You don’t need to be a tech wizard to learn how cyber criminals are tricking you.
Get a little insight from Hollywood, security experts Sam Curry of Cybereason and Scott Howitt, chief information security officer at MGM, recommend.
They presented their list of “cyber hustle” movies — with non-tech lessons about digital con artists and their cyber attack strategies — at the RSA cybersecurity conference in San Francisco this week.
1. Now You See Me
The 2013 heist movie Now You See Me features magicians who pull off large-scale tricks and steal millions.
“The closer you look, the less you see,” says magician Danny Atlas, before he not only shows a street crowd the card they were thinking of — a seven of diamonds — but also illuminates a skyscraper with lights in the shape of that card.
Cyber Attack Strategies: Now You See Me
The magicians use distraction to provide the illusion of magic — while they steal real money right under your nose.
“This one’s a biggie,” said Curry.
Cyber crooks use distraction to turn your attention away from what’s really going on.
For example, they often use a DDoS attack — a distributed denial of service attack, where they pummel a site with web traffic so it can’t function — to keep people busy while they steal data from another part of the computer network.
“The DDoS parallels are big,” said Curry. “The human distraction element is a big deal.”
“It’s very easy for us to look over here and be super-distracted by, say, a DDoS in our servers,” said Howitt. “And they’re sneaking everything out the back door.”
“Like a five-year-old’s soccer team, all chasing the ball,” said Curry.
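The DDoS-as-distraction pattern described above is easiest to catch when monitoring does not "chase the ball": the flood against one host should trigger a look at what every other host is sending out at the same time. The script below is an added example, not code from the article or from Cybereason or MGM; the flow records, host names and thresholds are constructed for illustration.

```python
"""Correlate an inbound flood on one host with unusual outbound volume from
other internal hosts in the same window. All flow records are constructed."""
from collections import defaultdict

# Constructed flow records: (minute, src, dst, bytes). Hosts named web-01,
# db-02 and file-03 are internal; dotted addresses are external.
INTERNAL = {"web-01", "db-02", "file-03"}

FLOWS = [
    # minutes 0-4: normal baseline traffic
    (0, "203.0.113.7", "web-01", 50_000), (0, "db-02", "198.51.100.9", 20_000), (0, "file-03", "198.51.100.9", 30_000),
    (1, "203.0.113.7", "web-01", 55_000), (1, "db-02", "198.51.100.9", 22_000), (1, "file-03", "198.51.100.9", 28_000),
    (2, "203.0.113.7", "web-01", 48_000), (2, "db-02", "198.51.100.9", 19_000), (2, "file-03", "198.51.100.9", 31_000),
    (3, "203.0.113.7", "web-01", 52_000), (3, "db-02", "198.51.100.9", 21_000), (3, "file-03", "198.51.100.9", 29_000),
    (4, "203.0.113.7", "web-01", 51_000), (4, "db-02", "198.51.100.9", 20_000), (4, "file-03", "198.51.100.9", 30_000),
    # minutes 5-7: a flood hits web-01 while db-02 quietly pushes data out
    (5, "203.0.113.8", "web-01", 9_000_000), (5, "db-02", "192.0.2.44", 600_000), (5, "file-03", "198.51.100.9", 30_000),
    (6, "203.0.113.9", "web-01", 9_500_000), (6, "db-02", "192.0.2.44", 650_000), (6, "file-03", "198.51.100.9", 29_000),
    (7, "203.0.113.10", "web-01", 9_200_000), (7, "db-02", "192.0.2.44", 700_000), (7, "file-03", "198.51.100.9", 31_000),
]


def per_minute_bytes(flows, host, direction):
    """Sum bytes per minute arriving at ('in') or leaving ('out') one internal host,
    counting only traffic that crosses the network boundary."""
    totals = defaultdict(int)
    for minute, src, dst, nbytes in flows:
        if direction == "in" and dst == host and src not in INTERNAL:
            totals[minute] += nbytes
        elif direction == "out" and src == host and dst not in INTERNAL:
            totals[minute] += nbytes
    return totals


def baseline(totals, minutes):
    """Mean bytes per minute over the quiet reference period."""
    vals = [totals.get(m, 0) for m in minutes]
    return sum(vals) / len(vals) if vals else 0.0


def find_cover_exfil(flows, baseline_minutes, watch_minutes, flood_factor=20, exfil_factor=5):
    """Return (flooded, suspects): hosts whose inbound volume exceeds flood_factor
    times baseline in the watch window, and every *other* internal host whose
    outbound volume exceeds exfil_factor times its own baseline in that window.
    suspects maps host -> peak-to-baseline ratio."""
    flooded = set()
    for host in INTERNAL:
        inbound = per_minute_bytes(flows, host, "in")
        base = max(baseline(inbound, baseline_minutes), 1)
        if any(inbound.get(m, 0) > flood_factor * base for m in watch_minutes):
            flooded.add(host)

    suspects = {}
    if not flooded:
        return flooded, suspects  # no distraction in play, nothing to correlate
    for host in INTERNAL - flooded:
        outbound = per_minute_bytes(flows, host, "out")
        base = max(baseline(outbound, baseline_minutes), 1)
        peak = max(outbound.get(m, 0) for m in watch_minutes)
        if peak > exfil_factor * base:
            suspects[host] = round(peak / base, 1)
    return flooded, suspects


if __name__ == "__main__":
    flooded, suspects = find_cover_exfil(FLOWS, range(0, 5), range(5, 8))
    print("hosts under inbound flood:", sorted(flooded))
    for host, ratio in suspects.items():
        print(f"outbound spike on {host} during the flood: {ratio}x baseline")
```

The thresholds are deliberately coarse: the point is not a tuned anomaly detector but the correlation step itself, which raises the quiet host's outbound spike only because a flood is happening somewhere else at the same moment.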
A magician tricks people into choosing the 7 of diamonds in Now You See Me (2013). Image: Summit Entertainment
Some experts concluded a massive, global ransomware attack in 2017 called “NotPetya” (among other names) was just a disguise used by attackers who were really out to destroy data.
“Your most precious thing is your attention,” Curry said. “Your most precious gift.”
2. The Original Oceans 11
Frank Sinatra leads a group of former military pals to try to rob five Las Vegas casinos in this 1960 original featuring the “Rat Pack.”
In one scene, Sammy Davis Jr. drives the money out in a garbage truck, disguised as a nattily-dressed garbage man.
He convinces an officer that he’s just a worker curious about the police presence.
Cyber Attack Strategies: Oceans 11
The thieves hide their treasure in what looks like regular traffic — just like cyber crooks trying to steal valuable data.
“The cop saw what he expected to see,” said Curry. “He just ushered him on through.”
“Totally social engineering the guy,” added Howitt.
File robbers may also hide their spoils deep in a mess of data, unappealing to someone who might be charged with watching the perimeter.
“I don’t think the officer wanted to go elbow-deep,” said Curry.
Thieves hide the money in garbage in the original Oceans 11 (1960). Image: Warner Bros.
Once again, distraction comes into play, as Davis Jr. starts asking questions of the police officer, rather than waiting for instruction.
“He took control of the narrative,” said Curry.
3. Oceans 13
Fast forward to 2007 and the Las Vegas casino robbery movie Oceans 13.
In this scene, conman Brad Pitt convinces a casino executive that he is actually a scientist worried about a quake.
Pitt — in the guise of “Rusty the Scientist” — leaves a “seismograph” on the exec’s desk that turns out to be a hidden camera.
Cyber Attack Strategies: Oceans 13
Like cyber attackers, Pitt is trying to scare the casino guy into action.
He plants the idea that a massive quake could leave the casino in a pile of rubble.
“That’s powerful stuff,” said Curry.
Online tricksters may tell you they will delete all of your data, or that they will reveal private photos.
Fear may lead you to pay the ransom.
Or they may send you a message telling you that you have an important message and you need to click on a link.
A fear of missing out may lead you to click — and download malware that steals your passwords or money.
In Oceans 13 (2007), a conman convinces a casino exec to take a “seismograph” that is really a camera. Image: Warner Bros.
Pitt’s shyster also uses authority — as a science expert — to manipulate.
“The executive didn’t take two seconds,” said Howitt. “He doesn’t want to admit he doesn’t know.”
“Heaven forbid you question someone who is in a position of authority,” added Curry.
If you receive an email from your boss asking you to pay off an account right away, even though your boss is on vacation, you may not question the show of authority — even though scammers use this trick all the time.
4. The Usual Suspects
Spoiler alert!
“I’m about to ruin one of the greatest movies ever for you,” Curry told his audience at the conference.
If you haven’t seen The Usual Suspects (1995), you might want to skip to the last paragraph, the epilogue.
At the end of the movie, a detective finally figures out the truth.
“I think this one’s a fun one. I also think it’s extremely powerful,” said Curry.
Cyber Attack Strategies: The Usual Suspects
Kevin Spacey tells detectives the story they want to hear — making up details as he goes, even naming an attorney after the brand of coffee cup the detective is sipping from.
Attackers online plant fake clues as well, pretending to be from one country when they are really from another.
Cybersecurity experts can be fooled and attribute an attack to the wrong nation-state.
“Attribution and false flag,” said Curry. “Here the police had their story. Boy, did they have it wrong.”
Also, The Usual Suspects detective came up with his idea of the con, and looked for clues to support it, rather than keeping his eyes and mind open.
“He suffered from confirmation bias something fierce,” Curry said.
A crook whipped up a story based on names he saw in a detective’s office in The Usual Suspects (1995), like this mug brand. Image: Gramercy Pictures
Many movie viewers did not see the clues, either, even as the detective held the “Kobayashi” cup to his lips.
Curry and Howitt say it happens in cyber defense, too.
“I see the responder say, ‘I already know what happened.’ They go right to it. They almost bend the fact to the conclusion,” said Howitt.
The movie detective had been so sure of his theory.
“I loved the smugness on his face,” said Howitt. “It’s the same look I see sometimes on incident response teams.”
The lesson — keep an open mind and don’t underestimate the skills of cyber attackers.
Epilogue
Many of these movie crooks use social engineering — conning humans — to lie, cheat and steal.
So do crooks online.
They also use technology to get the job done, but Curry and Howitt say you don’t need to be tech-savvy to see how malicious hackers work.
If Hollywood helps you soak up cybersecurity knowledge, all the better.
“Hopefully, this makes it clear that it’s approachable and understandable,” said Curry.
Main image: Oceans 13. Credit: Warner Bros.