The Beekeeper and cybersecurity | Kaspersky official blog

Credit to Author: Nikolay Pankov | Date: Mon, 01 Apr 2024 10:31:18 +0000

Did you know that cybersecurity and… beekeeping are like two peas in a pod? If not, you probably missed the introduction, back in 2019, of our bee-hive-oristic engine, which protects ATMs from physical break-ins through integration with an actual beehive (while also providing the ATM’s owners with honey, beeswax, and propolis). To implement the engine, we proposed training ATM maintenance workers and cash-in-transit personnel in applied beekeeping for information security.

So, when the new movie with Jason Statham, The Beekeeper, came out earlier this year, I knew right away it had to be about cybersecurity. And wouldn’t you know it, I was right. Now, let’s break down the cybersecurity cases shown in “The Beekeeper”. Sure, there’ll be spoilers, but come on, you don’t watch a Statham movie for the plot twists, now do you? It’s all about the action, right?

The main character, Adam Clay, is a retired beekeeper — in the sense that he’s a former member of a beekeeper special-ops unit. The Beekeepers are a secret organization that answers to nobody, keeps order in the country, and follows the philosophy drawn from the book “Beekeeping for Beekeepers”. After retirement, Clay moves in with a sweet old lady, Eloise Parker, and devotes himself to his favorite pastime: beekeeping. That’s right, Adam is a beekeeper. Literally. Breeding bees in his free time. (Look, I didn’t write the movie, OK?) Of course, as usually happens in any Jason Statham movie, some bad guys show up, mess with Adam’s loved ones, and then spend the rest of the movie trying to mess with the man himself — to no avail. All this happens against a backdrop of some sinister cybercrimes, which actually seem way more realistic than the action sequences.

Vishing: robbery over the phone

The first to get stung is poor Eloise. One day, when she opens her list of banking transactions, she receives a well-crafted warning that her computer’s hard drive is infected with two viruses. Very conveniently, the warning displays a tech-support number to help her get rid of the malware.

Of course, it’s scammers on the line — using their social engineering tricks to rob the poor woman blind. Here’s how they do it: first, they convince her to visit the website friendlyfriend.net and download a certain app (which actually gives them control of the victim’s computer). Then, as an apology for the inconvenience, the fraudsters promise to wire $500 to Eloise, but “accidentally” transfer $50,000 and ask her to return the excess. She seems to consider contacting the bank, but the guy on the phone convinces her he’ll lose his job if she does, and persuades her to transfer the money directly. This is how the scammers get Eloise to enter her “password for all accounts”, which they promptly intercept and use to drain not only all her savings and retirement funds but also two million dollars from the charity fund she runs.

Lessons from the vishing attack

Gotta hand it to the writers, they did their homework on online scams. The attack depicted in the movie combines real-life fake tech-support and vishing tactics with a clever twist — the “accidental” overpayment. Eloise is portrayed as a completely inexperienced user (precisely the type scammers target in real life), and she makes a bunch of mistakes we can learn from.

  • Don’t call phone numbers that pop up in random windows. Best case, it’s a shady ad; worst — a scam.
  • Don’t install software just because some stranger tells you to — especially if they admit it’s for remote access; double especially if the website is called friendlyfriend.net and the advertising slogan reads “A remote desktop solution that makes sense”. That definitely doesn’t make sense.
  • If you know you have remote access software on your computer, don’t enter any sensitive information — especially your payment passwords.
  • Having a single password for all your bank accounts is a very bad idea; use unique passwords for everything.

In any case, Eloise should have been wary of the promise of a $500 transfer. Nobody gives money away. The right move would have been to hang up and call a family member; in her case, the best choice would have been her daughter, who works in law enforcement. And her daughter should have installed a reliable protective solution on the computer in advance. That would have stopped the “viruses” along with the pesky pop-up windows.

Beekeepers’ showdown

It wouldn’t be a Jason Statham movie if he didn’t spend most of it violently killing bad guys, and so, as expected, that’s just what he does — specifically wasting the cybercriminals, their guards, and actually anyone else who gets in his way. But at some point, it turns out that the call-center network scamming all these retirees is run by some high-ranking villains who know about the Beekeepers and have connections in the intelligence agencies. These agencies pressure the Beekeepers to stop Clay, so the latter send his former colleague, Anisette, who took over Adam’s job after he retired. She dies heroically, and the Beekeepers conduct their own investigation and then decide to stay out of it. Hey, listen, I told you already — I didn’t write this stuff.

What’s interesting about these inter-hive disputes is how Adam decides to upgrade his arsenal at the expense of his deceased colleague. For this, he cuts off her finger, breaks into her beekeeping facility (which also houses a weapons cache), and uses her fingerprint to open several biometric locks. Besides weapons and ammo, Clay also gets her password (DR07Z, printed on a piece of paper) and hacks into the Beekeepers’ information systems. So much for the super-secrecy of this organization. Using the Beekeepers’ systems, he finds the addresses of the call centers, prints them out on a dot matrix printer, and goes back to his warpath.

Silly as it may seem, there’s a serious lesson here: don’t rely solely on biometrics, and protect important things (and data) with at least two-factor authentication. Plus, of course, use strong passwords (five characters is just way too short) and store them in a dedicated password manager.

Misuse of cyberweapons

By the end of the film we see the whole picture of the crime. Turns out the mastermind of the operation is the CEO of a company developing software for intelligence agencies. He uses some “classified algorithmic data-mining software package developed by the intelligence community” to find lonely retirees with substantial savings. When cornered, he flat-out admits he taught the software “to hunt for money, not terrorists”. What utter gibberish.

However, the idea behind this plot twist is bang on the money — all these mass surveillance and espionage tools governments develop, along with other cyberweapons, could easily fall into the wrong hands and be used to attack innocent people. And that’s no longer fiction — just look at the WannaCry attack. The EternalBlue exploit and DoublePulsar backdoor used in it were supposedly stolen from intelligence agencies and made publicly available.

So, this seemingly nonsensical action flick actually teaches us that dangerous tools can be used in mass cyberattacks at any moment. Therefore, it pays to be prepared for anything and to use reliable security tools both on personal devices and for corporate protection.

