a VPN. On the surface, that sounded promising, but would China allow any VPN to be used that did not allow it access? In fact, China would not license any VPN that did not agree to give it access to its records. Sure, you may be able to use Skype and even a VPN from your hotel in China, but I doubt if your communication is as secret as you may think it is.

Privacy experts suggest that you do not use VPN servers located in the following countries.

U.S.
U.K.
Australia
New Zealand
Canada
France
Norway
Denmark
The Netherlands
Belgium
Italy
Germany
Spain
Sweden

Although these countries may not be considered repressive, they have all been known to spy on their citizens or pressure VPN companies for information. Of course, most people don’t worry about maintaining such a high level of privacy, but, for those who do, all VPN communications should be directed through more neutral countries. Some privacy experts claim the safest servers are located in Switzerland, Romania, or Panama, though others say that no VPN can offer complete privacy.

There are a few reasons why you may not want to use a VPN for downloading files or videos from file sharing sites. The most practical reason is that VPNs will slow down your browsing and downloading. In addition, some VPNs will block you from downloading from major file sharing sites. Also, keep in mind that whatever you download may be recorded by the VPN provider.

It is not necessarily true that a VPN will protect you from targeted ads. Some VPNs come with built-in ad programs that will try to lead you to a variety of sites. Some will also track your browsing in order to present targeted ads. Keep in mind that free VPNs aren’t providing their services just because they like you. Mostly, they make money by doing something else, like selling your personal information. This doesn’t mean they are useless for most people, but they do have limitations in terms of privacy.

For Those Concerned with Greater Privacy

Good VPNs need to be paid for. They generally cost between $3 and $5 a month. They should offer strong encryption, anonymity, numerous servers, and be located in a relatively non-repressive country. They should not keep logs of activity and should permit torrenting (P2P) connections.

Some privacy experts say that VPNs offer only promises and nothing more. They suggest using the Tor browser with a VPN for maximum privacy. Remember that all browsers offer privacy settings that can be maximized, but none are ultimately as safe as Tor. On the other hand, Tor slows down browsing.

Concluding Thoughts

Nothing you do will guarantee 100% privacy online, but for most people a good VPN will serve their needs. Although free VPNs have a number of shortcomings, they will still give basic VPN services and that’s enough for most people. However, if you have a job with an organization that could be a target of government agencies or hackers, and you are connected to its network, consider stronger security actions. Most companies and organizations will require those with connecting privileges to meet basic security guidelines. Those guidelines may or may not include the use of a VPN. In such cases, weaknesses in the VPN could be exploited by malicious actors. VPNs alone do not offer enough protection for a corporate or organizational network that is trying to protect sensitive information. More state-of-the-art architectures are needed for that.

In short, VPNs should be considered a good first step in protecting your privacy, but nothing more.



Using Ultrasound to Hack Air-Gapped Computers

Air-gapped computers are computers that are not connected to any network. They may even be physically isolated. Such computers are usually presumed to be safe from cyber manipulation. For this reason, businesses or organizations will often store important data on such computers. However, they are not as safe as most people think. Researchers have found a number of ways to breach such computers. For example, it has been found that the pressing of keys on a keyboard emits electronic signals that can be detected and analyzed. So, it would be possible for a hacker with the right equipment to analyze these signals to, at least theoretically, steal passwords and other data. It would be the same as if they had installed a keylogger. Other air-gapped hacking has used variations in magnetic, radio, or optical signals that have escaped from the air-gapped computer during its normal operations. Here is a summary of ways air-gapped computers have been breached.

[Figure: summary of air-gapped covert channels]

But there’s a problem. Such hacks are limited by proximity and transfer speed. All attempted hacks of air-gapped computers need to occur physically close to the target machine and the data they access is only transferable in bits per second. In other words, for a successful hack of an air-gapped computer to occur, a malicious machine in the same room or, at best, a nearby room, must have appropriate malware installed on it and, in addition, be connected to some network so that the information it receives from the air-gapped computer can be transferred to the hacker. The other alternative is to have data hacked from the air-gapped computer and stored on the hacking computer. Later, the hacking computer and the stolen data can be physically accessed by an insider.

The concept of hacking through ultrasound has been around for a while. In most of these scenarios, communication with an air-gapped computer was established using the computer’s speaker and microphone. In 2014, Hanspach and Goetz showed how ultrasound communications could use a series of ultrasound-connected laptops to extend the normal transmission range. The use of ultrasound is important in keeping these transmissions covert, i.e. above the level of human auditory detection. However, there is one big problem. Such attacks can be easily thwarted by simply turning off the microphone on the air-gapped computer. In addition, some desktop computers may not have a built-in microphone as laptops do.

This problem has now been solved by researchers at Israel’s Ben-Gurion University. They have demonstrated how audio output devices can be converted into audio input devices, and vice versa. This means that a computer’s speakers can be used both to transmit ultrasound signals and to receive them. In other words, turning off an air-gapped computer’s microphone will not stop the transmission of data. Speaker-to-speaker communication is a possible channel. Not only that, but headphones and earphones can also be used for transmission. The main problem here is installing malware on the target computer, which is necessary to make this audio transformation possible.

This attack vector shows some increase in transmission rates (300 to 600 bits/sec), but still has a limited range of about 8 meters (~25ft). One positive point about using ultrasound is that it is not substantially affected by background noise. On the other hand, ultrasound is more affected by the directionality of the transmitting and receiving devices. That is, they work better if they are aligned, which you cannot always rely on to occur in a natural setting.

With such limitations, is it really worth worrying about being hacked in such a way? For the average individual, probably not. The difficulty of accomplishing such a breach means that it is beyond the capability of the everyday bedroom hacker. This is a technique that would be reserved for nation-states looking for specific information on specific air-gapped computers. Such attacks would need to be well-organized and precisely targeted. A computer in proximity to the target air-gapped computer must get the appropriate malware installed on it before any attack could take place. This would normally require the use of either a well-formed spear phishing email or the help of a malicious insider. Far more troublesome would be getting malware onto the air-gapped computer. Again, this would likely be in the form of an insider working with the attackers or a naïve insider using something like an infected USB. The installation of malware on both devices would open a communication channel between the two devices. 

The transfer rate of data is also a problem, but that can be overcome with pure patience. Even a small amount of data can compromise a machine. Passwords, for example, are only a handful of bytes and can be transferred a few bits at a time.

With the malware installed, the two computers would establish a communication channel using the speakers or earphones on the air-gapped computer and begin exchanging information. Obviously, one way to stop any such attack would be to disable any speakers or the use of earphones on the air-gapped computer. Apparently, even using an amplifier on the air-gapped computer can prevent an attack. Here is a summary of countermeasures from the same report.

[Figure: summary of air-gap countermeasures]
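As an added example that is not from the original post or the Ben-Gurion report, here is a defensive check that complements the countermeasures above: scan a microphone capture taken near the air-gapped machine in 100 ms blocks and flag any block carrying a tone above 18 kHz, using a pure-Python Goertzel filter so no audio library is needed. The capture is synthesized inline, and the 48 kHz sample rate, 18 kHz floor and amplitude threshold are assumptions.

```python
import math

# Assumptions: 48 kHz mono PCM capture with samples scaled to [-1.0, 1.0].
SAMPLE_RATE = 48_000        # Hz; a 48 kHz capture resolves tones up to 24 kHz
ULTRASONIC_FLOOR = 18_000   # Hz; above the usual adult hearing limit
BLOCK = 4_800               # samples per analysed block (100 ms)


def goertzel_power(samples, freq, rate):
    """Squared magnitude of the DFT bin nearest freq, via the Goertzel recurrence."""
    n = len(samples)
    k = int(0.5 + n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def tone_amplitude(samples, freq, rate):
    """Peak amplitude (full-scale units) of a steady tone at freq in the block."""
    n = len(samples)
    return 2.0 * math.sqrt(max(goertzel_power(samples, freq, rate), 0.0)) / n


def strongest_ultrasonic(samples, rate=SAMPLE_RATE, step=250):
    """Sweep the ultrasonic band and return (freq, amplitude) of the loudest tone."""
    best_freq, best_amp = None, 0.0
    for freq in range(ULTRASONIC_FLOOR, rate // 2, step):
        amp = tone_amplitude(samples, freq, rate)
        if amp > best_amp:
            best_freq, best_amp = freq, amp
    return best_freq, best_amp


def scan_blocks(samples, rate=SAMPLE_RATE, block=BLOCK, min_amp=0.01):
    """Return (block_index, freq, amplitude) for every block carrying ultrasound
    louder than min_amp; the threshold keeps microphone noise from alerting."""
    hits = []
    for start in range(0, len(samples) - block + 1, block):
        freq, amp = strongest_ultrasonic(samples[start:start + block], rate)
        if amp >= min_amp:
            hits.append((start // block, freq, round(amp, 3)))
    return hits


def constructed_capture(blocks=5, signal_blocks=(2, 3), seed=1):
    """Constructed capture: a 1 kHz audible tone plus faint noise throughout,
    with a quiet 20 kHz tone (what an ultrasonic emitter near the machine would
    add) present only in the listed blocks."""
    out, state = [], seed
    for t in range(blocks * BLOCK):
        state = (1103515245 * state + 12345) % 2 ** 31   # tiny LCG noise source
        noise = (state / 2 ** 31 - 0.5) * 0.004
        x = 0.5 * math.sin(2 * math.pi * 1000 * t / SAMPLE_RATE) + noise
        if t // BLOCK in signal_blocks:
            x += 0.05 * math.sin(2 * math.pi * 20000 * t / SAMPLE_RATE)
        out.append(x)
    return out


if __name__ == "__main__":
    for block_idx, freq, amp in scan_blocks(constructed_capture()):
        print(f"block {block_idx}: ultrasonic tone at {freq} Hz, amplitude {amp}")
```

On a real capture the hits would be timestamped and raised as an alert; a laptop sound card that low-passes above 20 kHz will simply never see the higher band, so check the capture chain before trusting a silent result.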

All of this may make it seem as if ultrasound communication between devices is nothing to worry about. This would be a mistake. Last year, researchers learned that voice assistants, such as Siri and Alexa, have a better hearing range than humans. In other words, they can hear commands in the ultrasound range. In fact, any device that can be voice activated may be commanded to do things that its owner may not want it to do. Yet, they would never hear these commands themselves. Advertisers could, for example, have these devices go to their web pages and play ad messages. But before you panic, this only seems to work when the ultrasonic message transmitter is near the listening device, often, within one meter.

Thus, if the distance limitations can be overcome with amplification of the ultrasonic signal, all sorts of unusual and dangerous hacks could take place. Ultrasound has been amplified using the SASER (sound amplification by stimulated emission of radiation), which is, basically, the sound equivalent of a laser. Could this be used to infect an air-gapped computer at a distance? I simply don’t know, but it is an avenue that is no doubt being explored. The problem is that such ultrasonic waves can be dangerous to nearby humans. In fact, 180 decibels of ultrasound can even cause death.

Hearing loss is the major result of being exposed to ultrasound. Studies on the effect of ultrasound exposure have found people also complain of “fatigue (36.8%), headache (12.1%), somnolence (5.3%), dizziness (5.3%) and palpitations (5.3%).” Other studies on excessive ultrasound exposure found people complaining of “irritation, memory problems and difficulties with concentration and learning.” These symptoms are similar to those reported by workers at the American Embassies in Cuba and China. Some have claimed that these symptoms were psychosomatic; however, if some sort of ultrasound hacking was being attempted, it could have accidentally produced these symptoms. In fact, research done by the University of Michigan indicates that this is a possible explanation for the health problems experienced by the embassy staff.

There is no way for us to know how far nation-states have advanced in such hacking, but I have no doubt it is under development. Could malware be installed directly onto an air-gapped computer through ultrasound? That would be the next big step and it would mean that any computer, not only an air-gapped computer, could be vulnerable. If all this is true, businesses and agencies serious about security need to consider using ultrasonic jammers as part of their cybersecurity architecture. In any event, the cybersecurity landscape has just become a lot more complicated.


Fake Lawyers and Law Firms Scam Multiple Victims in Multiple Ways

When I started investigating this problem, I thought I might find a few fake law firms being used as fronts to perpetrate fraud. I now realize that I profoundly underestimated how widely this attack vector is being used. In fact, I doubt if the legal profession realizes what it is up against.

There are a number of reasons why fraudsters would set up fake legal firm websites or pose as lawyers. First of all, scammers really need to get your personal information to begin their scam. One way to do this is to offer you free legal advice if you simply fill out a form on their website. The form will ask for personal information which can then be used to scam you.

The victim, visiting the fake website, will see that it is well-designed and even includes the biographies of the lawyers who work for the firm. The pure believability of the site lowers suspicion. Many law firms have pages for sending personal information in order to begin a case. Once these criminals get your email or phone number, they will contact you and agree to take you on as a client. They will likely promise you a favorable outcome. However, they tell you that you should send them a filing fee so that they can begin the paperwork. If you follow their directions you will never see that money again and no paperwork will be filed.

The above scam is quite basic. It is used to fool people who have a built in motivation for getting the help of a lawyer and who may, therefore, be willing to overlook any inconsistencies they may find on a law firm’s website because they want to solve their problem as quickly as possible. The website below is an example of such a well-designed site.

[Image: the fake law firm website (edmunds)]

In this case, it appears that the criminals took over the name of a law firm that existed until 2011. They then tried to perpetrate the old inheritance scam. In this scam, you, the victim, have had a distant relative die (they will always have the same surname as yours) and it has been found that you are the only heir. You will get this information in an email that may bear the logo of the law firm it is purportedly sent from. The sum of the inheritance is considerable, often into the millions of dollars. You are then told that you will get most of the inheritance if you pay for the legal work that must be done. Of course, you will probably check to see if the law firm that sent you the email actually exists. If you find a legitimate-looking page like the one above, it may be enough to convince you to proceed. That’s the scammer’s hope, anyway.

Recently this basic scam has been upgraded in a number of ways. In some cases, a person from overseas contacts a legitimate law firm about some problem they have “in your jurisdiction”. They are told that a settlement has been agreed upon but that they need a law firm to arrange for the receipt and forwarding of the funds to a foreign account.

Of course, the law firm will ask for documentation, and it will be sent and appear to be authentic. The documents will have the name and contact information for a person working with the company that has agreed on the settlement. When contacted, all will seem normal. In a short time, the law firm will receive a check, often for hundreds of thousands of dollars, by FEDEX. The check will look legitimate, like the one received by a New York law firm.

[Image: counterfeit Citibank check received by a New York law firm]

Since the check has a correct routing number, it will be accepted by the bank. The money from the check will appear in the firm’s account. At the same time, the person who is to receive the money from the check has contacted the firm explaining that they need the money transferred immediately because of some emergency. Thinking that the check is valid and seeing that it has been deposited in the firm’s account, the firm may go ahead and send the money. Only days or weeks later will they learn that the check was a counterfeit and the firm has been bilked out of hundreds of thousands of dollars.

This scam template also uses fake law firm websites to validate other spurious claims. One targeted law firm may be told to contact another law firm, a fake one, to validate a transaction. Searching the internet to gather information on the validating firm will find a well-designed website with contact information and pictures of real lawyers, cloned from another valid law firm site. The phone number will either lead to a voice mail or to a scammer who will validate the fake transaction. In other words, contacting the fake firm will only further ensnare the victim firm.

Such scams are widely perpetrated, but there seem to be a few hot spots. In the U.S., Texas, Florida, and California have been heavily targeted. Texas has been scammed by fake estate planning firms which target the elderly. California has been targeted by fake firms offering advice to legal and illegal immigrants. Their websites are often in Spanish. In Florida, a variety of fake law firm scams are on the rise.

In the United Kingdom, fake law firm scams are reaching epidemic proportions. In the last month alone, according to the Solicitors Regulation Authority website, scammers in the UK have used the names of actual solicitors or firms over 20 times to try to trick victims into sending them money. The scams are believable as they use the actual or similar names of real solicitors and real firms to perpetrate the scams. Here is an example.

There is a legitimate law firm called Crystal Law. It maintains the following website.

[Image: the real Crystal Law website]

And here is the fake website that pretends to be Crystal Law.

[Image: the fake Crystal Law website]

The format seems to be copied from the website of the Odaman & Taskin Law Firm located in Istanbul, Turkey.

While researching this post, I found two other fake websites using the same format.

[Image: fake website (ian bright)]

[Image: fake website (phillip johnson)]

I found that some of the images on these sites were stolen from another law firm site, Harcourt Chambers, and linked to a number of other sites, some of which Microsoft has determined to be dangerous. On its site, Harcourt Chambers notes that, “it has come to our attention that a number of bogus emails have been sent to individuals which purport to have originated from Harcourt Chambers or individuals from Chambers.” Many of these could be traced to a scam look-alike site and any correspondence from it should be either ignored or reported to the authorities.

After finding a number of these scam sites, I reported them to the Solicitors Regulation Authority. I received a reply (“We will look at your information alongside other relevant information we hold in order to consider the next steps”) and hope to work with them to expose the scammers. However, due to the massive prevalence of such scam sites, the task will be daunting. My suspicion is that I stumbled upon several of these sites before they had a chance to be monetized. The scammers may have taken over firms that have closed but did not, or could not, remove the original websites. I will update this information when necessary.

But why are law firms such tempting targets? That’s easy. They can give legitimacy to any scam. More importantly, however, information on law firms and lawyers is readily available. Most states have a searchable database of all their bar members and firms. The database gives information such as the following from the Florida Bar website: bar number, mail address, office phone, personal phone, fax, email, personal bar URL, vCard, practice areas, and the firm’s website. Below is the scammer’s dream page for setting up a scam.

[Image: Florida Bar member profile page]

A potential scammer can find law firms specializing in the areas they are interested in, such as estate planning or real estate. They can then clone an appropriate website and begin their scam.

A few days ago (June 8), the Better Business Bureau received a complaint about a fake law firm that scammed a victim out of $5,000 by pretending to represent a buyer of a timeshare. The fake law firm even encouraged the victim to go to their website. They also told the victim to check out the firm’s lawyers on the Idaho State Bar website. Yes, they were using the state bar site to legitimize the scam. The fake website is still up and you would think it was an obvious fake from some of the odd language on the home page, such as, “WE HAVE A LOT OF EXPERIENCE AND DON’T HAVE TO DO A BUCKET OF RESEARCH” and “ARE YOU HAVING ANY PROBLEMS BUT YET NOT CONSULT TO ANYONE ?” Or how about this puzzling banner.

[Image: banner from the fake Idaho law firm website]

In researching this particular scam, I found more fake sites than I could ever report on. Not all of them were fronts for fake legal firms, but many were. According to a 2017 report by Webroot, 1.4 new phishing sites appear every month and are online for less than 8 hours. The short time span makes it impossible for the site to be blocked, and scammers can easily direct victims to new, unblocked sites. Fake law firm sites persist simply by tweaking the URL. As the victim of the timeshare scam noted, “the problem we found was that by the time we got the website shut down (a herculean effort) a new one popped up with a new host.”

On the surface, the situation may seem hopeless. In fact, the responsibility of avoiding a scam comes down to the individual. Don’t rely on online communication or phone calls to validate a law firm. Check with authorities or meet with the firm representative in person. You may still become a victim, but the chances for this will be significantly reduced.


Trending: Hacking School Networks to Change Grades

Have you noticed a sudden increase in your son’s or daughter’s grades? Do you wonder how they can do so well at school when they seem to spend most of their time playing online games? Well, maybe there’s a simple explanation. You see, there’s a new trend making the rounds among some students these days. It’s a trend that is becoming more popular now that graduation is approaching. This latest trend is hacking the school’s computer network to change grades. Why bother studying if you’re guaranteed to be a top student?

As most students who’ve been caught admit, hacking into the school’s network was surprisingly easy. Sixteen-year-old David Rotaro hacked his school’s network and admitted, “it was like stealing candy from a baby… It was like beginner level.” He claimed it only took five minutes to write the phishing email that began the hack. What he didn’t say was how long it took him to make the fake login page. Rotaro used a time-honored defense: He wanted to point out the school’s cybersecurity vulnerabilities. Sure. And, as is often the case in these stories, his parents had no idea he even possessed such hacking skills.

According to the 2018 Hacker Report, about 46% of hackers (we’re talking white hat hackers here) are below the age of 24. Since 25% of all hackers are students, we can assume that most of those under 24 fall into this category.

[Image: age distribution of hackers, from the 2018 Hacker Report]

According to the report, there are a number of reasons why these hackers hack.

[Image: reasons why hackers hack, from the 2018 Hacker Report]

However, students wouldn’t hack a school to make money (13%), so we can eliminate that as a source of motivation. We can also eliminate that they would hack to advance their careers (12%) or do good in the world (10%). No, most would hack to have fun or show off. They may also like the challenge. David Rotaro hacked his school to raise the grades of his friends and lower those of his enemies. The fact that he didn’t change his own grades seems to show that he was trying to gain the praise of his peers.

Hacking to get passwords, alter records, or steal upcoming exams has been on the rise as well. Here are some hacks that have occurred in just the last month.

Bloomfield Hills High School – Students changed grades and attendance records. They also refunded lunch purchases.

W.S. Neal High School – Students changed grades and rankings of students. School cannot determine who the valedictorian is.

Gadsden High School – 55 students were found to have changed the grades of 456 students. They were in the system for at least 3 months.

Oakton High School – All student passwords changed.

University of Georgia – Student takes over a professor’s account and changes his grades.

Florida Virtual School System – All records and passwords of students and teachers hacked.

And here’s the bad news. There are probably many more cases that are yet to be discovered or were discovered but not reported.

A Note to Parents

There are a number of YouTube videos that claim to teach students how to hack their grades. Most are fake. They simply show students how to change the HTML code on the page they are looking at so that the grade appears to have changed. Once refreshed, the original grade reappears. So why use this hack? The answer: to fool parents. If a student’s parents are concerned about a particular grade and ask to see it on the student’s internet grade page, the student can change the grade via HTML manipulation and show the fake grade to their parents. So, if you are confronted with a suspicious grade on your son’s or daughter’s computer, simply refresh the page. If the grade has been tampered with, the original one will magically appear. Busted.

How Such Hacking is Actually Done

David Rotaro probably knew what he was doing. He sent phishing emails to all of the teachers which told them they had to change their passwords. Supposedly, most of these emails were caught by spam filters. However, one teacher opened the email and followed the link to a fake login page. Rotaro must have installed a keylogger or a RAT (Remote Access Trojan) so he could record or watch the login. It only takes one victim because, after that, he had the keys to the kingdom. In other words, he was allowed to freely roam the part of the grade site that was only accessible to teachers. Alternatively, he could have taken over the teacher’s email and sent more believable phishing emails to other teachers, thereby compromising them. Why was he caught? He made an amateur mistake and did not hide his IP address. It was easily traced back to him. As one student disturbingly commented, “so the kid wasn’t smart enough to at least use a VPN? I change grades all the time but I’m smart about it.”

But how did he manage to get the hacking tools necessary to pull this off? That’s pretty simple. You can get them online for free. The DarkComet RAT, for example, has been around for years. It can perform many malicious actions, such as turn on a victim’s microphone and webcam. It also comes with a keylogger to capture passwords and credit card information. It is readily available for download and even has its own legitimate website. How is this possible? Because it is advertised as a remote access tool. In other words, you could use it to access your home computer remotely. Sure, it has malicious potential but… Free keyloggers are also widely available. They are legitimately used by parents to monitor their child’s online behavior or by employers wanting to keep an eye on employees.

[Image: the DarkComet RAT]

So, all of the tools for hacking grades are just waiting to be used by enterprising students. I’ve been monitoring discussions on this topic on some forum sites and was surprised at how many people confessed to hacking their schools. Some methods were quite complex but others were surprisingly simple, like installing a keylogger on the teacher’s computer from a flash drive when the teacher left the room.

Though many of the exploits used are relatively simple, there are some that are too complex for most students. Fortunately for the aspiring grade hacker, there are step-by-step online instructions on how to hack into a school’s server and, in this particular example, steal the final exam.

[Image: the online “how to hack” instructions]

As the hacking instructor writes, “so for today, we’ll look at how to break into your school’s server to download the final exam file with the answers onto your computer. Just think of the benefits to your academic record, your Call of Duty skills, and your popularity when you show up at school with the final exams days ahead of the finals!” Yeah, that about sums it up. Of course, this all comes with a disclaimer, “this is for demonstration/entertainment purposes only. Please do not break into your school’s server and steal exams as it’s illegal and very likely will get you kicked out of school.” And he then gives the details of the hacking. Of course, you shouldn’t actually do this hack, but if you do, he advises you not to make your grade too high because that would look suspicious. Interestingly, this type of hack may escape all detection and has likely been performed with the school never learning a thing about it.

This exam-stealing exploit, as well as any grade-changing exploit, could easily be monetized. How much would a failing student pay to get a passing grade? My guess is quite a lot. How much would a student with a gaming addiction pay to get a final exam in advance and give themselves more gaming time?

The good news is that most students are not as computer savvy as the adult world thinks they are. Only a small percentage of students would actually know how to perform a hack of their school’s network. Fewer still would want to take that risk. However, the demand for getting grades changed or getting advanced copies of exams probably exists. There is an opportunity here for the enterprising student and they may be beginning to take advantage of it.
