The Saga of the Stolen Stingray

Protect It: I imagine one day I’ll own a 1970 Corvette Stingray. It will have its own garage. I’ll lock the garage doors when I’m not using it to make sure it’s safe. I’ll put an alarm on the building—to be sure. And I WON’T leave the keys in it!

Hijacked: A few months ago, my mother-in-law told me her email “broke.” For a few days, she hadn’t received any emails in her Outlook Client. So, I took a peek at her Cox webmail. I found a message stating the account was locked, due to suspicious activity. After a couple hours with tech support, we were able to get in. We found the account had been sending hundreds of spam emails every day. A criminal had hijacked her mail.

Recently I read a blog post in Dentaltown from a dentist victimized like this. His email account had become an unwitting offender. How did this happen to them? Will it happen to you? How can you prevent it?

Credential Stuffing: These email accounts fell victim to what we call a “credential stuffing attack.” It’s often performed by software known as “bots.” See, websites should be storing your username/password pairs (AKA “credentials”) in an encrypted database, but they often don’t. It’s like storing a 1970 Corvette Stingray in your garage (keys in the switch), and then leaving the door wide open. You’d never do that, but websites do—all the time!

Darkweb Dump: Criminals break into those websites and scoop out your credentials. Then, those same criminals dump your credentials on the darkweb. Other crooks snag these breached credentials from darkweb, Amazon-like sites. They then code their bots with lists of credentials, including yours. Finally, the bot logs into your email account.

Picture this:  You use your Gmail address as the username to log into scrapbook.com. Then, you use the same password for scrapbook.com that you use for your Gmail account. A criminal breaks into scrapbook.com. If the database isn’t encrypted (the doors were left open), the thieves steal your credentials. In essence, the criminal drove away in your beloved Stingray! It happened because you used the same key for every door you own: Your house, your Stingray garage, your business office, your mailbox…  You get my point? Worst of all, you left a copy of the key taped to the front door of your house, right in plain sight.

Unique Passwords: We often recommend in these articles that you make sure and use unique passwords for the bucketload of websites you log into. Certain sites are more critical, for example, your email account, as well as your bank account and other accounts containing your financial information. Use a password manager like Bitwarden. If you use a long, unique passphrase, instead of a short password,  and you use a different passphrase for each site you visit, then you reduce the chance of becoming a credential stuffing victim.

Your BlueTooth Is Showing

Is Your Bluetooth On?: I’ll bet the Bluetooth on your phone is enabled right now. How you can tell: when you get in the car and it automatically switches to the hands-free option. This is how most people operate. It’s convenient.

What Is It?: So, what is Bluetooth? It’s like Wi-Fi but for short distances and its built into nearly every smartphone. In an iPhone you use it to Airdrop files to your friends. It connects to your wireless earbuds so you can listen to Sgt. Pepper’s Lonely Hearts Club Band. It can also be used to steal files off your phone without your knowledge.

Snarfing: I’m referring to the attack tactic called Bluesnarfing. This attack exploits a weakness in some mobile phone Bluetooth implementations and it provides unauthorized access to the personal information stored on your phone.

How It Works: Here’s the scenario. You are attending an event outdoors and properly observing the government recommended social distance of six feet. Maybe you’re at the grocery store or one of the few remaining restaurants in town that still allow sit-down dining (like Dickies over by Food City). Someone sits six-feet next to you. They then create a Bluetooth connection to your smart phone, and capture the data stored on it. All without your notice or consent!

Exposure: Why is this important to you? This attack can expose your emails, contact lists, and text messages. Literally anything you store on your phone. Do you have a photo of your drivers license or social security card in there? Anything else you don’t want to become public?

What Risks?: Maybe you think the risk isn’t very high. I mean, how important are you really? In a way, this is conceptually similar to ransomware attacks. Your data is held for ransom. If an attacker gets access to any sensitive data on your phone, they can simply email you anonymously and request a few Bitcoin to have the data deleted. In case you were wondering, at the time of this writing, Bitcoin traded for $11,345.96 per coin. So yes, it’s worth the effort for someone to steal your data.

Please Stop It: Now you may be wondering how you can stop this attack, or if it’s even worth it to try. I mean, are you really at risk? Mitigation is easy. Turn off the Bluetooth when you are in public places. It takes almost no effort on your part. As for risk. Do you have sensitive data on your phone?

What Bugs You?: Now that I have your attention. Bluesnarfing isn’t the only thing that should terrify you. The really scary one is Bluebugging. Bluebugging allows an attacker to have COMPLETE control over your phone. If your phone is Bluebugged, an attacker can make and receive calls over your phone, AND eavesdrop on YOUR phone calls.

Opportunity: Some of this may have sounded like scenes from Mission Impossible, but Bluesnarfing and Bluebugging aren’t make-believe.  And you don’t need to be Ethan Hunt to become a target. As with Ransomware, sometimes all a cyber-criminal needs is an opportunity. Leaving your Bluetooth on all the time is convenient for sure. For both you AND the criminal.

Rise of the Cyber Lamb Chops

Sock Puppet Fame: In the 1950s, a ventriloquist, named Shari Lewis, put a sock on her hand and became famous. Lewis created the persona of a 6-year-old sheep, named “Lamb Chop,” that spoke the punch-line to her jokes. A sockpuppet helped her rise to fame with a very popular 1990’s children’s program. Fame and fortune from a sock!

Cyber Sockpuppets: Social media today has thousands of sockpuppets. No, Lamb Chop hasn’t taken over. A sockpuppet is a phony online identity using “real” accounts for the purpose of deception. Originally, this term referred to people who responded to their own blog posts, or authors who applauded their own books, while criticizing their competition. Nowadays, sockpuppets are used for a wide range of objectives. They are used to shower praise on a person or organization or to antagonize them; they are used to manipulate public opinion, to circumvent restrictions and suspensions, or get others banned from web sites. For instance, Utah Senator Mitt Romney acknowledged operating a secret Twitter account, “Pierre Delecto,” in order to defend himself against criticism — his sockpuppet.

Impact: The impact of sockpuppets would be marginal, except for the fact that nation-states create armies of sockpuppet bots to divide people and dispense misinformation. A single operative may monitor hundreds of sockpuppets, and an organization may use hundreds or thousands of operatives. The bot may simply “re-tweet,” “like,” or “re-post” a divisive headline or comment. 

The Difference: While a human Twitter user may post a few times a day, a bot may tweet hundreds of times per day, all day, on a specific topic. One study by USC analyzed election-related tweets sent in September and October 2016 and found that 1 in 5 were sent by an automated sockpuppet. Some social media platforms have developed software to identify and block bots, so puppeteers have developed something called Cyborgs. These Cyborg accounts mix human subtleties with the 24/7 work ethic of a bot. These are much harder to identify.

U of A: Awareness of threats is a step in the right direction. Michelle Menninger, a student in the University of Arizona’s Cyber Operations program recently made this comment to me,

“Technology opens up an entire world to my kids that could easily destroy their innocence. Being in the Cyber program gives me the opportunity to speak openly with them about the dangers of technology and allows me to be in control of it, instead of letting technology control us.”

Nation States Involved: Nation-state actors use technology to attack the U.S. and spread misinformation in order to destabilize our republic. An article on Wired calls the Russian campaign of disinformation “Active Measures” (https://www.wired.com/story/a-guide-to-russias-high-tech-tool-box-for-subverting-us-democracy/). Their objective is to get Americans to argue about an issue – any issue, as long as it’s divisive. These sockpuppets may appear as someone trusted in your community to draw you into the fray and make you think there is an actual human behind an idea or a movement. They spread lies or half-lies, innuendos, and fake news. They are looking to degrade civil discussion of a given topic and inflame opposing views. For these actors, a divided America is much less of a threat than a united one. 

Be Alert: We are all susceptible to these propaganda campaigns on social media. With all the re-posting and re-tweeting, sometimes it is hard to find the origin of a comment. However, awareness that a sockpuppet army, whose intent is to manipulate public opinion, is out there may provide some protection from taking the bait.

So, the next time you are on social media responding to a post that got your blood boiling, keep in mind that you may be arguing with “Lamb Chop.”