Security Horror Stories and How to Avoid Them

The spookiest month of the year calls for pranks, themed home decor, assorted sweets, and a bunch of bone-chilling horror stories. In the world of tech, "scary" stories often make for funny “server room” jokes, or provide a supply of hardware and software hacks to last you a lifetime. This Halloween, we’re serving up some true security horror stories, and offer some advice on how to avoid being a victim.

The Ransomware Survivor

ransomware-survivor

DJ Singh, a digital architect at Wipro Digital, is a ransomware survivor who shared his tale that began after he clicked on a link that was supposed to lead to a whitepaper. Unfortunately, the link pointed to a compromised Ad-Server. After clicking the link to the whitepaper ad—ironically titled "Preventing Ransomware"—malware took over his computer, with a small window appearing and disappearing in the blink of an eye.

That was when DJ realized that he had been infected with ransomware, a type of malware that prevented him from accessing his files. He tried to check the security controls on his computer, but none of them worked. In an attempt to rescue his files, he found a message that explained that they were all encrypted, requiring a decrypt code to unlock them. Luckily, DJ found a solution online that allowed him to recover a number of files.  It turned out that the majority of the decryption keys were poorly hidden within the malware code. After this ransomware scare, DJ realized that he was able to mitigate the effect of the ransomware by isolating his laptop from other networks. It also helped that he knew he had backups and didn’t need to pay the ransom.

Losing access to important and unreplaceable files can be an individual's or organization's worst nightmare, and the number of ways that ransomware can infect a system make it a common threat. Besides using security software that can defend against ransomware, users are also advised to avoid opening unverified emails and links, and regularly update software and applications. Backing up files using the 3-2-1 rule can also help mitigate the effects of a ransomware infection. 

I Know What You Did Last Night

extortion-story

This horror story begins when Matt, from Melbourne, Australia, woke up, opened his email, and was greeted with a video of a man in a compromising position. To his horror, he realized that the man in the video was him. The email from the hackers threatened to release the footage to all is Facebook friends and colleagues if he didn’t pay them money.

After initially negotiating with the perpetrators, Matt changed his mind and decided to put up a Facebook post announcing that he had been hacked, and that the hackers threatened to expose the film if he did not pay up. In an interesting twist, Matt warned his friends to be careful if they receive a link as they could also get hacked and blackmailed if they clicked on it. He also told his friends to enjoy it nonetheless if they open it, as he thought it was nothing to be ashamed of. Fortunately, he won the support of his friends and colleagues, and Matt never heard from the hackers again.

Matt was lucky as the perpetrators never went through with their threat, but this case highlights the damaging effects of online extortion. This type of abuse happens all the time on the internet. In fact, Trend Micro predicted that cyber extortionists will continue to use fear as a major component of their schemes.

To avoid this online trap, users should stay vigilant and be extremely careful when opening links or attachments. Cybercriminals know that many users are likely to fall for legitimate-looking emails,  and craft the perfect bait to fool users. Always be extra wary of emails coming from people you don’t know and learn to flag suspicious emails as junk or spam. They say that mishaps make for good, funny stories, but when your private moments are at stake, it pays to make sure no one is watching!

The Bookkeeper’s Mistake

bookkeeper-bec

This story began when a bookkeeper at a midsize company received a wire request. Upon receiving an approval email from their CEO to submit and approve wire transfers, the bookkeeper followed her boss’s instructions. The very next day, she received a request from the CEO asking her to submit a wire transfer request. Since the email was consistent with the company’s previous wire requests, the bookkeeper didn't suspect anything irregular and processed the order. The bank, however, called the company to verify if the request was valid because it seemed out of character. In response, the bookkeeper insisted that the wire request was legitimate and that it came from the CEO.

The bank eventually processed the payment and wired the transfer. The business later realized that fraudsters manipulated the request.

The bookkeeper’s tale reminds users about the dangers of Business Email Compromise (BEC) schemes. While it sounds as common as the classic Nigerian Prince scam, this threat should never be taken lightly. Over the past two years, BEC schemes have resulted in over $3.1 billion in total losses to approximately 22,000 enterprises around the world. Stay safe by carefully scrutinizing all emails, and by installing proper protocols for handling these types of requests. The FBI urges businesses to use two-factor authentication (2FA) where available and to use other communication means such as telephone calls to verify transactions.

The Doppelganger

identity-theft

On a cold February night, a woman came home from work and received a call from a major credit card company. They had asked her to call them on account of some unusual activity. Thinking it was fraudulent, the woman ignored it at first, but when she got the call again, she decided to double-check the number.

Sure enough, it was the credit card company’s fraud department. They told her that someone tried to obtain a credit card using her name, address, and Social Security number. This prompted the bank to verify if she had signed up for a card. Furthermore, the bank told her that the hacker had more of her personal information, such as her birthdate, her mother’s maiden name, and had even succeeded in changing the contact information associated with her credit card.

Identity theft cases such as this demonstrate only one of the possible ways stolen personal information can be used. Like an evil doppelganger, identity thieves can impersonate a victim to gain access to online accounts and finances. Given the prevalence of this threat, users must remember to be careful who they give their personal information to—and this includes posting personally identifiable information on public platforms such as social media. 

Trend Micro Security can help minimize the amount of personal data tracked by websites and services and safeguards accounts and ensures that the data isn't transmitted without your consent. You can also prevent identity theft by carefully managing your account passwords, learning about a site’s privacy and security policies, and by limiting your exposure on social networks.

It Comes From the Server Room

tech-support-scam

This last story is about an employee who became a victim of a tech support scam. 

David, an elderly gentleman from the Midlands, received a phone call from someone who claimed to be a representative of BT, his broadband provider. The call appeared to come from an international number, making David more suspicious as the usual international calls they get were always just a waste of time. However, the man on the other end of the line tried to convince him that his BT broadband service was rife with viruses that it had to be addressed right away. David then asked the caller for details to verify the validity of the source.

After a few attempts to contact the real helpline of BT broadband, he called the fake number back and was greeted appropriately by a call center agent who transferred his call to a technician. The technician, who sounded quite credible, told David that he has been monitoring David’s broadband activities and that a few anomalies showed that he had been hacked. The technician instructed him to type “Alureon” to show him the virus that had infected his computer. Incidentally, “Alureon” is a real virus that affects Windows OS. After this show and tell, David was convinced that he was infected, and gave the technician remote access to his computer, supposedly to further examine the so-called errors in his system. Just as David was about to completely fall for the scam, the technician asked him to log into his banking site. After falling for a similar scam years ago, he recognized that something was wrong and hung up.

Online and phone scams are often fundamentally the same, with scammers using various methods to dupe users into falling for their traps. The tech support scam uses a slightly different tactic by offering to “help” the user with a non-existent problem. In reality, when victims take the bait, the scammers could install malware such as keyloggers or access your computer without your knowledge.

To avoid becoming a victim, hang up immediately when a caller offers to fix your computer for a fee—especially when you didn't request for support. Always question the need for remote access, and get legitimate security solutions. When it comes to scams, awareness of common social engineering tactics and other online threats is the best defense.

HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.