Cybersecurity news headlines for March 2021
In March’s edition of cybersecurity news headlines, there are only three stories to report on. There were no significant hacks or data breaches, but some stories did make bigger headlines. A teen hacker responsible for the Twitter bitcoin giveaway scam has been sentenced to three years in prison for his “mastermind” role in the incident that made headlines all over the world. Google will have to face a class-action lawsuit over data collection practices in Incognito mode, despite the tech giant’s efforts to throw it out. And a yearly cybercrime report by the FBI’s IC3 reveals that cybercrime losses amounted to $4.2 billion in 2020.
In no particular order, here’s what made the biggest cybersecurity headlines in March 2021.
Twitter bitcoin scam hacker receives a sentence of three years in prison
The teen hacker responsible for breaking into Twitter accounts of Bill Gates, Elon Musk, Apple, and others to promote a Bitcoin giveaway scam has pleaded guilty and will spend three years in prison, with a further three years of probation.
In July 2020, Graham Ivan Clark, who was 17 at the time, along with two others, was able to access Twitter accounts belonging to high-profile individuals and companies and post messages encouraging users to participate in a cryptocurrency giveaway. Among the hijacked Twitter accounts were those of now-US president Joe Biden, former president Barack Obama, billionaires Bill Gates and Elon Musk, tech giant Apple, and many others. Tweets posted by these hijacked Twitter accounts claimed that a Bitcoin giveaway was taking place and that those who sent some amount of BTC to the displayed wallet address would receive double in return.
While these fake tweets were available for mere minutes, hundreds of transactions were made to the cyber crooks’ wallets, with over $117,000 transferred by unsuspecting users. Twitter immediately took measures to secure the accounts and temporarily stopped verified accounts from posting tweets. An investigation showed that a successful spear-phishing attack was used to steal a Twitter employee’s credentials, which allowed the malicious actors to access internal Twitter tools. Using the stolen credentials, Clark and others were able to hijack the Twitter accounts long enough to post the tweets.
Graham Ivan Clark, Mason Sheppard, and Nima Fazeli were soon named as the perpetrators, with Clark being the “mastermind”. He was arrested the same month in a coordinated operation by the FBI, the IRS, and the Secret Service, and was charged with organized fraud, communications fraud, fraudulent use of personal information, as well as access to a computer without authorization. Clark has been charged under the Florida Youthful Offender Act, and has pleaded guilty. He has received a three-year prison sentence, followed by a probation period of three years. The 7.5 months he has spent in prison prior to his sentencing will be applied towards his three years of imprisonment. All Bitcoin sent to the scammers’ wallet address was returned to law enforcement.
California judge rules Google will have to face a lawsuit for tracking users in Incognito mode
Back in June 2020, a class-action lawsuit was filed against Google, alleging that the tech giant was tracking users and collecting personal information when users were browsing in private browsing mode (Incognito). While Google has tried its best to have the case thrown out, a judge in California has ruled that the company will have to face the class-action lawsuit. The lawsuit seeks at least $5 billion.
The US District Judge who made the ruling for the lawsuit to go forward said that Google “did not notify users that Google engages in the alleged data collection while the user is in private browsing mode”. Google has previously said that it is made clear to users that Incognito mode does not mean that users’ activity becomes invisible to websites, third-party analytics, or ad services.
Google has tried to get the case thrown out on the basis that users see a clear warning when they enter Incognito mode that “activity might still be visible to: websites you visit, your employer or school, your internet search provider”. However, this does not appear to have convinced the judge, and the lawsuit will proceed.
“We strongly dispute these claims and we will defend ourselves vigorously against them,” Google spokesperson Jose Castaneda said in a statement to Bloomberg. “Incognito mode in Chrome gives you the choice to browse the internet without your activity being saved to your browser or device. As we clearly state each time you open a new incognito tab, websites might be able to collect information about your browsing activity during your session.”
The ruling does not come as a surprise, as Google has faced much criticism over its data collection practices. Google has said in the past that it will eliminate third-party cookies that allow advertising services to track users’ activities. It has also said that it will not use alternative methods to track users.
Cybercrime losses amounted to $4.2 billion in 2020, FBI reports
According to the yearly cybercrime report by the Federal Bureau of Investigation (FBI), cybercrime losses exceeded $4.2 billion in 2020. This is a record sum, and a 20% increase compared to 2019 when losses were reported to be $3.5 billion. The FBI’s Internet Crime Complaint Center (IC3) reportedly received 791,790 complaints from the American public in 2020, which is a 69% increase from 2019.
It is no surprise that these record-breaking numbers are very much related to the global COVID-19 pandemic, a time when people all over the world started spending more of their time and money on the Internet. The unique situation that forced millions of people to stay home has provided cybercriminals with an opportunity to make a profit. They were able to take advantage of people doing their shopping online, of those looking for information related to COVID-19, medication, vaccines, stimulus checks, and much more.
The biggest increase in complaints received in 2020 compared to other years was related to phishing/vishing/smishing/pharming. In 2020, IC3 received 241,342 such complaints, more than double the amount from 2019 (114,702). Cybercrime related to non-payment/non-delivery was also common, with 108,869 complaints received in 2020, an increase from the reported 61,832 complaints in 2019. The number of complaints related to extortion was 76,741 in 2020, while personal data breaches and identity theft were reported 45,330 and 43,330 times respectively in 2020. Cybercriminals also targeted unemployment insurance, Paycheck Protection Program (PPP) loans, Small Business Economic Injury Disaster Loans, and other COVID-19-related stimulus funds.
The IC3 notes that cybercriminals impersonating government agencies have been a particularly common scheme during this pandemic. Various means were used to contact potential victims, including email, social media, and phone calls, and scammers mainly tried to obtain victims’ personal information or extort money via threats or schemes. Once COVID-19 vaccines became available, scammers started contacting potential victims, inviting them to pay for a supposed vaccine or register to get one. This way, cybercriminals were able to phish users’ personal information and steal money.
According to the annual report, the IC3 received 19,369 Business Email Compromise (BEC) and Email Account Compromise (EAC) complaints in 2020, with estimated damages exceeding $1.8 billion. Both BEC and EAC scams can lead to the unauthorized transfer of funds and involve cybercriminals compromising legitimate business email accounts through social engineering and computer intrusion techniques. IC3 also notes that 2020 saw a larger number of BEC/EAC complaints related to identity theft and funds converted to cryptocurrency.
The annual internet crime report further mentions that the IC3 received 15,421 complaints related to tech-support scams in 2020. It is estimated that losses related to these scams amount to over $146 million. Tech-support scams are one of the most common cybercrimes encountered on the Internet, and involve malicious actors claiming to be real technical support and pretending to resolve made-up issues on victims’ computers. 66% of victims who reported the crime in 2020 were over the age of 60 and experienced approximately 84% of the reported losses.
2,474 of the complaints received by the IC3 in 2020 were related to ransomware. The estimated amount of ransomware-related losses was over $29.1 million. Ransomware is malicious software that, once inside a computer, will encrypt personal files and demand that users pay money in order to recover them. The report also mentions that the FBI does not encourage victims to pay the ransom, noting that paying does not guarantee file decryption and may encourage other cybercriminals to engage in ransomware distribution. It should be mentioned that the numbers related to ransomware crime are rather inaccurate, as numerous companies have paid millions of dollars in ransom in 2020. The inaccurate numbers likely stem from the fact that many ransomware victims do not report the attacks and silently pay the ransom.
- Dan Sullivan. Tampa Twitter hacker agrees to three years in prison. Tampa Bay Times.
- Malathi Nayak and Joel Rosenblatt. Google Must Face Suit Over Snooping on ‘Incognito’ Browsing. Bloomberg.
- IC3. Internet Crime Report 2020.