3 October 2024

From commute to compromise: Guarding your data in public places


In the past year, without exchanging a word, S-RM cyber experts have found themselves seated next to the Head of Transformation for a multi-national supermarket chain, the CFO for a global climate consultancy, and the Director of IT for a renowned university.

This is just a small selection of the many encounters which our experts have noted over the past year. But these individuals weren’t clients, and this wasn’t in a meeting room – these encounters happened on public transport in and around Europe. All it took was a passing glance at their screens or the documents they had spread out around them to identify who they were and where they worked. Such situations serve as a glaring point of concern for our team of cyber security specialists while offering a goldmine of malicious opportunities for threat actors.

Physical security remains an essential part of our daily lives, whether it's through alarm systems, fences, bodyguards, or bolted doors. However, in today’s digital world, physical security takes on a different form. With the rising threat of mobile phone theft and account compromises, safeguarding yourself now includes using privacy screens on devices and exercising caution when using public charging ports. For the purposes of this article, we’ve informally termed this ‘digital-physical’ security. If you're not attentive to your surroundings, a threat actor could easily collect enough information to access your accounts or perpetrate scams in your name.

Outlined below are a few recent case examples, all resulting from breaches of an individual’s ‘digital-physical’ security. Attributable details have been changed to protect the privacy of our clients.
 

Passcode peekers

SUMMARY

A high-net-worth client was at a bar in Chicago with friends when his phone was stolen off the table. Within hours, his partner noticed unauthorised transfers from their joint bank account, and the client also discovered that passwords had been changed on many of his other online accounts. Despite best efforts to regain access to the accounts, he was unable to retrieve multi-factor authentication (MFA) codes which were being sent to his mobile phone. Our client was therefore locked out of his accounts. He immediately contacted S-RM to investigate which accounts had been compromised and to get our help regaining access to them.

Forensic investigation

After an initial review, we quickly realised that the threat actors had begun changing passwords to his key accounts, critically his banking and email accounts. They even redirected MFA notifications to another device to maintain control of our client’s data. We worked tirelessly to regain access to his compromised accounts, secure them, and implement measures to prevent future incidents. We worked with the client to piece together what likely happened: the client recalled two individuals lingering near their table, possibly shoulder-surfing as our client used his phone, attempting to observe his passcode. Once the threat actors felt confident they knew the passcode, they seized the first opportunity to steal the device and flee. With knowledge of his device passcode, they were able to access the password manager storing our client’s saved credentials, thereby infiltrating many of his accounts.

A pricey gaze

SUMMARY

A global athletic company contacted us after a photo of their confidential pricing strategy was posted on social media. They requested an immediate investigation to determine the source of the breach: Was it an insider? Was their data-sharing platform compromised?

Forensic investigation

We traced the data to a group of senior executives who had access to this commercially-sensitive information. This allowed us to perform compromise assessments on their accounts and corporate devices to understand if any had been subject to unauthorised access. Our analysis determined that there was no technical breach.

During discussions, one executive recalled working on that document on a flight home a few days prior. We were able to corroborate his travel details, such as timings and geolocation, with findings from our open source intelligence analysis of the account which posted the photo. This suggested that the likely source of the breach was an individual sitting near him at the airport or on the flight as he travelled home.

Macchiatos and malicious cables

SUMMARY

We were engaged after a client observed unusual activity on her email and social media platforms. Several phishing messages had been sent from her email, and unauthorised chats were being sent to her family and friends from various social media accounts. The client assured us that no devices had been stolen, and her phone was equipped with a privacy screen so no one should have seen her usernames and passwords. We initiated an investigation to determine the root cause of the suspicious activity within her accounts and implement any remediation as quickly as possible.

Forensic investigation

We forensically preserved a copy of the client’s phone and worked closely with her to establish a timeline of anomalous activities. This allowed us to narrow our focus to a specific few-day period during which unauthorised emails and messages were sent. Through extensive analysis, we traced the source of the breach to an anomalous USB connection. By building a detailed timeline during our investigation, we determined that a malicious USB had been inserted into the device, followed by a series of visits to URLs designed to harvest data and install programs which track the client’s device and usage.

After presenting our findings to the client, she recalled charging her phone at what she believed was a secure charging station in a coffee shop. In reality, she had connected to a cable which, while still charging her phone, prompted her to visit malicious web pages, allowing remote threat actors to run commands on the device and access personal data. This enabled them to log her credentials, compromise her accounts, and carry out unauthorised activities in her email and social media platforms.


Key takeaways

  • Be aware of your surroundings – threat actors often conceal themselves well
  • Use a privacy screen on all your devices
  • Prioritise the use of Face ID or Fingerprint ID where possible, with alphanumeric passwords as a backup
  • Avoid public charging ports
  • Create a unique password for each account
  • Never leave your devices unattended

When using your device in public, always take extra precautions. When not in use, your devices should be securely stored out of sight to minimise the risk of theft or unauthorised access.

Our livelihoods are increasingly tied to our mobile phones, and our work takes place behind a laptop screen more than ever before. Whether you’re on your daily commute, travelling for business, or enjoying dinner with friends, it’s crucial to remain vigilant about how you handle your devices and observe your surroundings. Cyber security risks are ever-present, and the smallest lapse in attention can lead to significant consequences.

Our team is frequently engaged in matters where personal, corporate, financial or reputational damage is a threat due to device or account compromise. In many cases, the breach occurs not through sophisticated hacking techniques but through simple user negligence. While our reactive forensic services can help mitigate the damage after an incident, our proactive services are designed to strengthen your security posture before a compromise or breach occurs. By ensuring that your entire digital environment is secure, we can help you prevent potential threats before they manifest.

We are here to help safeguard your digital assets. If you have any questions or concerns, don’t hesitate to reach out to our Digital Forensics team.
