Hackers are considered persistent, passionate, smart, adaptable, stealthy and merciless: no disaster is enough of a deterrent to keep them from exploiting it by technological means – as the corona crisis has impressively demonstrated.
Hacker attacks can be extremely complex and sophisticated, but most cybercriminals prefer the path of least resistance and rely mainly on phishing, insufficient password protection, unpatched systems and social engineering to achieve their goals. But there are also cases of compromise that are anything but conventional, as the following examples show.
In 2017, security provider Darktrace caused waves of disbelief when it discovered a hack in which criminals used an internet-connected aquarium at an American casino to tap data. The aquarium was equipped with IoT sensors and connected to a computer that could monitor the water temperature and quality.
The aquarium served as a gateway for the attackers: once they were “inside”, they discovered even more vulnerabilities and were able to move laterally through the network. The tapped data was sent to a device abroad.
Most business users are now aware of phishing emails – it’s a different story when the boss calls them directly. In such a case, very few people assume that they may be the victim of a voice phishing (vishing) attack.
In 2019, the first known AI-based vishing attack took place in England: The attackers used commercial AI speech software to imitate the voice of the German boss of a British utility company. Using the software, they called the company’s UK CEO and persuaded him to transfer $243,000 to a supplier in Hungary. Thanks to the slight German accent and the typical speech pattern of the imitated boss, the CEO suspected nothing – until the criminal hackers got too greedy and tried to use the same scheme a second time, which eventually exposed the whole thing.
However, law enforcement agencies were unable to identify the cybercriminals or recover the money. It could be the beginning of a ghostly era of AI-powered deepfake attacks.
When it comes to loot, cyber criminals usually only care about cash or cryptocurrency. In France in 2019, however, the authorities caught a gang of five who had tapped a total of nearly 120,000 liters of petrol at petrol stations around Paris. The criminals gained access through a special device that allowed them to hack into a specific manufacturer’s fuel pumps. The hack was possible because the gas station employees had not changed the default password for the pumps – the code “0000” did not present much of a challenge for the attackers. The criminal hackers were then able to reset the gasoline prices and remove any limits on fill quantities.
The gang relied on a division of labor in their machinations: One hacker activated the pump remotely, while the others only had to drive a large van (including an extra tank in the back) to the corresponding pump and drain up to 2,800 gallons of fuel for free in a single “duty cycle”. The cyber gang then distributed the stolen fuel at bargain prices on social media – even placing ads for it. Police believe the gang “earned” about $170,000 this way.
Weak credentials are an overarching security issue. This is shown time and again when electronically controlled street signs and traffic information panels are hacked.
In Auburn Hills, Michigan, USA, two unknown perpetrators took over a gigantic street sign at night with the aim of turning the highway below into a hardcore porn cinema. According to the police, the two hackers only needed 15 minutes for the entire operation – so the password wouldn’t have been particularly difficult to guess in this case either.
A 24-year-old IT specialist in Jakarta, Indonesia, was responsible for a similar, albeit much more spontaneous, porn stunt. While he was sitting bored in a rush-hour traffic jam, he spotted login details that briefly appeared on a display board. Of course, he immediately hacked into the huge screen and streamed explicit pornographic content across it. Since Indonesia is a conservative Muslim country, the action received little approval from the authorities: the coitus-obsessed IT professional faces six years in prison.
The reality show “Die Höhle der Löwen” has also been successful on German television for years. Barbara Corcoran is an entrepreneur, a member of the jury for the original American “Shark Tank” and was recently the victim of an email scam in which she had to deal with the loss of almost $400,000.
A cybercriminal masquerading as Corcoran’s assistant sent an email containing a fake invoice to Corcoran’s accounting department, which overlooked the fact that the email address was incorrect. Therefore, questions about the transfer to a German bank account went directly to the criminals – who, of course, approved the process. It wasn’t until the accounting department sent an email (to the correct address) to inquire if the transfer had arrived that everything came out.
The person in charge of the finance department was allowed to keep his job, although the nearly $400,000 initially seemed lost. In the meantime, however, the amount has been recovered. For Corcoran, it should have been “peanuts” anyway: “I lost $388,700 through a fake email campaign. At first I was mad, but then I realized it was just money,” the deceived entrepreneur said while she still assumed her money was gone.
Criminal hackers can be incredibly smart. Sometimes that doesn’t work out so well, as the example of Keith Cosbey shows. He was CFO of Choicelunch – a company that supplies meals to several schools in California.
The CFO apparently broke into his main competitor LunchMaster’s network and gained access to students’ personal data. He then sent the captured data anonymously to the California Department of Education — noting that LunchMaster clearly doesn’t take data protection very seriously.
Ultimately, the subsequent FBI investigation, which exposed what had happened, proved to be the hacking CFO’s undoing. Cosbey has been arrested and will probably be allowed to deal with ready meals in the coming years, just on a completely different level.
March 12, 2019 was a quiet night in DeSoto and Lancaster, suburbs of Dallas, Texas – until, at half past one, the tornado warning sirens suddenly went off and the night turned into an inferno of noise for an hour and a half, without there ever having been a real tornado.
Texas is known as “Tornado Alley”, and March through May is the height of hurricane season, so many residents understandably panicked at first. In the wake of the incident, authorities reported that unauthorized persons had accessed the network with malicious intent. A similar incident had already occurred in April 2017, when 156 tornado warning sirens went off around Dallas – also in the middle of the night and for no reason. This incident was also attributed by the authorities to criminal hackers. There is no clue as to the identity of the potential siren serial hackers.
Serious security vulnerabilities in home security devices and baby monitors are nothing new: Using techniques such as credential stuffing, and aided by lax password protection, cybercriminals can use such devices to spy on individuals or businesses.
A hacker, apparently bored at the sight of a sleeping baby, kept shouting “wake up baby” loudly into the microphone, alerting the concerned parents, who were amazed at the loud voices from the nursery. When the hacker saw them, he yelled numerous obscenities at them through the baby monitor. These and other incidents have since led to IoT-based “jokes” becoming much less common.
This post is based on an article from our US sister publication, CSO Online.