Axios Codebook

Attacks on companies and sites dip in the summer months, researchers have repeatedly found, and the reason isn't hard to decode: Hackers take summer vacations, too.

The big picture: Cybercriminals love to flaunt their cash and take lavish vacations after successful hacks and online scams — giving U.S. law enforcement a ripe opportunity to arrest or extradite them, experts tell Axios.

• Criminal hackers slow down operations between July and early August, as well as around the end-of-year holidays, says Allan Liska, a ransomware analyst at Recorded Future.
• The number of attacks on public sector entities, including schools and local governments, also tends to slow down in the summer months, says Emsisoft threat analyst Brett Callow.

Between the lines: When criminal hackers leave safe-haven countries, like Russia, U.S. law enforcement gets a rare opportunity to arrest and extradite suspects.

• A Russian entrepreneur believed to be laundering money for the Ryuk ransomware gang was detained while vacationing in Mexico in November.
• In 2017, the U.S. Department of Justice arrested at least five Russian hackers while they were on vacation in Barcelona, Prague and Greece.
• Czech police arrested and extradited a Russian hacker in 2016 while he was eating dinner at a hotel in Prague. (His October jaunt, however, did not fit the summer-vacation pattern.)

Cybercriminals have long been known to share their vacations on social media — often jet-setting to places like Cyprus, Greece and Romania.

• Ramon Abbas, a Nigerian internet scammer known as “Hushpuppi,” spent years boasting about his private jets, designer clothes and dream vacations on Instagram — amassing more than 2 million followers before his arrest in 2020.
• Two Russian hackers were arrested during a vacation in the Netherlands in 2012 after posting several photos on Facebook during the trip.

Details: Hackers who live in countries that don’t have extradition agreements with the U.S. — including Russia, China, Iran and North Korea — take on a bigger risk whenever they leave their country.

• Because hackers who target U.S. businesses are usually located overseas, the government relies heavily on extradition agreements — and law enforcement partnerships with allied countries — to catch suspects behind high-profile hacks.
• Many of the countries that don’t have extradition agreements with the U.S. are safe havens for cybercriminals. For example, Russia tends to turn a blind eye to cybercriminals’ actions as long as they don’t go after Russian companies.

Yes, but: Because of increased awareness about the risk of international travel, many criminal hackers seem to have been traveling less in recent years, Liska tells Axios.

• Fewer Russians have been traveling internationally during the war in Ukraine.
• Nation-state hackers behind espionage campaigns targeting the U.S. also tend to keep such a low profile online that they’re difficult to track — and unlikely to leave their home country.
• "It's not a good idea anymore to leave, and they've been aware of that for a while," Liska says.

The growth of text-based phishing scams hit close to home for Axios last week when several employees got fake text messages claiming to be from company president and co-founder Roy Schwartz.

The big picture: I dug into the recent campaign targeting Axios employees to learn more about how these scams operate — especially as reports about text message scams continue to outpace reports about email scams this year for the first time, per the Federal Trade Commission.

What's happening: Last Friday, several employees shared screenshots in a company Slack channel of the suspicious texts they had received.

• The messages targeted employees across the country and across departments, and each one was addressed to the specific individual.
• Several employees admitted in the Slack channel that they replied to the first message because it seemed legitimate — but so far, no one appears to have engaged with the scammers beyond that initial reply.
• At least one employee said they received the message twice in the week: One from Roy and another pretending to be CEO and co-founder Jim VandeHei.
• Not everyone received the message — neither I (a new employee) nor my editor (a veteran) did.

How it works: I showed the messages to Chester Wisniewski, a researcher at cybersecurity firm Sophos, and he immediately recognized them.

• The scam, he explains, aims to get people to buy gift cards and send back photos of the cards' barcodes. That provides scammers with free, hard-to-trace money.
• This scam has been running for years, but Wisniewski says this is the first example he's seen where the scammers targeted several employees at the same company at once.
• Scammers likely obtained previously leaked phone numbers and employment history about Axios employees and then automated the first text message to a portion of people on the list — which costs little to nothing to do, Wisniewski tells Axios.
• Once someone replied, a human would take over the conversation to make it more believable.

The intrigue: The messages started coming in shortly after Axios announced it was going to be acquired by Cox Enterprises.

• But Wisniewski doubts the scam was tied to the sale — if it had been, the first message would have mentioned the news to get employees engaged.

Threat level: The growth of text-based scams is part of a larger trend of hackers targeting people's phones instead of their email inboxes.

• Teenage hackers gained access to the Twitter accounts of former President Barack Obama, then-presidential candidate Joe Biden and several others in 2020 after calling Twitter employees, pretending to be fellow employees and asking for login credentials.

Be smart: If you receive a similar message or a phone call asking for sensitive company information, don't engage and report the incident to your company's IT pros.

Most of the cybersecurity problems in ex-Twitter security chief Peiter Zatko’s 84-page whistleblower complaint aren’t unique to Twitter — but a handful of claims are worrisome enough to catch regulators' and competitors' attention.

The big picture: Only a handful of specific nightmare scenarios in the complaint will end up having staying power as Washington responds to Zatko's claims.

1. Twitter allegedly can't track and limit employees’ access to its networks. In the complaint, Zatko, who is also known by his hacker name Mudge, said he tried to cut off employees' ability to access — or potentially damage — Twitter's live systems during the Jan. 6 Capitol insurrection to prevent rogue employees from taking them offline.

• He discovered that was impossible.
• “There was no logging of who went into the environment or what they did,” the complaint said.
• The complaint also said that all engineers had "some form of critical access to the production environment."

2. Zatko claimed that Twitter came close to a weeks-long shutdown last spring.

• He said he had warned Twitter's board that the company lacked recovery plans if its data centers went down simultaneously and faced a "'black swan' existential threat."
• “Downtime estimates ranged from weeks of round-the-clock work to permanent irreparable failure,” the complaint said.
• Then, in spring 2021, that failure nearly happened, as "Twitter's primary data center began to experience problems from a runaway engineering process," and a quick move to fallback systems stressed them, too.
• Zatko claimed Twitter then proceeded to misrepresent the stability of its data centers and recovery plans to the SEC.

3. Twitter could have some software licensing headaches ahead.

• Buried in the complaint were allegations that Twitter doesn't have the "proper licenses" it needs for either the data sets or the software it used to build some of its machine learning systems.
• The finding, if true, could make Twitter ripe for additional lawsuits.

The other side: Twitter CEO Parag Agrawal told staff this week that Zatko’s allegations are “foundationally, technically and historically inaccurate,” Reuters reports.

@ D.C.

🐦 Zatko will testify before Senate Judiciary Committee on Sept. 13 about his whistleblower complaint. (Politico)

🔓 CISA released guidelines for critical infrastructure operators to prepare for quantum computing's encryption-breaking capabilities. (CISA)

🗳 The National Security Agency and the U.S. Cyber Command have established a joint team to fight election security threats. (NSA)

@ Industry

💄 Sephora has agreed to pay $1.2 million to California for failing to disclose its data collection processes to the state's consumers. (Wall Street Journal)

🏛 Jack Dorsey's Block, which owns Cash App and Square, is facing a class-action lawsuit over a December 2021 breach of Cash App Investing. (Forbes)

💽 Every company's worst nightmare: They paid the ransom in the ransomware attack, and the hackers still leaked their files. (ZDNet)

@ Hackers and hacks

📲 The hackers behind the Twilio breach were able to steal close to 10,000 login credentials from more than 130 organizations in the last few months. (TechCrunch)

📦 DoorDash also said hackers accessed some customer data, including phone numbers, emails and delivery addresses, through the Twilio data breach. (Bloomberg)

😰 Password management tool LastPass disclosed a data breach in which hackers stole portions of its source code but didn't access customers' encrypted password info. (BleepingComputer)

Love these words of encouragement about getting into the cybersecurity field. It's already tough enough to find talent to fill jobs — let's be kinder and more welcoming!