Seen in the Wild
These are some examples of malicious activity that I have seen "in the wild". Most of these either happened to me, happened to someone I know, or I saw explained somewhere.
General Cyber Attack Concepts
- Steal your login information
The best way to trick your family and friends is to pretend to be you. Your connections are more willing to give you money based on how well you know them. When a malicious actor steals your login credentials to a social media account, they are riding the coattails of your social status to manipulate and steal either information (including other victims) or money / gift cards.
This is often done by a malicious link that will send you to a fake login website built to look just like the real login website.
I've also seen spam emails with Google Docs, Google Sheets, Google Forms, or some other way of entering a username and password combination, and they ask you to provide your login credentials. This is usually from a spoofed email meant to look like a school or workplace where you might have login credentials.
- Trick you into paying to send you money
I've seen this a couple ways. The first is the Nigerian Prince scam where a Nigerian Prince had his assets frozen and needed money. There was a promise of much more money to be paid back once the prince had his assets unfrozen.
That's the really popular scam, but the one I've seen I detail further down as the X App "Lottery winner". That scammer was trying to convince me that I needed to send money to pay for a FedEx driver to deliver me a package of physical money. Right away, I knew it was weird to not just wire money digitally. Anytime someone asks for something before they give you something, you need to be sure that they'll actually give you that something.
- My grandma friended me again with a second account using the same picture.
- Bad actors will copy a profile picture and name to try and friend the victim's friends. They may slightly alter the profile picture to not be screened as using the same exact picture.
- "She" said she was in a car accident and needed me to send her money. I was so worried about her being injured that I reached out to other family to see if they could help. They told me grandma was fine and that was someone else.
- My relative was kidnapped in another country and needs money
- Didn't happen to me personally, but I've heard of this one. This is where they will trick an older relative into thinking they are traveling and in need of money - either car accident, stolen wallet, etc.
Remedies - adjust the visibility of your Friends list to only Friends, or even to just Mutual Friends.
X app | Twitter
- A lottery winner reached out to gift me money
- Even having just finished a 6-month cyber security boot camp, I still somewhat fell for this. I thought to myself "If I had won the lottery, how would I randomly hook people".
- I was about 60-80% sure this was a scam. But that 20-40%.
- They sent me a picture of a FedEx driver, the name of the driver, the ID of the driver, and the whole time I'm wondering "why do you care so much about the driver".
- They wanted to deliver physical bundles of money to me via this driver.
Phone Call
- Student Loan Forgiveness
- Someone made a fake profile of a high-ranking member of the nonprofit I work for. That profile sent connection requests to several, if not all, of our team. I saw this the day before I acted, figured it looked scammy and ignored it. However, technically, I help manage the IT Security for where I work.
So today, when I realized it was probably something I should head off, I ensured it was a fake profile by finding the real profile, which is verified and has 500+ connections. I included links to both profiles and sent direct messages to all those involved: the victim the malicious actor was impersonating, and the victims that accepted the connection requests.
- When I started at this company, someone used LinkedIn (I assume) to find out who the CEO / President used to be of the company I just hired on at and sent me a text message "from them". I asked the person that was training me if it was legit, and he told me "oh no, that used to be the president long ago. That's a scam."
The reason I think they got my phone number, and possibly email, is the LinkedIn data breach.
From Google AI:
""" Yes, LinkedIn has experienced data breaches in the past where phone numbers were leaked. These leaks, which have involved scraping of public profiles and other security incidents, have exposed phone numbers along with other personal and professional information such as full names, email addresses, and job titles.
Details:
Past Leaks: Several incidents involving the exposure of LinkedIn user data have occurred, with one notable instance in 2021 where a hacker advertised 700 million profiles for sale on a dark web forum.
Data Compromised: The leaked data included full names, email addresses, phone numbers, LinkedIn profile URLs, job titles, company information, social media account links, and more.
Impact on Users: Leaked phone numbers can be used for malicious activities such as spam calls, phishing attempts, and identity theft.
Recommendations: Users are advised to be cautious of unsolicited calls or messages and to consider limiting the visibility of their phone number on LinkedIn or other public platforms. """
OnlyFans
- I have a free subscription to a lady that makes content on there. I was contacted by someone pretending to be her on Facebook. I looked her up and found her real Facebook profile, which had the same image for the profile picture as this fake account. I told the fake account I know they are fake as she would just talk to me with her real profile. The fake account said "oh no, this is my private account."
The way that these services work is the content creator would only use their established social media accounts to conduct business. There is no reason to make "a private account" and talk with fans or customers. Period. I told the fake account that when I find them, I'm not going to go easy on them. Maybe even physical violence. She continued to argue, so I reported the fake profile and sent a DM to the real artist saying that I had a fake profile contact me.
- I had a fake OF account try to get me to subscribe to what looked like an OF account that was using other people's content. The description and aspects about it seemed like it was managed by an Indian company that just had a bunch of content of women that didn't work there. I reported this profile as well, as the "person" that was pretending to try and sell me content wasn't able to prove their identity. I asked for this "woman" to send me a picture with "a-Rye" written on her. "She" sent me a poorly photoshopped image of the text "a-Rye"...typed and with a color filled background that they tried to match her skin tone with. "She" was a darker skinned lady and the color box that the text was in wasn't a perfect match. This was a laughably horrible job of trying to pose as someone else. AKA Catfishing. The "lady" also tried to do it with a coffee cup by buying a coffee somewhere and photoshopping my alias of "a-Rye" on the coffee cup. I just stopped responding and reported the OF profile and explained that I think that profile was stealing content from other creators.