2023 February Cyber Bytes

A Basic iPhone Feature Helps Criminals Steal Your Entire Digital Life

The passcode that unlocks your phone can give thieves access to your money and data; ‘it’s like a treasure box’

Source: Forbes by Joanna Stern and Nicole Nguyen on February 24, 2023

NEW YORK—In the early hours of Thanksgiving weekend, Reyhan Ayas was leaving a bar in Midtown Manhattan when a man she had just met snatched her iPhone 13 Pro Max. Within a few minutes, the 31-year-old, a senior economist at a workforce intelligence startup, could no longer get into her Apple account and all the stuff attached to it, including photos, contacts and notes. Over the next 24 hours, she said, about $10,000 vanished from her bank account. Similar stories are piling up in police stations around the country. Using a remarkably low-tech trick, thieves watch iPhone owners tap their passcodes, then steal their targets’ phones—and their digital lives.

The thieves are exploiting a simple vulnerability in the software design of over one billion iPhones active globally. It centers on the passcode, the short string of numbers that grants access to a device; and passwords, generally longer alphanumeric combinations that serve as the logins for different accounts. With only the iPhone and its passcode, an interloper can within seconds change the password associated with the iPhone owner’s Apple ID. This would lock the victim out of their account, which includes anything stored in iCloud. The thief can also often loot the phone’s financial apps since the passcode can unlock access to all the device’s stored passwords. “Once you get into the phone, it’s like a treasure box,” said Alex Argiro, who investigated a high-profile theft ring as a New York Police Department detective before retiring last fall. He said there have been hundreds of these sorts of crimes in the city in the past two years. “This is growing,” he said. “It is such an opportunistic crime. Everyone has financial apps.”

Apple Inc. has marketed itself as the leader in digital privacy and security, selling its tightly integrated hardware, software and iCloud web services as the best protection for its customers’ data. “Security researchers agree that iPhone is the most secure consumer mobile device, and we work tirelessly every day to protect all our users from new and emerging threats,” an Apple spokeswoman said. “We sympathize with users who have had this experience and we take all attacks on our users very seriously, no matter how rare,” she said, adding that the company believes these crimes are uncommon because they require the theft of the device and the passcode. “We will continue to advance the protections to help keep user accounts secure.” An examination of the recent spate of thefts reveals a possible gap in Apple’s armor. The company’s defenses are designed around common attack scenarios—the hacker on the internet attempting to use a person’s login credentials, or the thief on the street looking to snatch an iPhone for a quick sale.

They don’t necessarily account for the fog of a late-night bar scene full of young people, where predators befriend their victims and maneuver them into revealing their passcodes. Once thieves possess both passcode and phone, they can exploit a feature Apple intentionally designed as a convenience: allowing forgetful customers to use their passcode to reset the Apple account password. “It was only a matter of time before an attacker would use shoulder surfing or social engineering,” said Adam Aviv, an associate professor of computer science at George Washington University. Relying on a phone as a trusted device fails in such cases, he added. All of the victims interviewed by The Wall Street Journal said their iPhones were stolen while they were out at night socializing. Some said the phones were grabbed out of their hands by someone they had just met. Others said they were physically assaulted and intimidated into handing over their phones and passcodes. A few said they believe they were drugged. They woke up the next morning missing their phones, with no memory of the previous night.

In all cases, the iPhone owners were locked out of their Apple accounts. They then discovered thousands of dollars in financial thefts, including some combination of Apple Pay charges, drained bank accounts linked to phone apps and money taken from PayPal Holdings Inc.’s Venmo and other money-sending apps. A similar vulnerability exists in Google’s Android mobile operating system. However, the higher resale value of iPhones makes them a far more common target, according to law-enforcement officials. “Our sign-in and account-recovery policies try to strike a balance between allowing legitimate users to retain access to their accounts in real-world scenarios and keeping the bad actors out,” a Google spokesman said.

On the evening of Jan. 22, 2022, Reece Thompson, an art director at a creative agency in Hiawatha, Iowa, was having a drink with his girlfriend while visiting downtown Minneapolis when his iPhone 12 Pro went missing from the bar. The next morning, when he tried to log into his Apple account from a different device, the account password had been changed. Thousands of dollars had been charged to his credit cards via Apple Pay and $1,500 was stolen from his Venmo account, he said. Reece Thompson was visiting Minneapolis when thieves stole his iPhone 12 Pro at a bar and then racked up thousands of dollars in charges via Apple Pay. Minnesota prosecutors say Mr. Thompson, age 42, was a victim of a theft ring that accumulated nearly $300,000 by stealing iPhones and their passcodes from at least 40 victims. The group targeted bar-goers with Apple smartphones, quickly looted accounts accessible via those devices and then resold the phones, according to the arrest warrant for one member of the alleged ring, Alfonze Stuckey. Mr. Stuckey has since pleaded guilty to one count of racketeering and received a 57-month prison sentence. Eleven other suspects have been charged with racketeering in the case.

Mr. Stuckey, 23, who has a previous record of misdemeanors, said he wouldn’t comment unless he is compensated. His lawyer declined to comment. Groups of two or three thieves would go to a bar and befriend victims, often asking them to open up Snapchat or some other social-media platform, said Sgt. Robert Illetschko, the lead investigator on the case. During that interaction they would try to observe the victim unlocking the iPhone with the passcode, he said. If they didn’t catch the passcode at first, they might have tried to get the victim to hand them the phone for a photo and then subtly turn it off before handing it back, he added. After an iPhone is restarted, a passcode is required to unlock it. “It’s just as simple as watching this person repeatedly punch their passcode into the phone,” said Sgt. Illetschko, adding that sometimes thieves would covertly film victims so they could be sure they caught the correct sequence. “There’s a lot of tricks to get the person to enter the code.” Similar cases have been reported in Austin, Denver, Boston and London. In New York City, one of the first inklings police received about the extent of this new crime wave came in the form of an unexplained death.

On Friday, May 27, while visiting from Washington, D.C., John Umberger went out for the night in Manhattan, ending the evening at a bar in the Hell’s Kitchen neighborhood. Five days later the 33-year-old director of diplomacy and political programs at the American Center for Law and Justice was found dead in the apartment he was staying in, with an emptied wallet and no iPhone. At first, police suspected it was a routine drug overdose. Then his family discovered thousands of dollars had been taken from his bank, PayPal and Venmo accounts, along with suspicious credit card charges, according to Mr. Umberger’s mother, Linda Clary. She believes her son’s Apple account password was changed. Mr. Argiro, the New York City detective who participated in the investigation of Mr. Umberger’s death before retiring in September, said authorities came to believe he was the victim of a group of thieves that target New York bar-goers, launder money via apps and then resell the phones. This particular group is believed to be responsible for more than 30 incidents, he added. The Manhattan district attorney’s office is assembling a case to present before a grand jury, according to people familiar with the investigation.

The Method
In theory, recent security innovations from Apple should eliminate the vulnerability of an intercepted passcode. The Apple spokeswoman pointed to Face ID and Touch ID as ways that would limit the need to type a passcode at all. Yet in New York, some authorities have suggested Face ID as a possible point of entry into the phones. The city’s Office of Nightlife, a liaison between City Hall and the hospitality industry, hosted a speaker who recommended bar-goers disable facial recognition, on the theory that an incapacitated person’s face could be used by the thieves.

Anatomy of the attack
A passcode breach is the more likely scenario, according to the Journal’s reporting and on-device testing. To change someone’s Apple ID password on an iPhone, a face scan won’t suffice: A passcode is needed. When the password change is complete, the software offers an option to force other Apple devices, such as Macs or iPads, to sign out of the Apple account, so a victim couldn’t turn to those devices to regain access. The software never requires the user to enter an older password before setting a new one. Journal reporters were able to do all that in less than a minute.

An Apple spokeswoman said the system is designed to help users who have forgotten their account password. She added that it requires two factors, the physical device as well as the device’s passcode. With the new password, the thief can disable Find My iPhone, which would otherwise allow victims to locate their phones and even remotely erase them to protect their data. Disabling Find My iPhone also allows the thief to resell the iPhone. Apple recently introduced the ability to use hardware security keys, little USB dongles, to protect the Apple ID. In the Journal’s testing, security keys didn’t prevent account changes using only the passcode, and the passcode could even be used to remove security keys from the account.

The Damage
Taylor Ashy, a sales executive at a New York-based tech company, said he was drugged the night of Dec. 10, 2021, at a New York bar. He has no recollection of how his phone was taken. All he knows is that whoever took it gained access to his bank app, enrolled his bank’s debit card in Apple Pay, and opened a Venmo credit card and Apple credit card in his name. Taylor Ashy said he was drugged at a New York City bar before thieves stole his iPhone 11. He awoke to find thousands of dollars taken via his bank and money-sending apps. The New York Police Department declined to provide details of how they believe thieves are gaining access to their targets’ phones. Mr. Ashy, who had more than $10,000 transferred out of his bank account, said he stored passwords to those accounts in Apple’s iCloud Keychain password manager. The feature auto-fills login information following successful Face ID or Touch ID scans, or the input of the iPhone’s passcode, according to the Journal’s testing. In Mr. Ashy’s case and others, the bank fraud happened after the victims’ biometrics were no longer available to the thieves.

If apps require text-message codes as part of their logins, a security practice known as two-factor authentication, the messages are sent to the iPhone—the same one a thief would be holding. After logging into bank apps with the passcode, the Journal was able to add digital debit cards to Apple Pay without needing the physical cards or their PINs. Money can be sent from the debit cards to Apple Cash, which can be used to send money or to make contactless payments at stores. Several victims said an Apple credit card was opened in their name. The cards quickly accrued thousands of dollars in charges. Accessed through Apple’s Wallet app, an Apple Card application will autofill with information that might be stored on the iPhone, such as the owner’s name, address and birthday. The Apple Card form does require applicants to enter the last four digits of their Social Security numbers. One victim, David Vigilante, believes the thieves found that information right in the Photos app on his iPhone XS Max.

After having the phone stolen at a pizza shop on Manhattan’s Lower East Side in the early hours of Oct. 23, the 30-year-old product manager at a real-estate data company realized someone had attempted to charge $15,000 to his credit card via Apple Pay and that a new Apple credit card had been opened in his name. When he got back into his Apple account a few days later, he found photos he had previously taken of sensitive documents—his passport, driver’s license, paycheck direct-deposit form and health-insurance paperwork—collected in a new photo album. Apps such as Apple Photos, iCloud Drive and Google Drive now offer the ability to search text within images and documents. In the Journal’s tests, a search in the Apple Photos app for ‘SSN’ (Social Security number) and ‘TIN’ (taxpayer identification number) immediately produced a photo of a 1099 tax form with Social Security information that had been stored on the phone.

Most victims the Journal spoke to filed police reports. One filed an identity theft claim with the Federal Trade Commission. Most of their banks and financial apps have refunded money considered lost through fraudulent activity. Some people whose iPhones were stolen are unable to regain access to their Apple accounts. With the passcode, an Apple ID’s backup email and phone number can be changed, and a security feature called a recovery key can be enabled. In recent cases, thieves changed the Apple account’s contact information and turned on the recovery key, blocking victims from being able to use an account-recovery service for those who forget their Apple ID password. The Apple spokeswoman said that account-recovery policies are in place to protect users from bad actors accessing their accounts.

Reyhan Ayas lost about $10,000 and access to her Apple account after her iPhone 13 Pro Max was stolen outside a bar in Manhattan. Those who remain locked out of their Apple accounts have often lost something irreplaceable. Right after her iPhone was stolen outside the New York bar, Ms. Ayas, who holds a graduate degree in economics from Princeton University, tried to log into her Apple ID and access Find My iPhone. By that point the thief had already changed her password. Months and numerous calls to Apple support later, she still is unable to get back into her account because the thief also enabled the recovery key. According to Apple’s policies, the company doesn’t allow users to regain access to their account if a recovery key is enabled and they can’t produce it. “I go to my Photos app and scroll up, hoping to see familiar faces, photos of my dad and my family—they’re all gone,” Ms. Ayas said. “Being told permanently that I’ve lost all of those memories has been very hard.”

Writing Like a Boss With ChatGPT and How to Get Better at Spotting Phishing Scams

It’s never been easier to write a convincing message that can trick you into handing over your money or personal data

Source: Welivesecurity.com by Phil Muncaster on February 22, 2023

ChatGPT has been taking the world by storm, having reached 100 million users only two months after launching. However, media stories about the tool’s uncanny ability to write human-sounding text mask a potentially darker reality. In the wrong hands, the powerful chatbot (now also built into the Bing search engine) and technologies like it could be misused by scammers and so ultimately help “democratize” cybercrime to the masses. By delivering a fairly low-cost, automated way to create mass scam campaigns, it could be the start of a new wave of more convincing phishing attacks.

How cybercriminals could weaponize ChatGPT
ChatGPT is based on OpenAI’s GPT-3 family of “large language models.” As such, it has been painstakingly trained to interact with users in a conversational tone, wowing many with its naturalistic responses. It’s still early days for the product, but some of the initial signs are troubling. While OpenAI has built guardrails into the product to prevent its use for nefarious ends, they don’t always appear to be effective or consistent. Among other things, it has been claimed that a request to write a message asking for financial help to flee Ukraine was flagged as a scam and denied. But a separate request to help write a fake email informing a recipient they had won the lottery was given the green light. Separate reports suggest that controls designed to stop users in certain regions from accessing the tool’s application programming interface (API) have also failed. Type in a prompt and voila! Criminals could also ask the tool to further tweak these kinds of (still mostly boilerplate-ish) messages to their heart’s content and leverage the output for attacks, both targeted and indiscriminate. This is bad news for everyday internet users; indeed, cybercriminals have already been spotted leveraging ChatGPT for malicious purposes on multiple occasions. These developments might put the ability to launch large-scale, persuasive, error-free and even targeted cyberattacks and scams such as business email compromise (BEC) fraud into the hands of far more people than ever before. Indeed, most (51%) cybersecurity leaders now expect ChatGPT to be abused for a successful cyberattack within a year.

One clear takeaway is that we all need to get better at spotting the tell-tale signs of online phishing scams and prepare for a potential surge in malicious emails. Here are some things to look out for:

1. Unsolicited contact
Phishing messages usually appear out of the blue. Granted, business marketing missives can also seem pretty sudden. But when an unsolicited email that claims to be from a bank or any other organization pops into your inbox, you should automatically be on high alert for potentially suspicious activity, doubly so if it contains a link or attachment.

2. Links and attachments
As mentioned, one of the classic methods used by scammers to achieve their ends is embedding malicious links or attaching malicious files to their emails. These might covertly install malware onto your device or, in the case of links, whisk you to a phishing page where you’ll be asked to fill in personal information. Avoid clicking on links, downloading files or opening attachments in messages even if they appear to be from a known, trusted source – unless you have verified with the sender via other channels that the message is authentic.

3. Requests for personal and financial information
What is the end goal for a phishing attack? Sometimes it’s to persuade the recipient to unwittingly install malware on their machine. But in most other cases it’s to trick them into handing over personal information. This is usually sold on dark web marketplaces and then pieced together to commit identity theft and fraud. It could be a request to take out a new credit line in your name, or payment for an item with your card details, for example.

4. Pressure tactics
At the heart of phishing is a technique known as social engineering, which is essentially the art of making other people do what you want through persuasion and exploitation of human error. Creating a sense of urgency is a classic social engineering tactic – achieved by telling the victim they only have a limited time in which to respond or else they’ll be fined or miss out on the chance to win something.

5. Something ‘free’
If something looks too good to be true it usually is. Yet that doesn’t stop people falling for non-existent freebies all the time. A classic example of this is generous ‘gifts’ offered to people in return for participating in surveys, in which they have to hand over personal and/or financial information. Needless to say, the victim never receives their iPhone, gift card, money or any other item they were promised.

6. Mismatched sender display and real domain
Phishers will often try and make their email address look like it’s come from a legitimate source, when in fact it has not. For example, by hovering over the sender domain you can often see the real email address that sent it. If the two don’t match and/or if the underlying one is a long combination of random characters, there’s a good chance it’s a scam.

7. Unfamiliar or generic greetings
Phishing actors try to impersonate individuals from legitimate organizations in a bid to build trust with their victims. But they may not always know the right tone to use when emailing. If you’re used to being called by your first name by a company but then see an email which is more formal, it should ring alarm bells, and vice versa. Also, no legitimate bank or other organization will send you an email from an address that ends in @gmail.com.

8. Exploiting current events or emergencies
Another classic social engineering technique is to piggyback on popular news events or emergencies in order to persuade recipients to click through. This is why phishing emails soared during COVID-19 and also why criminals deployed charity scams soon after Russia invaded Ukraine. Always be skeptical of messages that cite current events.

9. Unusual requests
Similarly, look out for emails in which the sender makes unusual requests. It may, for example, be your bank asking to confirm personal and financial details via email or text, which an actual bank will never do. Any email that opens with “Dear customer” or “Dear [email address]” should set your alarm bells ringing.

10. Asking for money
Phishing is about harvesting personal information and/or installing malware. But some scams are even more direct. It goes without saying that you should never agree to hand over money to someone who sends you an unsolicited message, even if it is described as a “fee” to release a delivery, or a cash prize.

Grammatical errors may be a thing of the past thanks to tools like ChatGPT. But fortunately, there are many other warning signs to alert us to possible scams. Take your time online, and always think about what motivated an individual to send a particular message.
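Several of the signs in the list above (2, 6, 7 and 9) can be checked mechanically from a message's headers and body. The following is an added example, not part of the original article; the organization name, domains, free-mail list, attachment deny-list and both sample messages are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Assumed values for the demo; a real deployment supplies its own lists.
KNOWN_ORGS = {"example bank": "examplebank.com"}  # display-name keyword -> real domain
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
RISKY_EXT = {".iso", ".exe", ".zip", ".dmg", ".rar", ".jar"}
GENERIC_GREETING = re.compile(r"^\s*dear\s+(customer\b|\S+@\S+)", re.I | re.M)
SHOWN_HOST = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def registrable(host):
    """Naive 'last two labels' domain; production code should use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text)))
            self._href = None

def check_message(raw_bytes):
    """Return a list of (sign, detail) findings for one raw RFC 5322 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    findings, bodies = [], {"plain": "", "html": ""}
    # Signs 6 and 7: the display name claims an organization, the address says otherwise.
    display, addr = parseaddr(str(msg["From"]))
    sender_domain = registrable(addr.rpartition("@")[2])
    for keyword, real_domain in KNOWN_ORGS.items():
        if keyword in display.lower():
            if sender_domain != real_domain:
                findings.append(("sender-domain-mismatch", f"{display} via {sender_domain}"))
            if sender_domain in FREEMAIL:
                findings.append(("org-on-freemail", addr))
    # Sign 2: attachments, judged by the final extension (also catches invoice.pdf.exe).
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if PurePosixPath(name.lower()).suffix in RISKY_EXT:
                findings.append(("risky-attachment", name))
        elif part.get_content_type() in ("text/plain", "text/html"):
            bodies[part.get_content_subtype()] += part.get_content()
    # Sign 9: "Dear customer" / "Dear <email address>" openings.
    greeting = GENERIC_GREETING.search(bodies["plain"])
    if greeting:
        findings.append(("generic-greeting", greeting.group(0).strip()))
    # Sign 2: the link text shows one domain while the href points at another.
    collector = LinkCollector()
    collector.feed(bodies["html"])
    for href, shown in collector.links:
        shown_host = SHOWN_HOST.search(shown)
        target = urlsplit(href).hostname or ""
        if shown_host and registrable(shown_host.group(1)) != registrable(target):
            findings.append(("link-text-mismatch", f"{shown_host.group(1)} -> {target}"))
    return findings

def build_message(sender, greeting, href, shown, filename):
    """Build a constructed sample message (not real traffic) as raw bytes."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, "alice@example.org"
    msg["Subject"] = "Your account statement"
    msg.set_content(f"{greeting}\nPlease review: {shown}\n")
    msg.add_alternative(f'<p>{greeting}</p><p><a href="{href}">{shown}</a></p>', subtype="html")
    msg.add_attachment(b"constructed placeholder bytes", maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

PHISH = build_message('"Example Bank Security" <x7f3k9q2@gmail.com>', "Dear customer,",
                      "https://login.examplebank.com.verify-session.example.net/",
                      "https://examplebank.com/login", "statement.pdf.zip")
BENIGN = build_message('"Example Bank" <alerts@mail.examplebank.com>', "Hi Alice,",
                       "https://www.examplebank.com/statements",
                       "examplebank.com/statements", "statement.pdf")

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("BENIGN", BENIGN)):
        print(label, check_message(raw))
```

A clean result only means none of these mechanical signs fired; the remaining items in the list (pressure, too-good-to-be-true offers, requests for money) still need a human reader.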

Accidental WhatsApp Account Takeovers? It's a Thing

Blame it on phone number recycling (yes, that's a thing, too)

Source: theregister.com by Jessica Lyons Hardcastle on February 21, 2023

A stranger may be receiving your private WhatsApp messages, and also be able to send messages to all of your contacts – if you have changed your phone number and didn't delete the WhatsApp account linked to it. Your humble vulture heard this bizarre tale of inadvertent WhatsApp account hijacking from a reader, Eric, who told us this happened to his son, Ugo. "This is a massive privacy violation," Eric said. "My son had long-lasting access to that person's private messages as well as group messages, both personal and work related." The security hole stems from wireless carriers' practice of recycling former customers' phone numbers and giving them to new customers.

WhatsApp acknowledges that this can happen, but says it's extremely rare. "We take many steps to prevent people receiving unwanted messages, including expiring accounts after a period of sustained inactivity," a WhatsApp spokesperson told The Register. "If for some reason you no longer want to use WhatsApp tied to a particular phone number, then the best thing to do is transfer it to a new phone number or delete the account within the app." "In all cases, we strongly encourage people to use two-step verification for added security," the spokesperson continued. "In the extremely rare circumstances where mobile operators quickly re-sell phone lines faster than usual, these additional layers help keep accounts safe." It's not a widespread problem, at least not yet, but a data privacy issue nonetheless, and a cautionary tale for users of any messaging service that uses mobile phone numbers as a primary form of user identification. Oh, and the WhatsApp spokesperson is spot on about two-factor verification, which everyone should use anyway.

Here's what happened.

Ugo was a long-time WhatsApp user in Switzerland with his account tied to his Swiss phone number. In October, he moved to Paris for work, got a new French phone number and a new SIM card. All the while he was using WhatsApp, which continued sending and receiving messages per usual, unaware of the phone number change. Later that month, he changed his phone number with WhatsApp, and then things got ugly. Here's what happened, according to Eric: His phone was immediately flooded with all the groups from a stranger, and he started receiving all the new messages that were meant for that person, whether individual or in the groups. His profile photo was also swapped for the other person's photo. Note that this person seemed to be Italian, most/all messages were in Italian… He tried to respond to these individuals and groups saying he wasn't the right person, but that was very confusing to others because to others, he appeared as the person they thought he was. Eric disclosed the issue to WhatsApp and parent company Meta, and was told that it's a recycled phone number issue, not a WhatsApp-specific bug. "For example, if a number has a new owner and they use it to log into Facebook, it could trigger a Facebook password reset," the security team told him. "If that number is still associated with a user's Facebook account, the person who now has that number could then take over the account."

Meta admitted that "this is a concern," but told Eric that it didn't qualify as a bug for the bug bounty program. "Facebook doesn't have control over telecom providers who reissue phone numbers or with users having a phone number linked to their Facebook account that is no longer registered to them," the email said. According to Eric, however, WhatsApp could take steps to mitigate the problem, like regular checking to ensure a user's phone number is correct. "At the very least when they see that someone is requesting a phone number change (from A to B) and they see that there is an active account on phone number B that does not seem to have anything to do with the also active account attached to phone number A, challenge the account on phone number B to prove that they still own phone number B or update their number," he said.

For its part, WhatsApp provides a help page about how to transfer phones, and recommends if someone wants to stop using WhatsApp altogether, they should delete their accounts.

How Many Cyber Attacks Happen Per Day in 2023?

Source: techjury.net by Jacquelyn Bulao on February 27, 2023

Everyone connected to the internet is a target for hackers. Sorry, we don’t make the rules. With this in mind, we have decided to bring you some of the most incredible cyber attack statistics in 2022 to give you an idea of how many cyber attacks per day are happening worldwide.

How Many Cyber Attacks Happen per Day in 2023?

•    By 2025, cybercrime will cost the world $10.5 trillion yearly.
•    The entire cost of cyberattacks in 2022 was $6 trillion.
•    95% of data breaches are the result of human error.
•    Globally, 30,000 websites are hacked daily.
•    64% of companies worldwide have experienced at least one form of cyber attack.
•    There were 22 billion breached records in 2021.
•    In 2021, ransomware cases grew by 92.7%.
•    Email is responsible for around 94% of all malware.
•    Every 39 seconds, there is a new attack somewhere on the web.
•    An average of around 24,000 malicious mobile apps are blocked daily on the internet.

Cyber Security Attack Statistics
When it comes to IT, cybersecurity has one of the most significant budgets.  Why’s this? It has become an issue that eats deep into the very foundation of a business, crashing the party and costing millions and even billions of dollars in the process. 

Let’s look at some cyber attack statistics: 

1. 300,000 new pieces of malware are created daily. (Source: Web Arx Security). Yes, you read that right! Thousands of new pieces of malware are being created daily, ranging from viruses, adware, Trojans, keyloggers, etc., with one sole aim - to steal people's data. Luckily, we've ranked the best antivirus solutions to keep you safe from all this nasty malware.

2. As of 2022, over 60% of financial service companies have 1000+ sensitive files accessible to all employees. (Source: Varonis). Moreover, about 60% of companies in the field have 500+ passwords that never expire. With insiders being a significant risk factor, such businesses are more vulnerable to cyber attacks and data breaches.

3. .zip and .exe are among the most popular malicious email attachment extensions. (Source: NordVPN). Cyber attack stats for 2022 show that opening email attachments with extensions like .iso, .exe, .zip, .dmg and .rar should be avoided. .zip and .jar files can easily bypass the anti-malware security of most email providers, so be on the lookout for them. Microsoft Office files could also pose a threat. Since most people are used to extensions like .ppt, .doc, and .xls, they’re easy to overlook.

4. The average cost of a data breach in 2022 was over $3.80 million. (Source: Cybercrime Magazine). 2022 data breach report from IBM shows that companies spent up to $3.80 million per data breach in 2022.

5. Uber reportedly lost the information of 57 million riders and drivers after a data breach in 2016. (Source: Tech Crunch). The Uber data breach occurred in 2016 with more than 600,000 drivers having their license numbers and names exposed to hackers. According to cyber attack statistics, this attack represents one of the most significant data breaches in recent times. What’s more, Uber did pay off its hackers $100,000 to delete the stolen data. However, word came out about a year later after the attempt proved unsuccessful. Following this, Uber had to pay a sum of $148 million to settle a nationwide investigation into the data breach. Quite fascinating, right? But that's not all - if you are interested in more curious facts about the ride-hailing company, you can check out our Uber statistics list. 

6. Friendfinder's website lost 412 million user accounts after being hacked. (Source: Wall Street Journal). Friendfinder is the parent company of a few other online dating websites such as AdultFriendFinder, Cams.com, Penthouse, Stripshow, and iCams.com. In 2016, Friendfinder was hacked, leading to the loss of millions of accounts containing the personal details of users. Cyberattacks statistics have it that Cams.com had the worst hit, with over 62 million accounts exposed. Penthouse.com, in its own case, lost more than 7 million accounts.

7. Over 550 US healthcare organizations experienced data breaches in 2022. (Source: Health Hit Security). Statistics on hospitals and cyberattacks have shown that financial institutions aren’t the only ones facing data breach issues. History has shown that the healthcare sector is among the most targeted. In 2022, up to 550 US healthcare organizations experienced data breaches. These cyber attacks affected over 40 million individuals as patients’ private information was stolen.

8. About 14.5 billion email spam campaigns accounted for over 45% of the email traffic. (Source: Statista). In 2022, up to 45% of all emails sent out were spam. Of these, a good number were malicious, while the rest were marketing emails. During that time, the largest number of unsolicited spam emails came from Russia. Up to 24.7% of the global spam volume originated from there.

9. The average life cycle of a data breach is about 11 months. (Source: Cyber Observer). 314 days is the total time it takes from the breach to the containment of a successful cyber attack. It takes an average of 7 months to identify a breach, and another 4 months to contain such a breach.  The malicious programs deployed by successful hackers are stealthy, automatic, and can successfully disguise themselves as non-malicious files in case of a routine security check-up.

10. Ransomware is the third most used form of cyber attack in 2022. (Source: Panda Security). Up to 10% of data breaches in 2022 were ransomware-related. This made it the third most used cyberattack method. There were 304.7 million ransomware attacks in the first half of 2022 alone. This high volume is expected to continue into 2022.

11. Email is responsible for 91% of all cyber attacks. (Source: Deloitte). According to cyber attacks statistics, email remains one of the most popular and successful means that hackers use in distributing malware to their prospective victims. When a target opens the attached file or clicks on the malicious link following an email, a type of malware is executed. It either steals user information or disrupts company operation, depending on what it was programmed to achieve.

How Many Cyber Attacks Happen per Day Globally?
Before you are done with this post, someone somewhere would have successfully been hacked. Yes, you read that right! Keep reading to find out statistics on how many cyber attacks happen per day on average.

12. Globally, 30,000 websites are hacked daily. (Source: Web Arx Security). Financial, healthcare, and retail organizations are all prime targets for hackers daily. When cybercriminals can't get through the cybersecurity infrastructure of an organization, they can try to gain access to your website. Some of the ways they can achieve this include software vulnerability, access control, and third-party integrations like extensions. For content management system platforms like WordPress, which host over 35% of all websites on the internet, 98% of vulnerabilities come from plugins. That's why there are also tons of security plugins to protect the vulnerable ones.

13. Every 39 seconds, there is a new attack somewhere on the Web. (Source: University of Maryland). That is about 2,244 attacks that happen on the internet daily! That’s how many cyber attacks happen per day. We saw earlier how hackers are creating hundreds of thousands of new malware daily. They are not created to sit idle; they are to be deployed onto the web and penetrate vulnerabilities within specific targets.  However, it is also essential to take note that an attack does not necessarily mean a breach. A cyber attack can be successful or unsuccessful, depending on the cybersecurity measure put in place by a target. 

14. Hackers breached almost 4 million records in March 2022. (Source: IT Governance). As of March 2022, there were 88 publicly disclosed cybersecurity cases. This resulted in 3,987,593 breached records. For the entire first quarter of 2022, a total of 75,099,482 records were breached.

15. More than ½ the organizations with IoT devices have no security measures in place. (Source: IoT World). According to remote cyber attacks statistics, eight in 10 corporate networks utilize internet of things devices. Shockingly, only about 50% of them have the proper infrastructure to protect themselves from hacking. In fact, most of them still use the default password. That poses a massive risk, as data breaches could happen any minute.

16. An average of around 24,000 malicious mobile apps are blocked daily on various mobile app stores. (Source: Symantec). With over 4.78 billion of the world's population now mobile phone owners, it is expected that the attention of hackers will shift to mobile phone users. Most malicious mobile apps fall under these four categories - spyware, Trojans, phishing sites, and hidden processes.

17. In 2022, businesses around the globe face a ransomware attack every 11 seconds. (Source: Dataprot). Statistics on how many cyber attacks happen per day inform us that in 2022, businesses fall victim to ransomware attacks every 11 seconds. This marks a 20% increase from 2019.

18. 23,000 DDoS attacks are happening somewhere on the internet every 24 hours. (Source: Net Scout). A distributed denial of service attack, also known as a DDoS attack, uses multiple systems to flood a particular server with irrelevant requests. This leads to a point when the server in question is unable to process legitimate requests from genuine users. It is simply an attempt by hackers to disrupt the day-to-day operation of a business. The motive behind most DDoS attacks is to obtain ransom from victims. Reports have it that 679,000 DDoS attacks occur monthly, which results in a total of 16 DDoS attacks every minute.

19. There are 65,000 attempts to hack small-medium-sized businesses in the UK daily. (Source: Hiscox). Statistics on how many cyber attacks per day in the UK report that the country has one of the lowest costs of data breaches compared to the world's average. Also, out of all cyber attacks attempts made daily, 4,500 of them are always successful. The average cost of a data breach in the UK is $3.8 million, lower than the world's average of $3.92 million. That said, if you live or operate a business in the UK, you might want to consider getting a better AV solution.

20. 64% of companies worldwide have experienced at least one form of cyber attack in the past year. (Source: Cybint Solutions). There are countless reasons why hackers would want to attack a business. Stealing business financial details, customer financial details, espionage, etc., are among the top reasons hackers attack online businesses. Some of the most popular forms of cyberattack used by these attackers are phishing, malware, man-in-the-middle, denial of service, and more.

Industries and Businesses Cyber Attack Statistics
Though individuals and businesses are both prime targets of cyber attacks, the frequency of attacks on businesses (especially small ones) far outweighs that of individuals. Here, we take a look at some of the industry statistics on cyber attack on small businesses worldwide: 

21. In 2022, 43% of cyberattacks target small businesses (Source: Forbes). According to Forbes, only 14% of these companies have proper defenses. And 83% aren’t financially prepared to recover from such attacks.

22. IoT devices suffer approximately 5,200 attacks per month. (Source: Forbes). That’s largely due to IoT devices still being in their infancy stage – thus lacking the necessary level of security to deter cyber attacks.

23. 63% of all organizational internal data breaches are a result of compromised usernames and passwords. (Source: ID Agent). In the journey of online security, deploying a strong password system is your first line of defense against cyber attackers, irrespective of what device you are trying to protect. Cyberattack statistics reveal that the lack of employee cybersecurity training causes workers to use weak and predictable passwords such as "12345", "QWERTY," etc. In its research, Microsoft found that 73% of people online use duplicate passwords across various platforms, thereby leaving themselves exposed to a possible data breach. That's why you should consider creating a strong password, or better yet - use a password manager.

24. 74% of organizations worldwide claim they are susceptible to insider threats. (Source: Bitglass). We pay so much attention to threats posed by external hackers, forgetting that insider threats are as dangerous to us as those we receive from outside sources. Statistics on malicious cyberattacks revealed that insider threats caused 60% of all data breaches for the year. Insider threats can come from malicious/careless workers, inside agents, third-party users/contractors, and even disgruntled employees.

25. By 2031, ransomware will cost the world up to $265 billion. (Source: Forbes). By the end of 2021, up to 37% of all businesses were hit by ransomware. 2022 cyberattack statistics show that ransomware alone had cost the world about $20 billion. Experts estimate that this amount will hit $265 billion by 2031.

26. As of Q1 of 2022, the highest number of DDoS attacks comes from China. (Source: GovTech). According to China’s cyberattack statistics, the country is the highest originator of DDoS attacks in the world. The United States follows closely behind, while Brazil comes third. One of the most recent and notable DDoS attacks occurred in January 2022 when North Korea’s internet was crippled. This attack lasted for six hours and all traffic to and from the country was taken down.

27. Windows is the most vulnerable operating system (OS) for ransomware. (Source: Safety Detectives). Ransomware is likely to affect eight in 10 Windows machines. In contrast, only 7% of macOS devices have the same problem. The operating system that is least likely to get such an infection is iOS with 3%.

28. 53% of Canadian companies that experienced ransomware paid the hackers. (Source: Blakes). Despite warnings by the government not to comply, more than half of the companies that hackers targeted paid the ransom, businesses cyber attacks statistics show. Organizations dealing with professional financial and healthcare services suffered the most breaches. 

Cyber Attack Trends
The YoY increase of cyber attacks has been on the rise for a couple of years now and shows no signs of slowing down. With that in mind, here are some of our picks for possible global cyberattacks trends that could happen in a few short years.

29. The cost of crypto crimes could rise to $30 billion by 2025. (Source: Forbes). According to Cybersecurity Ventures, the cost of crypto crimes hit $17.5 billion in 2021. This figure is predicted to exceed $30 billion by 2025.

30. Global spending on cybersecurity sat at $16.6 billion in the first quarter of 2022. (Source: Statista). Worldwide cybersecurity spending hit $16.6 billion by the first quarter of 2022.

31. Almost 80% of cyber attackers target government agencies. (Source: Forbes). The United States is the most targeted country in the world. Up to 46% of cyberattacks worldwide are directed toward the US. Of these, up to 80% target think tanks, government agencies, and other NGOs.

32. The most common type of ransomware is CryptoLocker - 52% of all. (Source: Safety Detectives). Ransomware is ever-evolving and every so often, a new variant crops up. Cyber attack statistics for 2021 show that the most prominent one is CryptoLocker, involved in over half the hacking incidents. It encrypts your files, then demands payment before it can make them accessible to you again. It started affecting systems in 2013 and has been gaining momentum of late. Second in line is WannaCry, a North Korean ransomware, with 26%. In 2017 it crippled logistics, telecommunications, transportation, governments, and even government organizations in 150 countries. The third most common ransomware is Cryptowall with 16%, and the fourth is Locky with 13%.

Wrap Up
So, giving you a straight answer to how many cyber attacks happen per day is kind of hard. But there are a lot of people out there who have dedicated their lives to getting people’s data and sabotaging businesses. Hopefully, organizations will begin to spend more on cybersecurity to mitigate the growing severity of these attacks.

Alexa, Who Else is Listening?

Your smart speaker is designed to listen, but could it be eavesdropping too?

Source: welivesecurity.com by Jake Moore on February 9, 2023

Ever since Amazon came under fire for being able to potentially listen in on people through its Echo smart speakers, and even transcribe what they were saying, I have been intrigued by the idea of how IoT could be used to snoop on us, unbeknown to the victims. Big tech companies behind Alexa-enabled and other similar devices have since taken steps towards making them more privacy focused, but I recently demonstrated a feature that you should be aware of. Let’s cut right to the chase.

Trouble with an ex
I was recently asked by a friend to help check if she had been hacked, because she could not work out how her ex-partner knew specific information about her life and even private conversations she had had. I first checked her phone and laptop by running ESET’s security software, and couldn’t see any malware or anything untoward. She mentioned that it was as if her conversations were being listened to and mentioned that some of what she had only said to others had been relayed back verbatim. This is when I checked for listening bugs. I didn’t discover anything that shouldn’t be there. However, I was interested in the family’s Amazon Echo Dot smart speaker and asked who could have access to it. She told me that her ex-partner had set the device up two years previously, when they were together, and they both had access to the speaker via a shared account, but only she used it now. As she hadn’t changed her Amazon password – or any other account passwords – since her breakup with her partner, this was a good place to start investigating. I wondered if the device could be used to eavesdrop remotely via the app by anyone with access to the account, which would have let them listen in to her conversations. I remembered I had heard it was possible, but I wanted to test for myself that an Alexa device could be used as a covert listening device. So I bought an Amazon Echo Dot and long story short, my gut feeling didn’t fail me.

The privilege problem
Some smart devices can be taken out of the box and immediately plugged in and used with default – and therefore usually insecure – settings. Obviously I have never been a huge fan of default privacy and security settings on the majority of smart (or almost any other) devices even after Amazon and a number of other technology giants have been forced to improve their settings in order to better protect users from intrusive practices by manufacturers or third parties. Now, people don’t normally realize how easily the devices themselves could be used as spying tools by anyone (more precisely, the device’s admin) with illicit intent. (Obviously it’s not a security vulnerability if an admin can enable it via a checkbox – take note of Law #6 in Microsoft’s Ten Immutable Laws of Security: “A computer is only as secure as the administrator is trustworthy”.) So, I set up my Echo Dot with a unique and strong password and enabled two-factor authentication using an authenticator app, and connected it to my phone. I was also able to connect it to my iPad with ease and I was relatively happy with the security,

I then went to “Devices” in the app and selected my “Echo Dot” and “Settings”, then enabled “Communication”. I then tapped on the “Drop In” feature to enable it. Then back in the “Communicate” tab, all I had to do was select “Drop In” and select my Echo Dot and I was able to listen in to the room that it was in. Easy as pie. I even logged off my home Wi-Fi and connected via 4G to prove I could easily do this from another remote location too. When you Drop In and listen in to a room, the device light ring displays a spinning green light and it also makes a small ring sound to make those in the room aware of the Drop In. I was unable to Drop In with this light and sound turned off, but an unsuspecting victim might not hear it or simply think nothing of it. After all, these devices tend to make lots of sounds and always seem to have coloured light rings for some reason. I also decided to check the device logs via my app, but unfortunately there weren’t any logs or anything to suggest I had “dropped in”, which makes forensic evidence more difficult in such a situation. Logs in Echo Dot devices are called “Activity”, but there’s no way to record the use of the Drop In feature.

The spy in your smart speaker
Back to my friend now. When I asked her if there was a chance her Echo Dot could have been used to listen in, it seemed like she experienced a lightbulb moment. She noted that her Alexa would often have coloured rings spinning and she assumed the sounds were to do with her self-claimed “deluge of Amazon purchases” and other notifications. She claimed that she simply thought that her Alexa was listening for keywords, rather than allowing anyone with her password to listen in on her. She immediately felt uneasy, changed her password, and made her phone the only device pairable with her Echo Dot. Her device has not made any strange sounds or lit up unintentionally since, and she says she now feels far safer.

Is your home bugged?
There are lots of listening devices on the market, but those hiding in plain sight (and not normally thought of as ‘listening bugs’) are often the most commonly used. It goes without saying that we should be aware of their capabilities if they are going to feature heavily in our homes. As a result, it is vital that people follow a few tips when using smart technology to remain safe and secure:

•    Always use strong and unique passwords
•    Enable two-factor authentication
•    Review the device’s settings
•    Only connect to devices that you own access to
•    Do thorough account maintenance – configure user permissions and disable or remove accounts if they’re not needed
•    Change the password if you suspect someone has access to the account who shouldn’t
•    Turn off the device or disable listening mode when having sensitive conversations

iPhones as listening devices
Lastly, aside from the perhaps more obvious devices like smart speakers, did you know that Apple AirPods can also be used as listening devices? Few people seem to be aware that all that somebody has to do is turn on an accessibility feature called Live Listen on their iPhone and with AirPods in their ears, they can use the phone, left in any room, as a listening device. Who would suspect that an apparently “forgotten” phone was actually a deliberately planted “bug”?

Stay safe!