Hackers have used some strange ways to break into networks or commit fraud. Not all are clever or smart.
Hackers are determined, persistent, clever, adaptable, stealthy and merciless. They will exploit any tragedy, even the current COVID-19 pandemic, and take advantage of any vulnerability in your network.
Sometimes hacks can be incredibly complex and sophisticated, but most hackers take the path of least resistance and attack networks through phishing, weak passwords, unpatched systems and social engineering. And sometimes hacks can be just plain weird. Here are eight examples:
1. Data stolen through fish tank
Cybersecurity firm Darktrace made quite a splash in 2017 when it announced that it had discovered hackers using an internet-connected fish tank to steal data from an unidentified North American casino. Apparently, the aquarium tank was equipped with IoT sensors connected to a PC that monitored and regulated the water temperature and the cleanliness of the tank and controlled the feeding of the fish.
“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” says Justin Fier, director for cyber intelligence and analysis at Darktrace.
The casino’s name was not disclosed, but the report did say that data was sent to a device in a foreign country. If you guessed Fin-land, you would be correct. Darktrace CEO Nicole Eagan explained to attendees at an event in London that once hackers got a foothold in the network, they moved on from the little fish to access a database of high rollers, also known as whales.
2. Vishing attack scams CEO
We’re all on the lookout for email phishing attacks, but what happens when your boss calls you on the phone and asks you to do something? Would you suspect that you might be the victim of a voice phishing or vishing attack?
The first reported case of an AI-based vishing attack occurred in 2019 in England. Apparently, criminals used commercially available, voice-generating AI software to impersonate the boss of a German company that owns a UK-based energy firm. The criminals called the UK CEO and tricked him into wiring $243,000 to a supplier in Hungary. The CEO recognized the slight German accent and voice patterns of his boss and the call didn’t arouse suspicion. That’s until the criminals got greedy and called a second time asking for another huge wire transfer. This time, the CEO refused and the ruse began to unravel.
However, authorities have not been able to nab the culprits or get the money back. This may be just the beginning of a new, scary era of AI-based deepfakes.
3. Pump hack yields free gas
Hackers usually traffic in cash or cryptocurrency. In 2019, French authorities nabbed five men who stole nearly 25,000 gallons of fuel from gas stations around Paris by hacking gas pumps with a special remote that unlocked a particular brand of pump installed at Total gas stations.
The hack was possible because some gas station managers didn’t change the gas pump’s default password from the standard ‘0000’. Hackers used the PIN code to reset fuel prices and remove any fill-up limits.
Operating in teams, one hacker would use the remote to unlock the gas pump, while a second vehicle, a van with a large tank in the back of the vehicle, would fill up with as much as 750 gallons at a time. What did they do with the gas? They advertised on social media and re-sold the gas at discount prices. Police estimate the gang made around $170,000 before they were caught.
4. Road sign hacks annoy local police
Weak log-in credentials are a perennial security problem, and with the advent of electronic billboards and road signs, enterprising hackers have figured out ways to gain control to get a funny or raunchy message across.
A Texas man was walking his dog when he came upon a road sign warning motorists about construction ahead. He quickly guessed the user name/password for the electronic message board and changed the sign to read: “Drive Crazy Yall.” An alert neighbor witnessed the scene and called police, who failed to see the humor. The man was arrested and charged with criminal mischief.
Last September, two young men wearing hoods and masks broke into a small building underneath a digital billboard on the side of a major highway in Auburn Hills, Michigan, hacked the system, and used it to display pornography. According to police, the duo, who were captured on surveillance video, were in and out in less than 15 minutes, so the password couldn’t have been that hard to crack. The video entertained drivers for about 20 minutes before police responded and turned it off.
Even more outrageous, a 24-year-old IT professional who was stuck in Jakarta rush hour traffic apparently looked up at a giant electronic billboard, spotted login credentials that were accidentally displayed for a moment on the screen, hacked the system and streamed hardcore porn. Indonesia happens to be a very conservative Muslim country, so authorities were not pleased. The prankster has been charged and could face six years in prison.
How secure is your network? – Reclamere’s Managed Vulnerability Scanning keeps you on top of weak passwords, unpatched systems, and unauthorized changes in your environment. Give our scanning a try at no cost. Learn more here.
5. Shark Tank star victimized by email scam
Barbara Corcoran, one of the sharks on the television show Shark Tank, lost nearly $400,000 recently in a clever email scam. The hacker posed as Corcoran’s executive assistant and sent an email to Corcoran’s bookkeeper containing a fake invoice. The bookkeeper failed to notice that the return email address was not legit.
So, when the bookkeeper asked questions about the request that nearly $400,000 be transferred electronically into a German-based bank account, that email went to the hackers, who, of course, confirmed the invoice request. It wasn’t until the bookkeeper sent a separate email to the correct address of the executive assistant asking if the payment had gone through that the light bulb went on.
Unfortunately, Corcoran is out $388,700.11. You might think that the bookkeeper would be out of a job, but it seems that Corcoran is the forgiving type. She said, “I lost the $388,700 as a result of a fake email chain sent to my company. It was an invoice supposedly sent by my assistant to my bookkeeper approving the payment for a real estate renovation. There was no reason to be suspicious as I invest in a lot of real estate. I was upset at first, but then remembered it was only money.”
Don’t fall victim to a phishing scam – Reclamere’s Managed Security Awareness Training makes educating your team easy, fun, and effective. Give our training a try at no cost. Learn more here.
6. Hacking competitor’s network backfires
Sometimes hackers can be incredibly clever. Other times, not so much. Keith Cosbey, CFO of California school lunch provider Choicelunch, was arrested in 2019 and charged with identity theft and unlawful computer access.
Seems Cosbey hacked into the network of his competitor, LunchMaster, and accessed sensitive personal data on hundreds of students, including names, grades, meal preferences and allergy information. Once Cosbey knew that little Susie was a vegetarian who got all A’s, what did he do with this treasure trove of information? He anonymously sent the data to the California Department of Education and claimed LunchMaster wasn’t doing enough to protect student privacy.
This attempt to smear his rival backfired when the state, with help from the FBI, traced the intrusion into LunchMaster’s network back to Cosbey, who was arrested. No word on his special dietary preferences should he ever wind up in the slammer.
7. Hackers activate tornado warning system, leaving people at risk
March 12, 2019, was a quiet night in the Dallas suburbs of DeSoto and Lancaster – until 30 high-decibel tornado sirens suddenly began blaring at 2.30 a.m. and continued to go on and off until 4 a.m. However, there was no tornado. This was a hack.
Residents at first were panicked that the siren warning might be real and a twister was about to hit. After all, this area of Texas is known as “tornado alley” and the period between March and May is prime tornado season. DeSoto had run tests of the tornado alarm sirens a week prior (during the day) and the weather report for that week called for severe thunderstorms and possible twisters.
City officials reported that “based on the widespread impact to the outdoor sirens located in two separate cities, including Lancaster, it has become evident that a person or persons with hostile intent deliberately targeted our combined outdoor warning siren network.” Officials pointed out that they had to take the entire system offline and in the meantime the residents were without that warning system as storms rolled in. (Of course, residents could also receive warnings via text message, so they weren’t left completely in the dark.)
Even more curious, in April 2017, a hacker set off 156 tornado sirens across Dallas proper, also in the middle of the night. Investigators attributed that hack to a technique called “radio replay,” where the hacker records a prior test of the system and replays it back repeatedly.
So, maybe there’s a serial siren spoofer on the loose.
8. Hacked baby monitor alarms parents
Potential vulnerabilities associated with home security and baby monitoring systems have been well documented. Through techniques like credential stuffing or taking advantage of weak or default passwords, hackers can spy on unsuspecting residents.
Apparently bored by watching a baby just sleeping, a hacker who had taken over an Ohio family’s baby monitoring system, began repeatedly screaming, “Wake up baby!” The stunned parents rushed into the baby’s room only to find that the hacker had pointed the camera directly at them and was screaming obscenities. IoT-based taunting has seemingly taken off, as similar cases have been reported across the country.
Not sure what you need to secure your environment? – Reclamere’s Virtual Chief Security Officers are your experts on call. Talk with our certified engineers and analysts about your challenges at no charge. Learn more here.