Once upon a time, we almost lost everything

A story of a near victim of a cyber crime


I was talking to a friend after a long time yesterday.

“What’s new?” I asked him after we were done with the initial chit-chat.

“We nearly lost everything”, he said with a chuckle, “There was a targeted cyberattack on Dad’s phone”.

Targeted cyberattack? That’s being a bit dramatic. Maybe it was SIM spoofing or a phishing attempt, I thought. Maybe uncle clicked on a link he shouldn’t have?

What happened was this. Uncle has retired from a bank. There was a demand from the unions that retired people should get better healthcare coverage. It was supposed to be done very soon.
Uncle started seeing a message on the WhatsApp groups from his friends and colleagues that here’s a link, you need to fill out the details here to get this better coverage.

He ignored it at first. But then after he saw that message getting repeated many times, he clicked on it.

The link was an .apk. The app/malware installed itself on his phone. He opened the app, scrolled through, and then thought he would fill the form later.
While he was out for groceries he saw many OTP requests regarding login to banking services, requests for password changes, etc.

My friend happened to get home early on this day. When uncle told him what was happening, he asked uncle to return home.

The first thing they did was get their accounts frozen. At around the same time, their WhatsApp account sent the same .apk to other users in their WhatsApp chat. My friend tried to take control of WhatsApp but was not able to.

They went to a police station to file a complaint, where they were told to go to the cyber cell. The cyber cell is close to where my university used to be.

The first day they were told to go back as it was late. The second day they were told to return later as the cyber cell expert (and there’s only one for the entire district) was away for a court case. Finally, when they returned the cyber cell expert ran a tool and told them what was happening. They removed the app and told them the phone was good to use.

My friend did a factory reset.

The ordeal was over.


This is basically the setup for The Beekeeper.
We don’t have a Jason Statham defending us though.


Whenever we read or listen about these things we always think this could not happen to me. Or, we blame the victim. This is a thing I have been thinking about this week. Not everybody has my technical know-how. What is par for the course for me, might not be so obvious to most of the people I have in my life.

Still, despite being aware of phishing techniques, I was still caught in one during the last appraisal cycle. We had received a well-crafted mail to check something on our internal portal. The UI for login was the same but without the Authenticator option. I felt weird but continued to enter my password. It was only when the login failed that I got suspicious.

With the advent of AI, these attacks get better (worse?) by the minute. There was a report of an employee transferring 25 million because they thought their CFO asked them to do so.

There are a few things you can do:

  1. Use a password manager
  2. Use 2FA everywhere
  3. Use passkeys where possible

None of these methods are fool-proof. But they help.


So much of our lives are lived on our phones now. Our communications, banking, documentation, everything lives on our phones. If that device is compromised, we can lose everything. With this push to digitise everything and with growing unemployment everywhere I feel like instances of cyber crimes will increase.

Education and awareness are critical to ensure we remain safe in this environment.