NEW YORK — The data breach last month that MGM Resorts is calling a cyberattack is expected to cost the casino giant more than $100 million, the Las Vegas-based company said.
The incident, which was detected on Sept. 10, led to MGM shutting down some casino and hotel computer systems at properties across the U.S. in efforts to protect data.
MGM said that reservations and casino floors in Las Vegas and other states were affected as customers shared stories on social media about not being able to make credit card transactions, obtain money from cash machines or enter hotel rooms. The company announced the end of its 10-day computer shutdown on Sept. 20.
The incident bore all the hallmarks of an extortionary ransomware attack, which MGM has not confirmed. If so, it could be the costliest ransomware attack on record, said Brett Callow of the cybersecurity firm Emsisoft. In 2019, the Norwegian aluminum manufacturer Norsk Hydro suffered $70 million in losses after refusing to pay ransomware criminals.
“While we experienced disruptions at some of our properties, operations at our affected properties have returned to normal, and the vast majority of our systems have been restored,” MGM CEO Bill Hornbuckle said in a Thursday letter to customers. “We also believe that this attack is contained.”
Hornbuckle added that no customer bank account numbers or payment card information was compromised in the incident. But hackers stole other personal information, including names, contact information, driver’s license numbers, Social Security numbers and passport numbers belonging to some customers who did business with MGM prior to March of 2019, he said.
MGM has no evidence that the hackers and criminals have used the data to commit account fraud or identity theft, Hornbuckle said, noting the company will also reach out to impacted consumers via email and offer free identity protection and credit monitoring services.
“We regret this outcome and sincerely apologize to those impacted,” he added.
In a filing with the Securities and Exchange Commission, MGM said it believes that September’s data breach will have a negative impact on its third-quarter financial results, particularly in Las Vegas — but minimal impact in the fourth quarter and operational results for the year.
In addition to the estimated $100 million loss on adjusted property earnings before interest, taxes, depreciation, amortization and rent for its Las Vegas Strip resorts and other regional operations, MGM expects to incur charges totaling less than $10 million covering one-time expenses like legal fees and technology consulting.
MGM wasn’t the only casino giant to get hit by hackers last month. Caesars Entertainment disclosed a Sept. 7 cyberattack. The Reno-based company said that its casino and online operations were not disrupted.
Caesars was widely reported to have paid $15 million of a $30 million ransom sought by a group called Scattered Spider for a promise to secure the data. According to a Thursday Wall Street Journal report, which cited an unnamed person familiar with the matter, MGM refused to pay hackers’ September ransom demand.
An MGM spokesman would neither confirm nor deny the report.
Both casino operators currently face a combined nine federal lawsuits over the cyberattacks, the Las Vegas Review-Journal reported this week.
Beyond the casino world, Clorox disclosed a cyberattack recently, saying it had identified “unauthorized activity” on some of its IT systems in August. The maker of bleach and other household products said the attack has caused large-scale disruption of operations, including notable product shortages and order processing delays.
In a Wednesday announcement, Clorox said its net sales are expected to fall between 23% and 28% for the first quarter of 2024.
___
Associated Press writers Frank Bajak in Boston and Ken Ritter and Rio Yamat in Las Vegas contributed to this report.
Clorox Co. shares fell in the extended session Wednesday after the company slashed its outlook stemming from the impact of a cybersecurity attack over the summer.
Clorox shares fell about 3% after hours, following a 1.2% gain to close the regular session at $131.83. At Wednesday’s close, Clorox shares were down 6.1% for the year, while the S&P 500 index has gained 11.1%.
The company forecast a loss of 75 cents to 35 cents a share, or a loss of 40 cents to break-even per share on an adjusted basis, for the quarter ending Sept. 30.
Clorox said sales are expected to decrease by 28% to 23% from the year-ago first quarter of $1.74 billion, or in a range between $1.25 billion and $1.34 billion.
Analysts surveyed by FactSet had forecast first-quarter earnings of $1.29 a share on revenue of $1.77 billion.
In a statement late Wednesday, Clorox said the reduced outlook was “due to the impacts of the recent cybersecurity attack that was disclosed in August, which caused wide-scale disruption of Clorox’s operations, including order-processing delays and significant product outages.”
The company said shipment and consumption trends prior to the cyberattack factored in its prior forecast.
In early August, Clorox forecast sales in 2024 would be flat to 2% higher than 2023’s $7.39 billion, and adjusted earnings between $5.60 and $5.90 for the year, while analysts had expected $5.62 a share on revenue of $7.4 billion at the time.
Analysts currently forecast, on average, adjusted earnings of $5.78 a share on revenue of $7.5 billion.
Based on the company’s current assessment, Clorox said it expects “to experience ongoing, but lessening, operational impacts in the second quarter as it makes progress in returning to normalized operations,” and restocking retailers.
Analysts also forecast second-quarter earnings of $1.18 a share on revenue of $1.77 billion.
Clorox said it was “in the process of assessing the impact of the cybersecurity attack on fiscal-year 2024 and beyond,” and said it would provide an update during its first-quarter earnings call scheduled in November.
You arrive home and toss your car keys on a table near your front door. It’s an ordinary habit that is all today’s thieves need to launch a “relay attack” to capture the signal from your key fob, unlock your car and drive it away. And it’s just one of the high-tech methods more criminals are adopting to steal cars.
Experts say in recent years, car thieves have increasingly targeted keyless entry vehicles by breaching the computer systems that are built into the cars’ communication network.
Less than a minute to reprogram a key fob
The latest method capturing the attention of car security experts is the “CAN bus attack.” “CAN” stands for “controller area network,” and the “CAN bus” is the auto industry term used to describe the message-based electronic system that allows various parts of the vehicle to communicate with each other.
“Probably the most common one that I do see is actual key programmers that you can just plug into the vehicle’s diagnostic port or onto the CAN bus network,” said Steve Lobello, owner of S&A Security in the Chicago suburb of River Grove, Illinois.
“It’s basically the nervous center in the vehicle where everything has to process,” said Lobello. “You can pretty much do things such as delete keys, program new keys, and just basically speak to the vehicle.”
Lobello says the tablets that locksmiths and security specialists use to reprogram key fobs have been stolen or can be bought online legally by thieves looking for a way to hack into targeted cars.
We won’t reveal exactly how he did it, but Lobello used one of these tablets to demonstrate how quickly he could gain access to a vehicle’s main frame and reprogram a key.
It took him less than a minute.
High value target
Ivy Stryker of Farmington, Michigan, became a victim of the CAN bus attack not once but twice. The first time, his car was parked against a brick wall at an apartment complex.
“It’s about 1 a.m., my phone goes off, my iPads are going off, alarm sounds everywhere,” said Stryker. He ran outside to find another vehicle next to his and a stranger inside his car. “A guy’s popping out the top of the moonroof.”
Stryker had no illusions about how tempting his Dodge Charger Hellcat would be to thieves and had a security system installed to protect it.
“When I was looking at the thing, I already knew that it was one of the most, if not the most stolen car,” said Stryker.
According to a recent report from the Highway Loss Data Institute, the Charger SRT Hellcat ranked as the No. 1 targeted car built between 2020 and 2022. It’s 60 times more likely to be stolen than any other car built in that same time period.
“If you own a Hellcat, you better check your driveway,” Matt Moore, the organization’s senior vice president, said in a statement on the institute’s website. “These numbers are unbelievable.”
Car thefts in general are up across makes and models nationwide. More than one million cars were stolen in 2022, the highest number since 2008, according to the National Insurance Crime Bureau (NICB), the insurance industry association that tracks annual vehicle thefts.
That’s about two vehicles stolen every minute.
Trying to stay one step ahead
“The criminal organizations and the suspects are always looking for what the security protocols are and how to defeat them,” said NICB President & CEO David Glawe.
“We work with the insurance industry and the manufacturers to identify these vulnerabilities and to try to slim this gap,” said Glawe. “But we’re always having to stay one step ahead of the criminals, and they’re always trying to stay one step ahead of us.”
For years the bureau has publicized the number of cars stolen due to keys being left inside vehicles — 287,024 between 2019 and 2021. But that represents just a fraction — 11% — of the total number of cars — more than 2.6 million — that were stolen during the same time.
“We have the real raw information of stolen vehicles. But how they’re stolen, it comes down to the local law enforcement,” said Glawe. “When you document and report, you have to put that in a police report. If that’s not captured by an algorithm or report, it’s hard necessarily to track.”
NICB told us they don’t break down exactly how the vehicles were stolen, and we learned the auto industry doesn’t track this data either.
Automakers provide few answers
Concerned that keyless entry systems “may be contributing to rising rates of vehicle theft,” in July 2022 U.S. Senator Ed Markey, a Democrat from Massachusetts, sent letters to 17 carmakers urging them to “…take all necessary steps to ensure that keyless entry systems, once a security innovation that deterred thieves, do not become a security liability for them to exploit.”
In the dozen responses that came back, while automakers all stated a commitment to theft prevention, none could provide the exact number of their vehicles that had been stolen or details on the method car thieves used to steal them.
Some industry experts suggest automakers should be tracking this data to help combat the rise in vehicle thefts.
“I think it’s incredibly important because unless the industry has a knowledge of how vehicles are being compromised, then, you know, nothing’s going to be done about it,” said former detective Clive Wain, who now works as head of police liaison for Tracker UK, a company that specializes in recovering stolen cars in the United Kingdom.
Wain says a spike in hot-wiring thefts during the 1980s put pressure on auto manufacturers to enhance vehicle security. That led to the modernization of vehicle locking mechanisms, and the introduction of “smarter” key systems and vehicle immobilizer technology.
Since then, Wain says, organized criminal groups have developed capabilities to download data from these key transponder fobs, and by downloading data via the vehicles’ onboard diagnostic device, they could clone and upload that data onto a “donor” key for that specific make and model of vehicle.
“Circa 2015, in the U.K., as some manufacturers were introducing ‘keyless entry’ vehicles, instances of electronic compromise started to surface where this technology had been compromised. The most prevalent method progressively has become the ‘relay attack,’” said Wain. “More recently, we have seen the significant emergence of ‘CAN bus’ compromise attacks.”
Tracker UK makes a practice of collecting monthly high-tech car theft data.
Their numbers show that in July 2023, keyless car theft reached an all-time high in the U.K., accounting for 98% of all stolen vehicles the company helped recover in that one-month period.
“As quickly as manufacturers start to [update vehicle locking] technology for security purposes, that technology is being reverse-engineered — almost within a matter of days or weeks,” said Wain. “I think manufacturers have known about the vulnerability for some years, but it takes many, many years to develop technology on a production line and it’s a costly process.”
Wain says while keyless entry technology was initially developed and introduced in more high-end makes and models, it has now been extended to most mainstream vehicles, making them much more vulnerable to this kind of attack and compromise.
Steve Lobello agrees.
“A little more than 90% of vehicles are vulnerable,” he said. “All this information [on breaching a car’s technology] is already out there. It’s readily available on YouTube and social media.”
“It’s not like [thieves] need to go to school to learn how to use this thing,” he added. “YouTube is their school.”
The growing threat of high-tech car theft is why Lobello suggests his clients install an after-market security system (he recommends one called IGLA). These systems, which can cost as much as $1,200, create a firewall to fend off CAN bus attacks, and require the driver to enter a pre-programmed code using a combination of existing factory buttons in sequence to start the car. Even if a thief manages to plug into a vehicle’s CAN bus, without the secondary button code authentication, the car will shut down and be immobilized.
Lobello installed one of the systems in Ivy Stryker’s Dodge Charger, and the investment paid off: thieves who attempted to steal it were thwarted – two times. In one of those cases, when the car wouldn’t start, the criminals resorted to using a second car to push the Dodge. They made it 17 miles before giving up and ditching the car on the side of the road. Stryker later tracked it down via GPS.
Stryker believes automakers should be the ones stepping up to solve the problem.
“It’s too easy now. The onus should be on the manufacturer,” said Stryker. “It should be their responsibility to tighten up their security as much as possible.”
In a statement, Stellantis, which makes the Dodge Charger, told CBS News that their vehicles “…meet or exceed all applicable federal standards for safety and security. …Notwithstanding, we urge all motorists to take due care in securing their vehicles.”
Experts say consumers don’t have to install expensive after-market security systems to minimize the risk of being “carhacked.” Other precautions can include storing keys in a metal container, signal-blocking pouch or “Faraday Box,” to prevent relay attacks.
The National Insurance Crime Bureau recommends a “layered approach,” adding on physical protection like steering column locks, alarms and tracking devices. Ironically, high-tech thieves may be deterred when confronting low-tech protection measures.
It was past midnight when Alessandra Millican and a friend entered the Bellagio hotel room that was costing them hundreds of dollars a night, but unexpected noises made them stop cold.
“We started hearing grunts,” she said. “It’s somebody waking up — we were halfway through the room and we realized there’s somebody sleeping in here.”
If Clorox products seem harder to come by these days, blame hackers.
The bleach and household cleaners manufacturer said in a statement posted on its website Monday that it is “continuing to operate at a lower rate of processing” because of a recent cyberattack that damaged portions of the company’s computer network. The August breach disrupted operations as the company “took certain systems offline” as a security measure.
“We expect the ramp-up to full production to occur over time but do not yet have an estimate for how long it will take to resume fully normalized operations,” Clorox said. In the meantime, the company will continue to process orders manually as it reintegrates its systems that were taken offline during the attack, according to the statement.
The transition back to automated order processing will take place beginning the week of September 25, the company said, adding that production had already resumed at a “vast majority” of its manufacturing sites.
Clorox also owns brands Burt’s Bees, Pine SOL and Fresh Step, but it’s unclear whether its output of those products has also been affected by the attack.
Clorox did not immediately respond to a request for comment.
Clorox isn’t the only company to fall victim to a cyberattack recently. Last week, a group of hackers exploited MGM Resorts’ systems, stealing Social Security numbers and driver’s license numbers from a “significant number” of loyalty program customers of Caesars Entertainment, the hospitality and casino giant said. The ransom attack also targeted the resort’s operations, with hotel guests reporting they couldn’t access their rooms with their digital keys or make room charges. As a result, the hotel owner has lost between roughly $4 and $8 million per day, the Las Vegas Review-Journal reported.
This latest hack may also have an impact on Clorox’s first-quarter financial results, the company said in an SEC filing. The company’s stock dipped roughly 2% by the time the market closed on Monday.
LAS VEGAS — A persistent error message greeted Dulce Martinez on Monday as she tried to access her casino rewards account to book accommodations for an upcoming business trip.
That’s odd, she thought, then toggled over to Facebook to search for clues about the issue on a group for MGM Resorts International loyalty members. There, she learned that the largest casino owner in Las Vegas had fallen victim to a cybersecurity breach.
Martinez, 45, immediately checked her bank statements for the credit card linked to her loyalty account. Now she was being greeted by four new transactions she did not recognize — charges that she said increased with each transaction, from $9.99 to $46. She canceled the credit card.
Unsettled by the thought of what other information the hackers may have stolen, Martinez, a publicist from Los Angeles, said she signed up for a credit report monitoring program, which will cost her $20 monthly.
“It’s been kind of an issue for me,” she said, “but I’m now monitoring my credit, and now I’m taking these extra steps.”
MGM Resorts said the incident began Sunday, affecting reservations and casino floors in Las Vegas and other states. Videos on social media showed video slot machines that had gone dark. Some customers said their hotel room cards weren’t working. Others said they were canceling their trips this weekend.
The situation entered its sixth day on Friday, with booking capabilities still down and MGM Resorts offering penalty-free room cancelations through Sept. 17. Brian Ahern, a company spokesperson, declined Friday to answer questions from The Associated Press, including what information had been compromised in the breach.
By Thursday, Caesars Entertainment — the largest casino owner in the world — confirmed it, too, had been hit by a cybersecurity attack. The casino giant said its casino and hotel computer operations weren’t disrupted but couldn’t say with certainty that personal information about tens of millions of its customers was secure following the data breach.
The security attacks that triggered an FBI probe shatter a public perception that casino security requires an “Oceans 11”-level effort to defeat it.
“When people think about security, they are thinking about the really big super-computers, firewalls, a lot of security systems,” said Yoohwan Kim, a computer science professor at the University of Nevada, Las Vegas, whose expertise includes network security.
It’s true, Kim said, that casino giants like MGM Resorts and Caesars are protected by sophisticated — and expensive — security operations. But no system is perfect.
“Hackers are always fighting for that 0.0001% weakness,” Kim said. “Usually, that weakness is human-related, like phishing.”
Tony Anscombe, the chief security official with the San Diego-based cybersecurity company ESET, said it appears the invasions may have been carried out as a “socially engineered attack,” meaning the hackers used tactics like a phone call, text messages or phishing emails to breach the system.
“Security is only as good as the weakest link, and unfortunately, as in many cyberattacks, human behavior is the method used by cybercriminals to gain the access to a company’s crown jewels,” Anscombe said.
As the security break-ins left some Las Vegas casino floors deserted this week, a hacker group emerged online, claiming responsibility for the attack on Caesars Entertainment’s systems and saying it had asked the company to pay a $30 million ransom fee.
It has not officially been determined whether either of the affected companies paid a ransom to regain control of their data. But if one had done so, the experts said, then more attacks could be on the way.
“If it happened to MGM, the same thing could happen to other properties, too,” said Kim, the UNLV professor. “Definitely more attacks will come. That’s why they have to prepare.”
___
Parry reported from Atlantic City. Associated Press videographer Ty O’Neil in Las Vegas contributed.
A cyberattack by hackers on the computer systems for MGM Resorts International has impacted its casinos and hotels in several states. Elise Preston has more.
Opinions expressed by Entrepreneur contributors are their own.
You know how you can’t do anything these days without proving who you are? Whether opening a bank account or just hopping onto a car-sharing service. With online identity verification becoming more integrated into daily life, fraudsters have become more interested in outsmarting the system.
Criminals are investing more money and effort to overcome security solutions. Their ultimate weapon is deepfakes — impersonating real people using artificial intelligence (AI) techniques. Now, the multimillion-dollar question is: Can organizations effectively employ AI to combat fraudsters with their tools?
According to a Regula identity verification report, a whopping one-third of global businesses have already fallen victim to deepfake fraud, with fraudulent activities involving deepfake voice and video posing significant threats to the banking sector.
For instance, fraudsters can easily pretend to be you to get access to your bank account. Stateside, almost half of the companies surveyed confessed to being targeted with voice deepfakes last year, beating the global average of 29%. It’s like a blockbuster heist but in the digital realm.
And as AI technology for creating deepfakes becomes more accessible, the risk of businesses being affected only increases. That poses a question: Should the identity verification process be adjusted?
Luckily, we’re not at the “Terminator” stage yet. Right now, most deepfakes are still detectable — either by eagle-eyed humans or AI technologies that have already been integrated into ID verification solutions for quite some time. But don’t let your guard down. Deepfake threats are evolving quickly — we are already on the edge of witnessing persuasive samples that can scarcely arouse any suspicion, even upon deliberate scrutiny.
The good news is that the AI, the superhero we’ve enlisted to fight against good old “handmade” identity fraud, is now being trained to spot fake stuff created by its fellow AI buddies. How does it manage this magic? First of all, AI models don’t work in a vacuum; human-fed data and clever algorithms shape them. Researchers can develop AI-powered tools to remove the bad guys of synthetic fraud and deepfakes.
The core idea of this protective technology is to be on the lookout for anything fishy or inconsistent while doing those ID liveness checks and “selfie” sessions (where you snap a live pic or video with your ID). An AI-powered identity verification solution becomes the digital Sherlock Holmes. It can detect both changes that occur over time, like shifts in lighting or movement, and sneaky changes within the image itself – like tricky copy-pasting or image stitching.
Fortunately, AI-generated fraud still has some blind spots, and organizations should leverage those weak points. Deepfakes, for instance, often fail to capture shadows correctly and have odd backgrounds. Fake documents typically lack optically variable security elements and would fail to project specific images at certain angles.
Another key challenge criminals face is that many AI models are primarily trained using static face images, mainly because those are more readily available online. These models struggle to deliver realism in liveness “3D” video sessions, where individuals must turn their heads.
One more vulnerability organizations can use is the difficulty in manipulating documents for authentication compared to attempting to use a fake face (or to “swap a face”) during a liveness session. This is because criminals typically have access only to one-dimensional ID scans. Moreover, modern IDs often incorporate dynamic security features that are visible only when the documents are in motion. The industry is constantly innovating in this area, making it nearly impossible to create convincing fake documents that can pass a capture session with liveness validation, where the documents must be rotated at different angles. Hence, requiring physical IDs for a liveness check can significantly boost an organization’s security.
While the AI training for ID verification solutions keeps evolving, it’s essentially a constant cat-and-mouse game with fraudsters, and the results are often unpredictable. It is even more intriguing that criminals are also training AI to outsmart enhanced AI detection, creating a continuous cycle of detection and evasion.
Take age verification, for example. Fraudsters can employ masks and filters that make people appear older during a liveness test. In response to such tactics, researchers are pushed to identify fresh cues or signs of manipulated media and train their systems to spot them. It’s a back-and-forth battle that keeps going, with each side trying to outsmart the other.
In light of all we’ve explored thus far, the question looms: What steps should we take?
First, to achieve the highest level of security in ID verification, toss out the old playbook and embrace a liveness-centric approach for identity checks. What’s the essence of it?
While most AI-generated forgeries still lack the naturalness needed for convincing liveness sessions, organizations seeking maximum security should work exclusively with physical objects — no scans, no photos — just real documents and real people.
In the ID verification process, the solution must validate both the liveness and authenticity of the document and the individual presenting it.
This should also be supported by an AI verification model trained to detect even the most subtle video or image manipulations, which might be invisible to the human eye. It can also help detect other parameters that could flag abnormal user behavior. This involves checking the device used to access a service, its location, interaction history, image stability and other factors that can help verify the authenticity of the identity in question. It’s like piecing together a puzzle to determine if everything adds up.
And one final tip – requesting that customers use their mobile phones during liveness sessions instead of a computer’s webcam would be helpful. This is because it is generally much more difficult for fraudsters to swap images or videos when using a mobile phone’s camera.
To wrap it up, AI is the ultimate sidekick for the good guys, ensuring the bad guys can’t sneak past those defenses. Still, AI models need guidance from us humans to stay on the right track. But together, we are superb at spotting fraud.
BANGKOK — One of Myanmar’s biggest and most powerful ethnic minority militias has arrested and repatriated more than 1,200 Chinese nationals allegedly involved in criminal online scam operations, an official of the group said Saturday.
The arrests were carried out in territory controlled by the United Wa State Army, or UWSA, in eastern Shan state in raids on Tuesday and Wednesday, Nyi Rang, a liaison officer from the militia, told The Associated Press.
He said in a text message that the arrested people were handed over to Chinese police at the border gate in Panghsang — also known as Pangkham city — the capital of Wa-administered territory on the border with China’s Yunnan province.
Cybercrime scams have become a major issue in Asia, as many of the workers employed to carry out the online scams are themselves victims of criminal gangs, who lure them with fake job offers and then force them to work in conditions of virtual slavery.
The Office of the U.N. High Commissioner for Human Rights said in a report last month that the gangs have forced hundreds of thousands of people in Southeast Asia into participating in scam operations that include false romance ploys, bogus investment pitches and illegal gambling schemes.
The report said that at least 120,000 people in strife-torn Myanmar and roughly 100,000 in Cambodia “may be held in situations where they are forced to carry out online scams.”
It said the online scam centers in Myanmar are allegedly located in the towns in southeastern Kayin state along the Thai border and Kokang Self-Administered Zone, and the Wa-administered city of Mong La in Shan state on the Chinese border.
Wa liaison officer Nyi Rang said that the online fraud operations aren’t allowed in the territory administered by the UWSA and its political arm, the United Wa State Party, and similar arrests had been made previously.
The UWSA’s online media outlet, WSTV, said Friday on its Facebook account that a total of 1,207 Chinese nationals who were arrested by the Wa state police for online fraud were handed over to the Chinese police. China’s state Xinhua news agency, citing Beijing’s Ministry of Public Security, reported the same figure of those turned over Wednesday, and said they included 41 fugitives from justice.
The United Wa State Army is the biggest and strongest ethnic armed organization among the major ethnic minority groups in Myanmar, with an army of approximately 30,000 well-equipped soldiers and sophisticated weaponry including heavy artillery and helicopters, from China, with which it maintains close relations.
The Wa administer their territory with no interference from Myanmar’s central government in two separate enclaves in northeastern and southern parts of Shan state, the former bordering China and the other Thailand.
China also maintains good relations with Myanmar’s military rulers, who took power after the army ousted the elected government of Aung San Suu Kyi in February 2021.
In July, Chinese Ambassador Chen Hai urged Myanmar’s Foreign Affairs Minister Than Swe during a meeting in the capital Naypyitaw to work together with other neighboring countries to suppress and root out online gambling and scam centers operating in the border areas of Myanmar and rescue trapped Chinese citizens.
Chen Hai visited Naypyitaw at least three times between June and August to discuss China-Myanmar border security matters.
The U.N. report about Southeast Asian cybercrime said the online fraud gangs were also active in southeastern Kayin state on the Thai border.
Shwe Kokko, a small town in the northern part of Kayin state’s Myawaddy township, is notorious for casino complexes that allegedly host major organized crime operations, including online scamming, gambling and human trafficking. The complexes were developed by Chinese investors in cooperation with the local Border Guard Forces, which are militias affiliated with Myanmar’s army.
LYON, France — A century after it was founded, the world’s only global crime-fighting organization faces an existential question: Does the world still need it?
Rising geopolitical tensions including between the United States and Russia and China are challenging the agency’s operating model, which relies on voluntary information-sharing among its members’ police forces.
Add to that persistent claims that its famed Red Notice alert system is subject to political manipulation and accusations of complicity in torture against Interpol’s Emirati president, Ahmed Naser Al-Raisi, and the crime-fighting organization faces a perfect storm.
In an interview with POLITICO, Interpol Secretary General Jürgen Stock said the institution faces numerous difficulties, including over its funding situation. But he argued an agency that spans the globe is needed now more than ever amid international child sexual abuse, environmental crime and mafia groups like Italy’s ‘Ndrangheta.
“The challenges are huge. I cannot say we are sufficiently resourced,” Stock said as the agency marks 100 years since it was founded in Vienna.
“We are overwhelmed by cases of online child sexual exploitation. We are overwhelmed by cases of cybercrime … We are overwhelmed by drug trafficking,” he said. Such international operations are extremely resource-intensive, added the German former high-ranking police official.
His pitch is that the global community can only tackle these kinds of crimes through cooperation. “That is why a global platform is more important than ever. Can you consider if Interpol would not exist? People would say, we need such an agency.”
He cited looming recession and the energy crisis as the main drags on Interpol’s funding push. Asked how much Interpol seeks, Stock did not name a figure, but said tens of millions of euros would be needed to sustain new systems for data and biometric analysis that have not been fully funded.
With 195 member countries as of 2022, the agency’s total revenue in 2022 was €195 million, of which €86 million was “voluntary contributions” — money that member countries contribute to support certain projects.
One of the complaints dogging Interpol is that its funding model is heavily reliant on members’ goodwill. Corporations including Philip Morris and associations like FIFA used to also donate large sums until Stock put an end to the practice in 2014 — a decision he said led to a “difficult couple of years.”
Yet Interpol remains beholden to its government donors including the European Union, its largest single contributor, to pony up cash to support projects or bolster the agency’s capacity to analyze large data sets, for example.
In March 2017, the agency received €50 million from the United Arab Emirates. Months later, its members elected as its president Emirati Major General Ahmed Nasser al-Raisi, who faced complaints lodged in France and Turkey a few months before his nomination over accusations of torture, which allegedly took place in 2018. The UAE’s foreign ministry rejected the complaints as “without foundation.”
Asked about the claims against al-Raisi, Stock said they “are aware of the accusation,” adding that it is an “ongoing matter” and that it would be “inappropriate and immature” to comment further. He also defended the UAE donation, saying Interpol was “not a rich organization” and that the UAE did not decide precisely how the money would be spent.
In addition, Red Notices — which signal that a person is wanted by a member country, but is not an arrest warrant — face criticism that they can be manipulated by repressive regimes pursuing political opponents. A 2022 report from the European Parliament said political use of Red Notices was a persistent “problem,” citing the example of a Ukrainian opera director who was arrested in Italy following a Red Notice issued by Russia.
Stock acknowledged that Russia’s war against Ukraine has “had an impact on police cooperation,” but argued the Red Notice system was sound. “We are checking intensively whether the request is in line with Interpol’s procedures,” he said, adding that Interpol is not a “quasi-court.”
While critics say Interpol is hamstrung by its inability to pursue state-backed criminals and terrorists, Stock argued that it’s precisely the agency’s studied neutrality — which does not allow any member to compel any other to do anything — that allows it to be effective in what it can do.
Stock’s term as Interpol secretary-general, essentially its chief executive, ends in late 2024. Stephen Kavanagh, Interpol’s executive director for police services and, as of Wednesday, a candidate to be Stock’s successor, argued that Interpol’s staying power through 100 years was due to its low profile.
“The reason we are surviving despite the scale of global conflict is because we don’t try to exert power over our members. We can’t order countries to investigate or not investigate — which allows us to be effective in bolstering cooperation,” Kavanagh said.
Cybercriminals are leveraging AI-driven voice simulation and deepfake video technology to deceive individuals and organizations, Bloomberg reported. In a recent incident, a CEO transferred $249,000 in funds after receiving a call that sounded like it came from a trusted source, only to discover it was generated by AI.
Udi Mokady, chairman of the cybersecurity firm CyberArk Software, had a surprising encounter with such an attack. In a Microsoft Teams video message in July, Mokady was taken aback when he came face-to-face with an eerily convincing deepfake version of himself, a move that was later revealed to be a prank by one of his coworkers.
“I was shocked,” Mokady told Bloomberg. “There I was, crouched over in a hoodie with my office in the background.”
While smaller companies may have tech-savvy employees who can spot deepfakes, larger organizations are more vulnerable to such attacks, as there may not be as intimate work relationships or technological understanding to spot whether someone is, well, real.
“If we were the size of an IBM or a Walmart or almost any Fortune 500 company there’d be legitimate cause for concern,” Gal Zror, research manager at CyberArk who carried out the stunt on Mokady, told Bloomberg. “Maybe Employee No. 30,005 could be tricked.”
Cybersecurity experts have warned of the consequences of a human-like AI copy of an executive who unearths vital company data and information such as passwords.
In August, Mandiant, a Google-owned cybersecurity company, disclosed the first instances of deepfake video technology explicitly designed and sold for phishing scams, per Bloomberg. The offerings, advertised on hacker forums and Telegram channels in English and Russian, promise to replicate individuals’ appearances, boosting the effectiveness of extortion, fraud, or social engineering schemes with a personalized touch.
Deepfakes impersonating well-known public figures have also increasingly surfaced. Last week, NBC reviewed over 50 videos across social media platforms wherein deepfakes of celebrities touted sham services. The videos featured altered appearances of prominent figures like Elon Musk, but also media figures such as CBS News anchor Gayle King and former Fox News host Tucker Carlson, all falsely endorsing a non-existent investment platform.
Deepfakes, along with other rapidly expanding technology, have contributed to an uptick in cybercrime. In 2022, $10.2 billion in losses due to cyber scams were reported to the FBI — up from $6.9 billion the year prior. As AI capabilities continue to improve and scams become more sophisticated, experts are particularly worried about the lack of attention given to deepfakes amid other cyber threats.
“I talk to security leaders every day,” Jeff Pollard, an analyst at Forrester Research, told Bloomberg in April. “They are concerned about generative AI. But when it comes to something like deepfake detection, that’s not something they spend budget on. They’ve got so many other problems.”
LOS ANGELES — U.S. officials said Tuesday that the FBI and its European partners infiltrated and seized control of a major global malware network used for more than 15 years to commit a gamut of online crimes including crippling ransomware attacks.
They then remotely removed the malicious software agent — known as Qakbot — from thousands of infected computers.
Cybersecurity experts said they were impressed by the deft dismantling of the network but cautioned that any setback to cybercrime would likely be temporary.
“Nearly every sector of the economy has been victimized by Qakbot,” Martin Estrada, the U.S. attorney in Los Angeles, said Tuesday in announcing the takedown. He said the criminal network had facilitated about 40 ransomware attacks alone over 18 months that investigators said netted Qakbot administrators about $58 million.
Qakbot’s ransomware victims included an Illinois-based engineering firm, financial services organizations in Alabama and Kansas, along with a Maryland defense manufacturer and a Southern California food distribution company, Estrada said.
Officials said $8.6 million in cybercurrency was seized or frozen but no arrests were announced.
Estrada said the investigation is ongoing. He would not say where administrators of the malware, which marshaled infected machines into a botnet of zombie computers, were located. Cybersecurity researchers say they are believed to be in Russia and/or other former Soviet states.
Officials estimated the so-called malware loader, a digital Swiss knife for cybercrooks also known as Pinkslipbot and Qbot, was leveraged to cause hundreds of millions of dollars in damage since first appearing in 2008 as an information-stealing bank trojan. They said millions of people in nearly every country in the world have been affected.
Typically delivered via phishing email infections, Qakbot gave criminal hackers initial access to violated computers. They could then deploy additional payloads including ransomware, steal sensitive information or gather intelligence on victims to facilitate financial fraud and crimes such as tech support and romance scams.
The Qakbot network was “literally feeding the global cybercrime supply chain,” said Donald Alway, assistant director in charge of the FBI’s Los Angeles office, calling it “one of the most devastating cybercriminal tools in history.” The most commonly detected malware in the first half of 2023, Qakbot impacted one in 10 corporate networks and accounted for about 30% of attacks globally, a pair of cybersecurity firms found. Such “initial access” tools allow extortionist ransomware gangs to skip the initial step of penetrating computer networks, making them major facilitators for the far-flung, mostly Russian-speaking criminals who have wreaked havoc by stealing data and disrupting schools, hospitals, local governments and businesses worldwide.
Beginning Friday in an operation officials dubbed “Duck Hunt,” the FBI along with Europol and law enforcement and justice partners in France, the United Kingdom, Germany, the Netherlands, Romania and Latvia seized more than 50 Qakbot servers and identified more than 700,000 infected computers, more than 200,000 of them in the U.S. — effectively cutting off criminals from their quarry.
The FBI then used the seized Qakbot infrastructure to remotely dispatch updates that deleted the malware from thousands of infected computers. A senior FBI official, briefing reporters on condition he not be further identified, called that number “fluid” and cautioned that other malware may have remained on machines liberated from Qakbot.
It was the FBI’s biggest success against cybercrooks since it “hacked the hackers” with the January takedown of the prolific Hive ransomware gang.
“It is an impressive takedown. Qakbot was the largest botnet” in number of victims, said Alex Holden, founder of Milwaukee-based Hold Security. But he said it may have been a casualty of its own success in its staggering growth over the past few years. “Large botnets today tend to implode as too many threat actors are mining this data for various types of abuse.”
Cybersecurity expert Chester Wisniewski at Sophos agreed that while there could be a temporary drop in ransomware attacks, the criminals can be expected to either revive infrastructure elsewhere or move to other botnets.
“This will cause a lot of disruption to some gangs in the short term, but it will do nothing from it being rebooted,” he said. “Albeit it takes a long time to recruit 700,000 PCs.”
Losses from digital theft have doubled over the past two years, according to the FBI. Sharyn Alfonsi shows how cyber scammers are using AI, apps and social engineering to target seniors.
This is an updated version of a story first published on May 21, 2023. The original video can be viewed here.
More Americans than ever rely on alarm systems, gates or doorbell cameras to help protect their families. But statistically, you are now more likely to be the victim of theft online than a physical break in at home.
A new report from the FBI reveals that Americans lost more than $10 billion last year to online scams and digital fraud.
As we first reported in May, people in their 30s – who are among the most connected online – filed the most complaints. But we were surprised to learn the group that loses the most money to scammers… is seniors.
Tonight, we will show you how cyber con artists are using artificial intelligence, widely-available apps and social engineering to target our parents and grandparents.
Susan Monahan: It’s like a death in the family, almost.
Tamara Thomas: Well, she worked so hard, you know.
Susan Monahan: For my money. I sure have.
Susan Monahan and her daughter, Tamara, are talking about how the 81-year-old was conned out of thousands of dollars in what law enforcement calls a “grandparent scam.”
Tamara Thomas and her mother Susan Monahan
60 Minutes
Sharyn Alfonsi: Tell me about the call that you got.
Susan Monahan: There was a young adult on the line saying, “Grandma, I– I need your help,” in a frantic voice, scared, saying– “I was driving and suddenly there was a woman stopped in front of me. She’s pregnant, and I hit her.” And “they’re gonna take me to jail,” and, and, “Grandma, please don’t call my mom and dad, because I don’t want them to know.” And I said, “Brandon, it doesn’t sound like you.” He said, “Oh, I have a cold, Grandma.”
Sharyn Alfonsi: You think it’s your grandson?
Susan Monahan: I do. And he said, “Grandma, a friend of mine has an attorney that we can, that we can use, and that we can do something about me going to jail.” And I said, “Yes, of course.”
Monahan said the scammer – pretending to be a helpful attorney – got on the line. It was June of 2020, during the pandemic, and he promised to keep her grandson out of jail, if she could get $9 thousand for bail to him quickly.
Sharyn Alfonsi: What other instructions were you given?
Susan Monahan: I needed to make an envelope that was addressed to this certain judge, that he was gonna coordinate this through, and write on there and they gave me the name, the address, and everything else for this envelope.
Sharyn Alfonsi: Did it sound pretty legitimate?
Susan Monahan: Oh, absolutely. He had the legalese.
Monahan is a tax preparer – with an MBA. The scammer kept her on the phone as she rushed to the bank.
Sharyn Alfonsi: What’d he say?
Susan Monahan: He said, “when you go there, make sure you tell them that it’s for home improvements, ’cause they might question the fact that you’re withdrawing $9,000.”
Minutes after Monahan got home with the cash… a courier showed up to take it. This is video from the doorbell camera. You can hear Monahan on the phone with the scammer as she hands off the money.
Susan Monahan: He said to move your butt ’cause they’re on a deadline.
Courier: OK, have a great day.
She says as soon as the courier left and the adrenaline left her body… she was filled with a sick feeling she’d been scammed.
Tamara Thomas: It’s just devastating.
Sharyn Alfonsi: What did they do to your mom? Beyond the money, beyond taking $9,000 from her?
Tamara Thomas: Well, it’s your livelihood. I’m sorry. It just gets you, like, in your gut.
The Federal Trade Commission reports scams like these… skyrocketed 70% during the pandemic when seniors, home alone, went online to shop or keep in touch with family.
Sharyn Alfonsi: How much money were you scammed out of?
Ester Maestre: $11,300.
Steve Savage: $14,000.
Judy Attig: $7,600.
Judy Attig and her husband Ron, a retired ironworker, were victims of the same “grandparent scam” as Susan Monahan. That’s the view from their doorbell camera… as the same courier took off with $7,600 of their savings.
Sharyn Alfonsi: $7,600 hits hard.
Ron Attig: Oh yeah–
Judy Attig: Well, that was for, you know, if we wanted to go on a trip or something. It was terrible. I was a mess.
Steve Savage, a retired scientist, was scammed when he opened a fake email from the Geek Squad.
Steve Savage: The email said that, “Your bank account is being charged $399 for another year.” And I’m like, “Wait a minute, I don’t remember it being anywhere close to that.”
The customer service number went to a scammer posing as a representative of the company. Savage was duped out of $14 thousand.
Ester Maestre was scammed too. The retired nurse says an alarm sounded on her iPad with a message to call “tech support.” She did.
Ester Maestre: He said that, “last night between 4 and 9 p.m. your bank account has been hacked.”
Sharyn Alfonsi: And your heart probably stopped.
Ester Maestre: Oh, you know, I felt so nervous. But he said, “I am going to transfer you to another guy who’s a security at Chase Bank.”
That fake bank employee told her hackers might be able to access her bank account and instructed her to immediately withdraw money and deposit it into a new account for safe keeping. Maestre did and lost $11 thousand.
Sharyn Alfonsi: And have you been able to recover any of your money?
Ester Maestre: Nothing.
Sharyn Alfonsi: Nothing.
Ester Maestre: I’m the one that pulled the money out of the bank, so I won’t be reimbursed.
Sharyn Alfonsi: If your house gets broken into, you call the police. If this happens–
Scott Pirrello: There’s no one to call.
Scott Pirrello is a deputy district attorney who runs San Diego’s Elder Justice Task Force and connected us to the victims you just heard from. He says studies show only one in every 20 seniors who’ve been scammed reports it. Often, they’re embarrassed.
Scott Pirrello: Most people who have not experienced this think, “Well, these people must have dementia or Alzheimer’s.” It’s not the case. Our victims are sharp as a tack. We had a woman, 66 years old, she came home, she got a message on her computer from Microsoft and the message said that she had a virus on her computer. And then that virus had somehow infected her financial accounts. Within a matter of weeks this victim had lost $800,000.
Sharyn Alfonsi: Oh my gosh.
Scott Pirrello: The scariest part of these scams is that these victims have no recourse. They’re left bewildered.
Sharyn Alfonsi: What typically happens?
Scott Pirrello: The seniors that have the courage to report that this has happened are being told that, “I’m sorry, there’s nothing we could do.” And that is the reality, that a local police detective in Kansas City doesn’t have the reach to go investigate a case that’s being operated from the Caribbean, or from Nigeria, or Ghana.
Investigators have also traced scams to Europe, Southeast Asia and Canada.
To combat them, San Diego’s Elder Justice Task Force has taken a new approach. Investigators collect every local fraud case, then collaborate with federal authorities to connect them.
Scott Pirrello: If we have a victim that lost $12,000 here in San Diego, there is without question, dozens of other victims to the same scam and millions of dollars in losses. And then once we identify that the scam is part of something much larger, then we can deliver that to our federal partners with the reach to go around the country. Because these are networks. These are transnational, organized, criminal networks.
In 2021, Pirrello helped the FBI bring down a network of criminals who stole millions of dollars from elderly victims.
Remember those doorbell videos from the grandparent scam? The courier, a 22-year-old Californian, was the starting point for the FBI’s case. She’s serving time for her role but the FBI says the scam’s ringleaders, two Bahamian nationals based in Florida… fled the country before they could be arrested.
Rachel Tobac: If you don’t know how a criminal thinks, then you really don’t know how you can protect yourself online.
Rachel Tobac is what’s called an “ethical hacker.” She studies how these criminals operate.
Rachel Tobac: So ethical hackers, we step in and show you how it works.
Tobac is the CEO of Social Proof Security, a data protection firm that advises Fortune 500 companies, the military and private citizens on their vulnerabilities. We hired her to show us how easy it is to use information found online to scam someone. We asked her to target our unsuspecting colleague, Elizabeth.
Tobac found Elizabeth’s cellphone number on a business networking website. As we set up for an interview, Tobac called Elizabeth but used an AI-powered app to mimic my voice… and ask for my passport number.
Elizabeth: Yes, yes, yes I do have it. OK, ready? It’s…
Tobac played the AI-generated voice recording for us… to reveal the scam.
AI Voice: Elizabeth, sorry, I need my passport number because the Ukraine trip is on. Can you read that out to me?
Rachel Tobac: Does that sound familiar?
Elizabeth: Yes. And I gave her– wow.
Rachel Tobac: I have–
Elizabeth: I was duped–
Rachel Tobac: –your passport–
Elizabeth: –sitting over there.
Sharyn Alfonsi: What did it say on your phone?
Elizabeth: Sharyn.
Sharyn Alfonsi: How did you do that?
Rachel Tobac: So I used something called a spoofing tool to actually be able to call you as Sharyn.
Elizabeth: Oh, so I was hacked, and I failed, failed the hacking–
Sharyn Alfonsi: No.
Rachel Tobac: But everybody would get tricked with that. Everybody would. It says Sharyn. “Why would I not answer this call? Why would I not give that information, right?”
Tobac showed us how she took clips of me from television, and put them into an app… that cloned my voice. It took about five minutes.
Sharyn Alfonsi: I am a public person. My voice is out there. Could a person who’s not a public person like me be spoofed as easily?
Rachel Tobac: Anybody can be spoofed. And oftentimes attackers will go after people, they don’t even know who these people are. But they just know this person has a relationship to this other person. And they can impersonate that person enough just by changing the pitch and the modulation of their voice that, I believe that’s my nephew and I need to really wire that money.
Tobac says hackers no longer need to infiltrate computers through a back door. She says 95% of hacks today happen after a user clicks on a text, a link, or gives personal information over the phone.
Sharyn Alfonsi: You were able to hack my colleague Elizabeth, who is a tech-savvy millennial. What does that tell you?
Rachel Tobac: Anybody can be hacked. Anybody can fall for what Elizabeth fell for. In fact, when I do that type of attack, every single time, the person falls for it.
She said hackers… armed with basic information, like a relative’s name found online… or an app that can mimic a voice or change the caller ID … can create a convincing story.
Rachel Tobac: If you were to receive a phone call, a text message, an email, and it’s asking for something sensitive, urgent, or with fear, that’s when the alarm bells have to go off in your head. They want me to give something to them. I’m gonna take a beat, and I’m gonna check that this person is who they say they are. I call it being politely paranoid.
Sharyn Alfonsi: Politely paranoid.
Rachel Tobac: Be politely paranoid.
Tobac has worked as a consultant for Aura… a Boston-based technology company that created software to protect the identity, passwords, finances and personal data for entire families in one app.
Hari Ravichandran: Here you can see a full footprint of everything that’s happening inside the family.
Hari Ravichandran is the CEO of Aura… he says their software can re-route scam calls away from grandparents.
Hari Ravichandran: If the parent is getting a call, and we are identifying using AI that the call is a potential scam call, then they can route that call to me.
Sharyn Alfonsi: Does this stop the call from getting in?
Hari Ravichandran: It does. It, so–
Sharyn Alfonsi: So it just blocks the call?
Hari Ravichandran: When the call comes in, it will have a recording that says, “Let me know who you are: What’s your intent?” if it’s an unknown person. If it’s a known person that’s already in your contacts, it’ll go right through.
Ravichandran says AI is also used to monitor finances and alert users of problems in real time.
Hari Ravichandran: If I see a charge from my mom for $10 at Starbucks, that feels OK. But if there’s a $500 charge from Starbucks, something’s off kilter. So we try to figure out with AI, contextually, what’s different. But if something’s off pattern, then you can look at that, and say, “OK. Well, something’s off here. I need to go take care of this.”
San Diego Deputy District Attorney Scott Pirrello says more help is needed from law enforcement and the banking and retail industries to protect seniors. The FBI reports over the past two years, the losses from digital theft have doubled.
Scott Pirrello: The trends and– and the data are horrifying. We have the senior population is growing exponentially every year. We have this dynamic of under-reporting and then we have the technology coming. People are convinced that AI is playing a part in maybe pretending it’s the grandchild’s voice. We’re all just next on the conveyor belt and we all need to do a better job.
FBI statement:
The FBI is proud of the work accomplished through the Elder Justice Task Force and the brave victims willing to speak out. Help us protect our seniors by reporting elder fraud incidents to ic3.gov.
Produced by Oriana Zill de Granados and Emily Gordon. Broadcast associate, Elizabeth Germino. Edited by Robert Zimet.
Palo Alto Networks Inc. shares rallied Friday after hours as the cybersecurity company topped expectations with its latest earnings, as well as with its forecasts for profit and billings, outlining that new reporting rules and AI-backed adversaries are driving adoption.
The stock PANW was rallying more than 9% in the extended session, following a 1% gain in the regular session to close at $209.69.
Palo Alto Networks forecast first-quarter adjusted earnings of $1.15 to $1.17 a share on revenue of $1.82 billion to $1.85 billion and billings of $2.05 billion to $2.08 billion. Analysts were estimating $1.11 a share on revenue of $1.93 billion and billings of $2.04 billion for the first quarter.
For the year, the company expects $5.27 to $5.40 a share on revenue of $8.15 billion to $8.2 billion on billings of $10.9 billion to $11 billion. Analysts tracked by FactSet had been projecting $4.98 a share on revenue of $8.38 billion and billings of $10.81 billion for the year.
The company defines billings as “total revenue plus the change in total deferred revenue, net of acquired deferred revenue, during the period,” and it is a metric used to account for subscriptions.
On the extended call with analysts, Nikesh Arora, the company’s chairman and chief executive, said that while strong fourth-quarter results did not come as a surprise, what did come as a surprise was the speed of adoption of its Cortex XSIAM AI-driven security platform, especially now that regulators are going to start requiring quick disclosures for material cyberattacks.
Palo Alto Networks reported fiscal fourth-quarter net income of $227.7 million, or 64 cents a share, compared with $3.3 million, or a penny a share, in the year-ago period. Adjusted earnings, which exclude stock-based compensation expenses and other items, were $1.44 a share, compared with 80 cents a share in the year-ago period.
Revenue rose to $1.95 billion from $1.55 billion in the year-ago quarter, while billings rose 18% to $3.2 billion. Analysts surveyed by FactSet had forecast $1.29 a share in adjusted earnings on revenue of $1.96 billion and billings of $3.18 billion.
The company launched XSIAM in October, and set a goal of booking more than $100 million in the first year. Arora said that in less than a year, XSIAM has already brought in $200 million, indicating that interest in applying AI to enhance security is “very high.”
“Our customers have told us loud and clear that the legacy products powering their stacks are no longer working and they need to reduce by an order of magnitude,” Arora told analysts. “This becomes increasingly important with the new SEC rules detailing that all public companies will be required to report material breaches within four business days.”
On the call, Lee Klarich, Palo Alto Networks chief product officer, told analysts that it wasn’t long ago that the average time between an initial hack and stealing data was about 44 days. Now, that can happen in a matter of hours, which is a huge problem, Klarich said, noting that attackers are adopting AI to perform attacks.
“On average the industry is able to respond and remediate attacks in about six days: That doesn’t work,” Klarich said. “And even more challenging now with the SEC new rules of being able to disclose within four days, none of the math adds up.”
Nvidia Corp. NVDA, which also has a huge stake in AI, reports results after the bell on Wednesday.
Palo Alto Networks is a new entrant to the S&P 500 index SPX, having gotten the nod in June. As of Friday’s close, Palo Alto Networks shares have gained 50.3% year to date, compared with a 12.4% gain on the ETFMG Prime Cyber Security exchange-traded fund HACK, a 13.8% gain on the S&P 500, and a 27% rise on the tech-heavy Nasdaq Composite COMP.