The 5 Most Embarrassing Hacks Ever

What is the worst thing about being hacked?  Is it losing your data? The financial costs?  Having to spend tedious hours getting your system back to where it was?  Or is it the embarrassment?

According to Wikipedia, a hacker is someone who displays “playful cleverness.” Hackers take “the serious humorously and their humor seriously.”  And in the beginning, most hacks were done by hobbyists, intent on having some serious fun at their targets’ expense. Breaking into networks was a way to demonstrate skill, to prove it could be done. And many hackers still have a code that they live by.

However, we are now in the age of cybercrime when crackers and cyber gangs employ every possible hack, malware and scam to make much money as possible. Criminals know that our PCs facilitate in the most intimate activities in our lives. We bank, shop and flirt via our PCs, as if no one can see what we’re doing. Yet, if our system becomes compromised, every byte of our personal data is there for a criminal to use.

Crackers have rarely gotten into the business of exposing private details, unless they were trying to satisfy a personal or political vendetta. But now—as social networks increasingly entwine or real and our digital lives—criminals recognize that our private lives can be used against us. They can play with their victims’ consciences to soak money out of even the most rational computer user. This has given rise to a new generation of extortionware that is designed to threaten both our wallets and our reputations.

From the harmless to the heartless, here are the 5 most embarrassing hacks in history:

1. Bearded
If you ever received the message “You have been bearded”, you know how humiliating it can be to have your PC hit by a Trojan. In the summer of 2000, this nasty Trojan installed a vile, not-safe-for-work desktop wallpaper that once seen can never be deleted from your memory.

2. Sober.
The Sober worm didn’t do much damage to your system, but it did give all of your email contacts something to think about. Disguised as a computer security warning (as many attacks often are), Sober included a SMTP engine that sent out to every email address it could find. If the person who received the email—which often used a provocative subject line like “You have sent me a virus!”—installed the attached executable file, the attack spread and spread and spread. It was quickly disarmed up by most antivirus software, but the embarrassment still lingers.

3. You got phished.
For most of us, getting phished can result in our accounts being hijacked and our contacts being harassed. But if you’re a Facebook board member, a phishing attack can make international news. Facebook investor Jim Breyer’s 2301 Facebook friends found out that even insiders at the world’s largest social network are vulnerable. It isn’t clear whether Breyer’s account was hacked or he fell for a scam himself. What is clear is that when you use a social network, any mistake you make can affect both your friends and your reputation.

4. Hentai virus.
This virus took embarrassment to a whole new level. Users who were infected by it had their web history was published online. The victim was then instructed to pay 1,500 yen to have the history deleted. What was particularly insidious about this attack is that the criminals knew the victim probably had something to hide since the virus was hidden to a Hentai porn video game (IF YOU DON’T KNOW WHAT “HENTAI” IS, PLEASE DO NOT GOOGLE IT WHILE AT WORK). Every virus teaches a lesson, and as PC magazine said, this virus taught us all, “Don’t enter any personal information in the videogame porn that you download from Japanese torrent sites.”

5. ICPP Copyright Foundation
The F-Secure Labs is familiar with Trojans that extort users to get their own documents back. But this newly discovered Trojan played on the nearly universal fear of profound legal trouble. Infected users were told that illegal torrents had been found on their system. The choice: Pay $400 or face jail time and fines. (Of course, the real solution was to delete the Trojan using a tool like our free Online Scanner.) What was most impressive about this attack was the detail and professionalism of the design. The use of legalese and small print tapped into a latent fear of many computer users: Someday you’re going to have to pay for all that music on your iPod.

Guilt and shame are powerful motivators. But when your computer starts acting suspiciously or your software starts making demands, the smartest thing you can do is to scan your system.

Cheers,

Jason

CC image credit:  Perfecto Insecto

More posts from this topic

Asian mother and daughter talking to family on digital tablet

Kids need better protection – An open letter to developers and decision makers

Tuesday February 9th is Safer Internet Day this year. An excellent time to sit down and reflect about what kind of Internet we offer to our kids. And what kind of electronic environment they will inherit from us. I have to be blunt here. Our children love their smartphones and the net. They have access to a lot of stuff that interest them. And it’s their new cool way to be in contact with each other. But the net is not designed for them and even younger children are getting connected smartphones. Technology does not support parents properly and they are often left with very poor visibility into what their kids are doing on-line. This manifests itself as a wide range of problems, from addiction to cyber bullying and grooming. The situation is not healthy! There are several factors that contribute to this huge problem: The future’s main connectivity devices, the handhelds, are not suitable for kids. Rudimentary features that help protect children are starting to appear, but the development is too slow. Social media turns a blind eye to children’s and parents’ needs. Most services only offer one single user experience for both children and adults, and do not recognize parent-child relationships. Legislation and controlling authorities are national while Internet is global. We will not achieve much without a globally harmonized framework that both device manufacturers and service providers adhere to. Let’s take a closer look at these three issues. Mobile devices based on iOS and Android have made significant security advances compared to our old-school desktop computers. The sandboxed app model, where applications only have limited permissions in the system, is good at keeping malware at bay. The downside is however that you can’t make traditional anti-malware products for these environments. These products used to carry an overall responsibility for what happens in the system and monitor activity at many levels. The new model helps fight malware, but there’s a wide range of other threats and unsuitable content that can’t be fought efficiently anymore. We at F-Secure have a lot of technology and knowledge that can keep devices safe. It’s frustrating that we can’t deploy that technology efficiently in the devices our kids love to use. We can make things like a safe browser that filters out unwanted content, but we can’t filter what the kids are accessing through other apps. And forcing the kids to use our safe browser exclusively requires tricky configuration. Device manufacturers should recognize the need for parental control at the mobile devices. They should provide functionality that enable us to enforce a managed and safe experience for the kids across all apps. Privacy is an issue of paramount importance in social media. Most platforms have implemented good tools enabling users to manage their privacy. This is great, but it has a downside just like the app model in mobile operating systems. Kids can sign up in social media and enjoy the same privacy protection as adults. Also against their parents. What we need is a special kind of child account that must be tied to one or more adult accounts. The adults would have some level of visibility into what the kid is doing. But full visibility is probably not the right way to implement this. Remember that children also have a certain right to privacy. A good start would be to show whom the kid is communicating with and how often. But without showing the message contents. That would already enable the parents to spot cyberbullying and grooming patterns in an early phase. But what if the kids sign up as adults with a false year of birth? There’s currently no reliable way to stop that without implementing strong identity checks for new users. And that is principally unfeasible. Device control could be the answer. If parents can lock the social media accounts used on the device, then they could at the same time ensure that the kid really is using a child account that is connected to the parents. The ideas presented here are all significant changes. The device manufacturers and social media companies may have limited motivation to drive them as they aren’t linked to their business models. It is therefore very important that there is an external, centralized driving force. The authorities. And that this force is globally harmonized. This is where it becomes really challenging. Many of the problems we face on Internet today are somehow related to the lack of global harmonization. This area is no exception. The tools we are left with today are pretty much talking to the kids, setting clear rules and threatening to take away the smartphone. Some of the problems can no doubt be solved this way. But there is still the risk that destructive on-line scenarios can develop for too long before the parents notice. So status quo is really not an acceptable state. I also really hope that parents don’t get scared and solve the problem by not buying the kids a smartphone at all. This is even worse than the apparent dangers posed by an uncontrolled net. The ability to use smart devices and social media will be a fundamental skill in the future society. They deserve to start practicing for that early. And mobile devices are also becoming tools that tie the group together. A kid without a smartphone is soon an outsider. So the no smartphone strategy is not really an alternative anymore. Yes, this is an epic issue. It’s clear that we can’t solve it overnight. But we must start working towards these goals ASAP. Mobile devices and Internet will be a cornerstone in tomorrow’s society. In our children’s society. We owe them a net that is better suited for the little ones. We will not achieve this during our kids’ childhood. But we must start working now to make this reality for our grandchildren.   Micke

February 8, 2016
BY 
Mikko Hypponen

Mikko Hypponen’s Malware Hall of Fame

Mikko Hypponen is one of the world’s most prominent cyber security experts. Described as a “virus hunter” in a Vanity Fair profile called “The Code Warrior”, Hypponen has spent nearly 25 years with F-Secure protecting people from computer viruses, worms, trojans, and other types of malware. In 2011, Hypponen travelled to Pakistan to meet the men behind the first known PC virus – Brain.A. [youtube https://www.youtube.com/watch?v=lnedOWfPKT0&w=560&h=315] The Brain virus was released in January of 1986, making January 2016 the 30th anniversary of this milestone in malware history. I thought it would be interesting to reach out to Mikko and ask him about other families of malware that standout as being noteworthy. So here’s Mikko’s list of some of the most infamous malware families (including viruses, worms, trojans, etc) that’ve pestered, frustrated, and even extorted computer users over the past few decades. 1990 Form – Form was a common computer virus identified in 1990, and for several years, was arguably the most prominent computer virus in the world. Spread through 3.5” floppy disks, it infected millions of computers throughout the world, and is possibly one of the most widespread viruses in history. 1992 Michelangelo – Michelangelo earns a place on the list for being the first truly global virus scare. It was named after the famous artist because the virus remained dormant until March 6 (the artist’s birthday), when it would awaken and overwrite sections of infected hard disks, thereby making the information inaccessible and the computer unusable. The virus was never particularly prominent compared to some of its contemporaries, but its destructive nature and subtlety helped spread Michelangelo Madness throughout the globe. 1995 Concept – Concept was the very first macro virus – a type of virus that infects applications such as Microsoft Word. It was a very prominent security concern in the mid-nineties, and even though it was successful in propagating itself organically during this time, it hasn’t been seen in over a decade. As the first macro virus, it was notable in that it spread by hiding itself as a Word doc and then infecting computers as those documents were shared. By using Word, it could use both Windows PCs and Macs to spread infections, as the software could run on both platforms. 1999 Melissa – Melissa, supposedly named after an exotic dancer, was a computer virus that sent infected Word documents to contacts in victims’ Outlook address book. While the virus was not designed to be particularly destructive, its rapid proliferation through the Internet wreaked considerable havoc on corporate servers and infrastructure. Some accounts claim that it infected twenty percent of computers globally, and the man eventually convicted of releasing the virus into the wild admitted to causing eighty million dollars in financial losses. 2000 Loveletter – Loveletter, also widely known as ILOVEYOU, was a prominent email worm that was able to spread itself throughout the globe in a matter of hours by promising victims a little bit of love. Disguising itself as a chain, love-themed email to recipients helped it quickly spread from its Filipino origin through Asia, Europe and North America. To this date, it is one of the largest malware outbreaks of all time, and responsible for an estimated 5.5 billion dollars of damage. 2001 Code Red – Code Red was the first fully-automated network worm for Windows. As in users would not have to interact with a machine in order to spread the infection. Code Red’s most infamous day was July 19th, 2001, when it successfully infected 300,000 servers. The worm was programmed to spread itself on certain days, and then execute distributed denial-of-service (DDoS) attacks on others, and was used against several different targets (including The White House). 2003 Slammer, Lovsan, and Sobig – Ok, so there’s three here and not just one. But they all occurred very close together, and unfortunately, all three were worms responsible for massive, global malware outbreaks. Slammer targeted servers so it’s presence wasn’t readily apparent to end users (save some lagging when they were attempting to access an infected server). Lovesan, however was able to infect end users running Windows ME or Windows XP, and use the infected machines in DDoS attacks. Sobig spread itself through email and network drives, and contained a trojan in order to cause more headaches for infected users. However, it appears that the trojan feature did not function as expected. These three worms infected millions of machines, and made headlines all over the world. 2004 Sasser – A computer worm that can be considered as the last large “hobbyist” outbreak. This is significant as it signaled the end of an era when most malware was written by people who were simply curious to see what the malware could do. Nowadays, malware has a more specific, insidious purpose, such as stealing information or making money. 2006 Warezov – A two-year email worm campaign perpetuated by professional criminals, Warezov gained notoriety for downloading new versions of itself from remote servers – sometimes as frequently as every 30 minutes, according to a 2006 interview with Mikko. 2007 Storm Worm (also called Small.dam) – Storm Worm was a trojan that was spread as an attachment to spam emails. But more importantly, it was a combination of complex and advanced virus techniques that criminals were able to use to make money by using infected machines as part of a botnet. 2013 Cryptolocker – A notorious ransomware family, Cryptolocker was spread through malicious email attachments, as well as the infamous Gameover Zeus botnet. Infected victims would find their hard drives suddenly encrypted, essentially locking them out of their devices and data until they paid a ransom to the perpetrators. While the FBI, in cooperation with other law enforcement agencies and security companies (including F-Secure), were able to disrupt the operation, the perpetrators were able to use Cryptolocker to extort about 3 million dollars from victims before being stopped. Other notable mentions include the 2005 Sony rootkit (for being distributed on Sony BMG CD-ROMs on their behalf), the still prominent Downadup worm from 2008 (for infecting millions, including armed forces of several countries and police departments), and the well-known Stuxnet virus from 2010 (for both its sophistication and its apparent state-sponsorship). If you want to know more about the history of computer viruses, you can check out Computer Invaders: The 25 Most Infamous PC Viruses of All Time!

January 29, 2016
BY 
Scam

Yes, it’s OK to play with scammers

This TED talk is so hilarious that I just have to share it with you. Watch it! British comedian James Veitch is engaging in the noble art of scam baiting, or scamming the scammers. The same as this site is dedicated to, or when I almost sold my boat to Mexico. I guess most or all of you already know how to spot an advance payment scam, aka. Nigerian scam. But James has some more to offer here. He’s making two important points, in addition to the excellent entertainment value. People often warns about engaging in any kind of conversation with these scammers. They are after all criminals and it’s safest to steer clear of them. I disagree, just like James. The people behind this kind of scams is not exactly the violent drug mafia. As a matter of fact, anyone who can use e-mail and Google Translate can set up a scam like this. And they are located in some poor remote country, typically in Africa. So it’s extremely unlikely that any of them would start hunting down people who play with them. That would disrupt their everyday business and cut profits, cost money and introduce the risk to get caught. But I do discourage people from engaging in scam baiting under their real identity. Set up a new mail account under a false name and never reveal any real contact info to them. You can reply from a different address than where you got the original spam. They are pumping out millions of spam messages and will not even notice the changed address. This adds an additional layer of security. And more important, it keeps your real inbox free of spam. Use their own tactic. Create a false identity with name, address, profession and country of residence. Stick to that story and make sure not a single bit of it is true. Read more about how to scam bait at 419eater.com. The other point is that scam baiting is a good deed. It keeps the scammers busy and ties up their resources. Resources that otherwise would have been used to scam a real victim and cause real damage. A single scam baiter can’t of course save the world, but they would probably shut down if all of us spent an hour a week scam baiting. And it can be fun so why not? A good scam baiter can be a real pain in the a** for the scammers. Be prepared to get some threats and evil language when they realize what is going on. Consider that as a trophy, a proof that you did it right. Don’t feel bad for them. They did after all contact you with the sole purpose to scam you for money.   Safe scam baiting, Micke   Image: Screenshot from ted.com  

January 28, 2016
BY