Ocean's 11 Ain't got nothing on this hack!
When it comes to cyber security, "Be the Ball"
We bury our head in the sand for many reasons. Sometimes we’re trying to ignore the present, sometimes the oncoming train of the future. Every now and again we see the sandstorm and we feel powerless to repel the onslaught. This type of head burying is common in technology.
Consider the iPhone. An innovative revolution amongst revolutions. A revolution only 15 years old. Not long ago people carried around a giant brick phone as their “mobile” device. Home phones lived in your home. Only 15 short years since the revolution that would forever change how we go to the bathroom, Instagram or TikTok at the ready… and I guess make phone calls.
How crazy is that? Up until recently we used to poop without access to the world’s knowledge.
Technology provides an immense upside to how we interact with our world, how we live our daily lives. This empowerment though has come quickly. Really, really quickly. Similar innovations have not had the speed that technology does. The printing press, a milestone in human innovation, spent its first couple hundred years printing only a limited selection of books. The important ones, mostly bibles and instruction manuals on how to kill witches.
Any innovation though has two sides. If something can be used to help humankind, it can probably be used maliciously as well. It’s certainly true with technology.
A decade ago, tech leaders were waging war against the growing tide of malware. Innovations in virus and malware technology were popular hobbies for many. We had some fancy names like worms, trojan horses, back-doors… but these were all essentially viruses. You’d install your Norton Anti-Virus or that copy of McAfee that came with the new computer. You could run a manual virus scan or set up the little automated process that would drag your machine to a slow crawl as it inspected every file on your computer, comparing the bits to those in its virus definition tables.
Viruses were a pain certainly. Yet, we had relatively simple problems. So we had simple solutions to combat those problems. Eventually though someone figured out how to monetize it. That’s when the flywheel started exponentially spinning.
The world of malware is evolving at an astounding pace. Generating billions and billions of dollars in revenue. Entire industries are set up to enact and support the malicious software being iterated upon.
I’ve spent my life at the forefront of the technology revolution. Even I’m amazed at how sophisticated the malicious actor has become. Pesky little viruses that might eject the CD-ROM drive at an inopportune time are relics of the past. Expertly orchestrated social engineering gigs stealing millions of dollars are the present.
That’s why I think some people put their head in the sand when it comes to technology. The overwhelming fear of this malicious revenue generating machine. A sophisticated network of threat actors backed by billions of dollars of investment. What is a lone individual to do?
Some companies do what they can. Information Security is an everyday discussion for them. It’s unsurprising and natural that large swathes of time get eaten by the “InfoSec” beast. The good ones spend real money trying to be the wall that malicious actors bash against. Knowing eventually, the hack will come.
So the truth with cyber security is, like many things in life, your safety, your children’s education, your something, the ultimate line of defense is you. Don’t get eaten by the bear. Be the one who outruns the other guy.
Your security has to be led by you because the opportunity for malicious acts is too great. The machine that is aimed at your data, your money, your work… is significant.
So how are “the bad guys” coming after you? They’re clever and inventive. The schemes are always evolving. However, I wanted to highlight one of the more crafty ways because this style of attack is gaining traction in the wild.
“Recruiters” will reach out to people on LinkedIn posing as agents for a large or growing company. Their game is pretty simple. Engage with someone looking for a job. Overpromise and underdeliver on the opportunity available. Maybe even seal the deal with a real, “fake” interview.
In the end, the unsuspecting new hire is sent a welcome letter and job packet that includes a direct deposit form. Just send the banking and routing information so HR can queue up those hefty “paychecks”. Clever. Well targeted. Highly effective.
If you don’t think this is happening effectively, check out this real-world example.
What if you are a bad actor and you are looking to pull off a major con? I’m talking next level, Clooney/Pitt style. This happened to Axie Infinity and it took but a single chink in the armor to yield a 625 million dollar pay day.
Start with that LinkedIn recruiter scam but add a slight twist with a bit of olive. Target the development team employees with the promise of a new startup. Fat paychecks, generous equity, and Kombucha on tap; all to support building really cool new shit. Once you IPO, the question isn’t if you will buy the yacht, just which yacht will it be.
Remember… they only need one.
A single engineer. Feels underpaid, overworked, and ready to put in some grind time to hit the mother of all payouts. Looking to retire as a traveling influencer or whatever these crazy kids are doing these days.
A single Axie engineer was interested in the opportunity. But he didn’t bother to do the homework he should have. So a couple interviews later (all seemed legit), he was sent a “phenomenal” compensation plan. Details inside the PDF “we” sent you. His new life awaits!
Then all hell breaks loose!
A classic trojan horse/spyware attack allowed the hacking group to gain control of key services in the Axie Infinity blockchain. Using that as a beachhead, the threat agents then escalated their permissions to extend the sphere of control. In the end, north of 600 million in crypto stolen.
Worst part, this is not the first case of this type of attack. This is just the most recent type of this attack.
So consider you might have your own company. Maybe you’re a principal or senior operator. Hell, you might be working on your own legit startup. It might seem easier to bury your head in the sand. The crazy attacks are hitting the public every day. What chance do you have?
You have more agency than you think.
Remember, it isn’t about outrunning the bear. Just outrun the other person. You’ll fail at making it impossible for someone to get into your environment. No environment is completely off limits, entirely inaccessible.
Yet you can make it distasteful enough that “the bad actors” will seek out someone else. Remember that the next time you download a random app or you sign up for some weird new website.
You are your strongest line of defense protecting your valuables. Read up a little and be your own front line of security.