A slew of strange security news stories made headlines this week, from scams to hacks. The Threatpost team breaks down the top stories that made everyone scratch their heads, including:
–Cartoon Network streaming websites being hacked to play Brazilian stripper videos.
– A Catholic church in Brunswick, Ohio was scammed out of a whopping $1.75 million as a result of a business email compromise (BEC) attack.
-A scammer pretending to be Jason Statham tricked a vulnerable and unsuspecting fan out of “a significant amount” of money.
Below is a lightly edited transcript of the podcast.
Lindsey O’Donnell: Welcome to the news wrap Threatpost podcast for the week ended May 3, you’ve got Lindsey O’Donnell here with the Threatpost team, including Tom Spring and Tara Seals. Hi, everyone.
Tom Spring: Hello.
Lindsey: So it’s been a pretty weird week news wise. I didn’t think that we would see topics like Jason Statham or the Catholic church or certainly not Brazilian strippers.
Tara Seals: Right. Very strange news week on the Threatpost news site.
Tom: Yeah, it was definitely not your average news week.
Lindsey: Tara, I think you had the weirdest story this week about the Cartoon Network being compromised to show Brazilian strippers. Can you tell us a little bit more about what happened there?
Tara: Yeah, absolutely. Actually, it was a single Brazilian male stripper. But he’s kind of an internet celebrity, I suppose, which I did not realize before researching the story, but his name is Ricardo Milos. And he’s really well known for sort of getting out there, posting videos, gyrating, and his red bandana on his forehead and an American flag thong. So, you know, that’s kind of awesome. The internet loves this. And so they’ve sort of adopted him and made him into the subject of countless memes, which if you do a quick search, a lot of them will come up. So these hackers that compromised the Cartoon Network sites, in various regions around the world, and he was sort of their go-to guy for that.
Tom: So just to be understand this, this was a hijacking of the actual streams that were being pushed through Cartoon Network’s websites, it had nothing to do with any of the live TV or any cable-television-based video.
Tara: Correct. Yeah, this was their digital properties, in 16 different territories around the globe. And so apparently, a pair of hackers were able to compromise whatever Cartoon Network uses for their website management platform and it was kind of a one and done thing. So they compromise that and then are able to roll out their own video content streams, to the various portals around the world.
Tom: It’s just so weird — I mean if you’re a hacker, and you’re able to gain that type of access to the Cartoon Network’s back end — and this is your goal? I mean, you think about all of the ransomware, DNS attacks, you think about all the mean and nasty things you could possibly do. This definitely is sort of mean and nasty, but it has a very odd twist to it.
Lindsey: Yeah, were they just like trolling or was there any sort of idea of what the motivation was behind this?
Tara: I don’t know — I picture a couple of teenagers somewhere saying ‘this is going to be awesome guys, let’s do this,’ type of thing. I mean, it definitely seems more like a lark than any sort of political agenda, or somebody with a vendetta against Cartoon Network. And typically, when we see these website attacks, they do tend to fall into the hacktivist category. But, you know, there was nothing political here, there was nothing particularly pointing towards any sort of motive whatsoever. So it just seems as though it was just more of a nuisance, ‘let’s see if we can do this’ kind of thing.
Lindsey: Yeah, well, I had never heard of Ricardo Milos until I watched the video that you used as a demonstration in your article.
Tara: Your life is richer for it now.
Lindsey: Exactly. I was definitely getting vibes that were similar to, if you remember the article I wrote a while back, about the hackers that were defacing the Wall Street Journal and hijacking printers and other vulnerable IoT devices and showing messages that told people to subscribe to PewDiePie. So I feel like that is kind of a similar incident.
Tara: Yeah, that PewDiePie story that you did, you know, obviously got a lot of attention. And it was a similar thing. It just kind of seemed to be sort of run of the mill, internet kids out there rallying around to a cause and taking down major media sites.
Lindsey: And I mean, the other interesting thing about this particular incident is that, am I correct in remembering that they didn’t notice it until after a whole weekend?
Tara: Yeah, it was a couple of days at least, which is just kind of incredible. I’m not really sure why they didn’t pick up on it. I don’t know. You know, obviously asleep at the switch there on the weekends.
Tom: The timing is perfect to try to try to strike while nobody’s at the wheel. But I wonder sometimes with these, you’ve got people who find these vulnerabilities, they report these vulnerabilities and they’re so frustrated because nobody will listen to them about their vulnerability. I have no clue as to what was behind this or what motivated it but you know, I do speak with a lot of researchers, who never resort to this, by the way, but they submit bugs to these companies, and they’re just ignored and ignored and ignored, and I wonder whether or not they were just like, okay, you don’t want to listen to me about the bug in your back-end system… we’ll just run some Brazilian stripper videos on your network and see how you like it.
Tara: It’s entirely possible Tom. That’s a really good point. Maybe they’re just like ‘oh really, well, you can just see what we can do then’ kind of thing — just kind of disgruntled.
Lindsey: True. I mean, I guess it could have been worse.
Tara: Well what’s interesting though is that you know, Cartoon Network actually did see some damage out of this. [The hackers] ran the stripper video but also, there were other types of content too like Arabic memes and some other Brazilian means, which is kind of interesting. But the main thing is that when they were remediating this, when they were trying to clean it all up, it actually knocked their digital video players offline for at least a day and a half. And, you know, when you’re not getting those eyeballs, you’re not getting the advertising revenue. And I would imagine that would have a significant financial impact for Cartoon Network and Turner who owns them. So you know, it’s not insignificant, we’re kind of laughing about it, but you know, there was actual corporate damage done here too.
Tom: Well, the reputational damage too, I mean, any parent that has kids that park them, you know, on an iPad with the Cartoon Network running on their digital device, phone tablet, what have you. They’re going to be horrified. You know? I mean, it’s not it’s not too funny when you’ve got, a kid going ‘mommy, daddy, what’s this?’
Tara: Right. Good point.
Lindsey: Yeah, speaking of big financial implications that result from cyberattacks, we had two strange scams that happened and that were in the news this week. One of them I wrote about, which was a church that got scammed out of one point $1.75 million, and all because of a BEC attack. And then the other one Tara wrote about, which was basically someone who is pretending to be Jason Statham tricking a fan to give him or her a significant amount of money.
Tara: Lindsey, the one that you wrote about with the Catholic church, at least there wasn’t rampant gullibility necessarily there – that seems like a pretty well crafted, well researched attack even though it’s just so strange, one parish in Ohio forking over $1.75 million. That just seems crazy, right?
Lindsey: Yeah. I mean, that one was hard to write about. I’m sure the other scam type of article was as well. But this church had forked out, it was basically working on a $4 million church renovation project. And what happened was that two email accounts of church employees were compromised, and the hackers who had compromised them then pretended to be those employees and convinced other church employees over email to divert the payments that were related to this project to a fraudulent account that was owned by them – so yeah, exactly Tara, very well crafted, sophisticated. It’s not like they were blatant about what they were doing, this was took a lot of social engineering and thought and planning. And the worst little detail about this story for me was that the priest said that the construction company called the church asking why they hadn’t paid their monthly payment on the construction project for the past two months. And that was totaling, you know, the $1.75 million. So they basically were like, ‘What are you talking about?’ They were absolutely shocked and kind of caught off guard.
Tara: It’s terrible. And it was for a renovation project. Is that right?
Lindsey: Yeah, so it was just for renovating the church. As I said, overall, it was $4 million. So I guess the damage could have been much worse if they hadn’t been notified about this, but still a pretty significant loss.
Tom: Well, those hackers are going to Hell.
Lindsey: Right. I also just feel like BEC scammers are getting trickier and trickier. Last week the FBI released their internet crime report for 2018. And there are some pretty crazy stories that they listed out as part of the report for some of the scams that they had caught or been notified of. I know in one case, there was a BEC victim who received an email purporting to be from their closing agent for a real estate transaction. And that actually resulted in them initiating transfer of $50,000 to a fraudulent bank account. So it just kind of goes to show, this can really happen to anyone.
Tara: And it seems as though there’s a lot of recon that goes into this, right, the Catholic church example that you wrote about, somebody would have to know that this Vision 20/20 renovation project was going on. They would kind of have to have some sort of detail as to who the construction company was, who the bank was, to be familiar with the inner workings of how that church operates. So that kind of begs the question of, is this an inside scam kind of thing or just somebody in the community who thinks, ‘well, the Catholic Church has a lot of money.’ It just it seems as though it takes a lot of savvy to put something like this together.
Lindsey: Yeah. I will say a lot of information is kind of online at this point, too. So that really makes everyone’s job easier. I know at RSA, there was this really interesting session on BEC scams and how they’re really growing and getting more tricky. And they demonstrated how you could find anything from email addresses to addresses to just an array of information that can be used for social-engineering purposes, so it’s just way too easy now at this point.
Tara: Yeah, absolutely.
Lindsey: You know, when we’re looking at the Jason Statham trick that Tara, you wrote about, that was definitely a scam that was seemed to be a lot more targeted towards someone who could fall for it a lot easier.
Jason Statham
Tara: Yeah, when I was writing this up, I cycled through a series of emotions. Because at first I was thinking, ‘Oh, god, that poor woman I feel so sorry for her,’ but then I’m also thinking, ‘how could she not know this was a scam.’ It’s incredible the level of gullibility on the part of the victim here, which, you know, I don’t want a victim shame, but it does seem a little bit crazy. What happened [started with] a fan page on Facebook, not the official Jason Statham fan page, but just a random fan page, that somebody had set up. A woman in Manchester, England, was a fan of him, she clicked the like, and she was perusing the page when she got a Facebook message, purporting to be from Jason Statham himself. And so this person lured her into believing that he was the real deal. They carry on this correspondence for months and months and months. And then he says the film company’s not paying him for his latest project, and he’s falling on hard times. And can she help him out? Which resulted in her wiring him tens of thousands of dollars.
Tom: It’s crazy. I don’t know. I kind of want to know more about this person who actually fell for the scam. I mean, I don’t want to, like you said, blame the victim here. But in this day and age to do something like that, it just takes a particular type of person to be able to fall for a scam like that.
Tara: Well, and especially because if you look at the exchanges. So, you know, the scammer actually asked her to switch over to WhatsApp, and the police are actually in possession of whole reams and reams and reams of these WhatsApp conversations that they had. And there are grammatical mistakes, he does not sound like an educated person behind this, you know, and certainly doesn’t seem celebrity-like in any way shape or form if you know what I mean. So that’s sort of an initial red flag, in addition to just sort of what are the chances that Jason Statham would single out, you know, a Manchester housewife to be the love of his life. And so, obviously there’s a lot here that just, it’s very confusing as to why she fell for it. However, there are some possible explanations – it did say in the article that she had recently lost her mother. And I guess her fiance as well. So she was going through hard times emotionally, which obviously will make you more vulnerable and needy and perhaps more open to things like this because you just you want to believe it’s true.
Lindsey: Right? I feel like that emotional piece of it that, you know, this the scammer was able to tap into must have had some part to play in that too. And, you see that across a bunch of different scams. I don’t know if you guys have heard the scams where scammers will call grandparents and basically say, we’ve got your son here in Mexico, we need you to wire-transfer us this amount of money.
Tara: Yeah, it’s really sad. And I mean, the types of people that carry out this type of crime, it’s just absolutely reprehensible. It makes me fear for humanity to be honest.
Tom: They’re kind of connected – the Catholic church [scam] and the celebrity fake correspondence. It just comes up, chalk it up to, what’s the old expression? ‘You don’t know who you’re talking to on the internet, it could be a dog or whatever,’ I forget what it is, but you really don’t – you have to be really extremely careful. And I wonder whether or not there’s an older generation that just doesn’t get that, you know?
Lindsey: Right, exactly. Well, who knows what other crazy news we’ll get next week. You know, this week kind of topped everything.
Tara: I like the wacky news week. You need one of those every once in a while.
Lindsey: I agree. Well, Tom, Tara, maybe we should wrap this up. Thanks for coming on to talk about the biggest stories from the week.
Tom and Tara: Thanks Lindsey.
Lindsey: Great and catch us next week on the Threatpost news wrap.
Click here for direct download.
