Next time you want to post photos of your holiday in the Caribbean or the French Riviera on Instagram or check into your favourite luxury hotel on Facebook, think again. With cybercriminals keeping tabs on the social media footprint of the well-heeled, you may be at risk of virtual extortion.
Take the case of the daughter of a well-known MNC CEO based in India who recently posted her vacation and hotel details on Facebook. Cybercriminals hacked into the security video of the hotel she was staying in and retrieved footage of some of her intimate moments. “They told the CEO to pay up $250,000 or they would post the footage online,” says a cybersecurity expert who took up the case when the police failed to act.
However, the ransom eventually had to be paid since the network was too big to track down. While companies continue to be the primary targets of cybercriminals, social media platforms like Facebook, Twitter, and Instagram have made it easy for hackers to track and target high net worth individuals (HNIs) and their family members.
Sivarama Krishnan, leader, Cyber Crime, PricewaterhouseCoopers (PwC), says there have been at least 12 cases of digital ransom in the last year, where private information, like location or pictures, has been collected from social media accounts of CXOs or their family members. No such cases had come to light in 2014.
A major reason for this rise is the fact that people are doing and sharing more online. “It might start with a random friend request accepted unthinkingly. But by doing that you may be exposing your entire contact list as well as giving out your email id, Twitter contacts, and Instagram pictures in the process,” says Jayant Saran, who leads eDiscovery and digital forensic services for Deloitte. He estimates extortion cases at 100, but says they may be intentionally hidden owing to the profile of the people involved. Devendra Parulekar, partner and national leader, information security at E&Y, adds that there have been instances of predators first befriending relatives of the actual target on Facebook to reach out to the target.
Prasanna J, director of AVS Labs, a Bengaluru-based cybersecurity lab, adds that information like an individual’s birth date, mother’s maiden name and email id are sometimes enough to access their bank accounts and Facebook makes it easier to do that. He personally knows of 3-4 cases where money of HNIs was siphoned off through information obtained on social media. “The ransom is usually anything between Rs 1 crore and 5 crore. Many just pay the money so that the case stays off the radar,” he says.
A cyber security analyst recalls an instance of holiday snaps posted on a CEO’s Facebook account being morphed. There was yet another one last year where a married Indian VIP was told that video footage of him being physically intimate with a foreign woman would be circulated to his Facebook friends if he didn’t pay a few crores.
In many such cases, the social media platform has cooperated with experts. “They have helped us track the network and get a few people arrested. But some hacker networks are really strong to crack,” says Prasanna. Facebook did not respond to TOI’s emails on the issue.
Another increasingly common extortion method is the use of ransomware, malicious software that encrypts data such as bank details and personal family photos, rendering them unusable. Then an ominous message from the attacker pops up, demanding a ransom to unlock the computer or decrypt the data.
Parulekar says three companies in Bengaluru have been hit in the last three weeks after particular systems or servers of individuals’ computers were locked down for ransom. A Bengaluru office lost Rs 20 lakh a week ago through this.
“Big corporates usually have systems and resources in place to avoid any form of ransomware but individuals and HNIs are vulnerable,” adds Parulekar. Krishnan points out that since anti-virus on mobile is used by less than 20% as against PCs, attacks through smartphones are going to rise as their penetration grows in India. “Malware can be sent to mobile through apps,” he adds. Through app permissions, one inadvertently tends to give full access to private information. Besides, mobile apps and mobile games too constitute a security threat in some cases.
Since targeted individuals typically operate at the CXO level, corporates are ramping up their budgets to secure their network. A Gartner report says security spending (hardware, software and services) in India was expected to reach $1.11 billion in 2015, up 8.3% from $1.02 billion in 2014. In fact, Cisco global chairman John Chambers had told TOI in a recent interaction that cybersecurity was one of the biggest challenges for CEOs.
Sources say Wipro’s security budget has gone up from Rs 20 crore to Rs 120 crore within a year. PwC, on the other hand, has taken its cyber expert strength up from 60 in April 2015 to 320 now. Accenture too has hired more experts on its team. But like in the real world, prevention is better than cure, so don’t befriend strangers or click on unknown emails.