At some point in our lives, we’ve all faced deception or betrayal at a deep and personal level. It can be devastating to who we are, or how we perceive ourselves, and can forever change our views on trust, safety and privacy. I say the above because, without knowing it, we can easily betray and deceive ourselves when it comes to privacy and security online.
In the past, I’ve written about how trust is easily exploited in a security system, allowing hackers entry into a network. I’ve also written briefly about how we have a false sense of security when we install a virus scanner that can’t detect the latest ransomware threats.
However, this article is going to look at these threats from a more personal angle. We’re going to be diving into how easy it is for a hacker to disrupt your life by exploiting and deceiving your natural instinct to trust.
My goal here is to not to make people be as paranoid as I am, but to impress upon readers just how easy and unexpected attacks can be. At the end, I’ll give you six steps to help protect yourself and your business from a scenario like this one.
The Setup: Creating the Target
Before we begin, let’s create a fictional target for us to exploit. Let’s call this person Steve. Steve is an executive at a company and is concerned about cybersecurity, as well as his own privacy.
His company appears to have moderate defenses: a decent firewall, password policies, user access restricted by group or need and a few other things we normally see any company run as a typical defense.
So, Steve hires our company to test his defenses. Little does he know that the human element of our testing is the element that will eventually shake him to the core. For the purposes of this article, we’re going to primarily focus on Steve and just how simple it would be to ruin his life.
Who the Heck is Steve Anyway?
Even before we’ve signed a contract, I’m already working on gathering intelligence on Steve. I’m arriving at his office early for meetings just to talk to the receptionist and the people in his employ.
They see and talk to me so frequently that I’m easily reinforcing the notion I belong in their office as an IT authority. I’m building up trust with the people that surround Steve, even though Steve has no idea I’m doing this. At this point in the process, I intentionally have no access to the network, as our goal is to break it from the outside in and also insert ourselves deeply into Steve’s life.
Steve signs the contract and non-disclosure agreements. As we wrap up this meeting, I immediately get to work. Once offsite, I call the receptionist who I’m now on a first name basis with and let her know we’re doing some work and need to use her computer as a test.
Of course, she agrees because she knows me and that I’ve also been hanging out with her boss. From there, I’ve now gained permanent access to the network. I grab Steve’s personal contact information from the company-wide address book. I don’t yet have access to his computer systems directly, but we’ll get there.
Armed with Steve’s personal information, I can now use my data collection utilities to begin automatically scouring the internet for anything Steve related.
I find out that Steve is married to Karen and they have two kids, Mike (age 15) and Sally (age 12). I know where Steve went to high school and college as well as the years he graduated. I find out what his social media (Facebook, Twitter, Instagram, etc.) accounts are. I find out if he posts on any specialty forums due to his hobbies or interests. Then I do the same intelligence gathering on Karen and the kids. When I’m done I have gathered quite a bit of intelligence on Steve and his family, though I have not done anything with it yet.
Planning the Attack on Steve
Because I want to know everything about Steve, I need to figure out what my end result is here. Do I want to dox him and reveal all of the secrets I can gather or maybe hold that information over his head for ransom?
Do I want to disrupt his life and make it very hard for him to use computers, mobile devices and reliably get onto the internet to do things like pay bills and even just communicate? Do I want to break into his financial accounts and attempt to steal money?
Maybe I want to break into his company and steal information from them that I can either sell on the black market or hold for ransom. Let’s do all of them here, shall we?
To achieve this requires stealth, so I cannot just break into all of these things at once. Though as I gain deeper access, it does become easier to break into more of Steve’s assets.
He cannot be aware of my attempts, or we could risk him becoming more paranoid than he already is since he knows we’re working on breaking into his company network.
Given all of the intelligence I have gathered on Steve personally, it would appear that social media is a relatively easy target. If I am able to get into his world on Facebook, I will find a goldmine of information that I wouldn’t normally have access to.
Hey, Steve! Remember Me?: Beginning the Attack
Starting with Steve’s high school (Mustang High, class of 1980), I find a list of his classmates online and then check it against known Facebook accounts. I find classmates that aren’t on Facebook and also don’t appear to be dead and then build them a fake Facebook profile.
I will connect this profile to multiple other fake profiles I’ve created to give it the illusion that it has confirmed friends and is also new but growing. I then send a friend request to Steve with a message that says something to the effect of, “Steve! It’s been ages! I still remember that crazy homecoming. Class of 80 was awesome. I’m just getting into this whole Facebook thing. Hope all is well!”
See what I did there? I gave Steve three points to remember this person by. First is the valid name of someone in his class, the second is a memory and the third is a validation of the class year. Even if Steve doesn’t remember my name or the crazy homecoming story, he will most likely validate me because I’m unwavering in my memory and know a personal detail about the class year.
Usually, this tactic works on most people and is almost never challenged (“Oh yeah? Tell me about that homecoming craziness.”). However, maybe Steve likes to keep his Facebook friends more recent to his life and thus my approach won’t work and he’s denied me.
The Next Easiest Target
We know Steve didn’t care to friend me, the jerk, so we move on to his wife, Karen. Karen also has social media accounts and I can find out the same information on her as well.
I know she went to the same college as Steve. In fact, their marriage and age of the kids tells me that they most likely met in college. I know that Karen is a biologist at a local laboratory, so I know she had to take biology courses in college.
I create another fake Facebook profile, this time putting myself into Karen’s college and her field. I take a calculated risk and tell her about how I thought her and Steve were the perfect couple back then and am happy to see them still together. My own marriage to my husband (I’ve switched genders because it’s easier to be accepted by the same gender) is rocky, so it’s nice to see a couple make it.
If Karen accepts my friend request, I will then have access to more information on Steve. I will find out more about his interests (baseball and classic cars), when they vacation, pictures of his family I could possibly use to threaten him, restaurants he frequents and typically when (Saturday is date night given the amount of time they go out to fancy restaurants sans children). All of this I can use against Steve without him knowing just yet.
Normally, we don’t even need to go this deep, and typically the executives or companies that would hire us to do this kind of work wouldn’t think that it would extend to their families but family is a major vulnerability for most without them even knowing it.
Let’s assume Karen also turns me down and I once again strike out.
Your Kids Are Your Greatest Strength
They can also be your greatest weakness.
Since Steve and Karen didn’t respond, I can now target their kids. I can easily connect with his kid’s social network by pretending to be a peer or an educational or extra-curricular authority.
I won’t go into much detail here for privacy reasons, but let’s say I connect with his son Mike. In that scenario, I am now into Mike’s social network and by extension his fathers.
The Payload
Through my interaction with Mike, I know that he’s home most nights when he doesn’t have baseball practice and he has his own laptop in the house. Once I’ve gained his trust I’m going to leverage that information in a couple of ways to gain access to what I need.
I will send Mike an infected attachment that he will want to open. Whatever I choose, it must be enticing enough for him to want to open it. Let’s say I picked free playoff tickets to the Cubs game. I’ll make up an excuse, for instance, a last minute trip. Once Mike opens the attachment, it will infect the computer with a program that is undetectable to virus scanners and give me remote access.
Next, I’ll use Mike’s laptop to infect the rest of the home network and determine which computer is Steve’s. From here, I can inject an infection directly into Steve’s computer via an email from Mike’s account. Alternatively, I could directly transfer hacking utilities to Steve’s machine or break into his router/firewall and direct the traffic through my own servers.
Now I’ve got Steve. I get to work copying out Steve’s files, password lists, web browser information where his online passwords are stored and set up various infections that will capture his passwords and other login information live. Prior to this, I’ve disabled his virus scanner by creating a massive exceptions list so it will skip all of my infections, if it can even detect them in the first place.
Even if Steve has two-factor authentication enabled, I can probably bypass it because I can simply use his own computer to access those sites.
I now know who he communicates with, the typical passwords he uses, and even the VPN settings he uses to connect to his office which I can then replicate and attempt to attack. At this point, if I was malicious, it would be game over for Steve as I quietly make plans to steal his money and/or ruin him publicly with what I find.
Forgot About This One, Didn’t You?
If you recall, dear reader, when Steve first signed the contract, which could have been months ago at this point, I was able to gain illegal access to the receptionist’s computer. I’ve kept up that relationship, checking in regularly with that person for two reasons:
1. To make it look like I’m doing work only on the network as inevitably the receptionist is going to tell Steve about this and Steve already knows I’ve breached his office but he was expecting that. Typically, staff isn’t informed since we want to test the staff’s training as well.
2. Secretly check on the attacks I’ve been running from that computer into the rest of the network. By now, I know Steve’s computer information and have been attacking trying to get a payload installed.
Because of this initial attack, I was able to infect multiple computers on the network by inserting infected files into company shared drives. The receptionist may not have executive level access do but she does share other common shared folders for collaboration which I can infect, not to mention internal corporate email.
From another infected computer in the company, assuming I didn’t infect Steve’s in the initial attack because he’s on guard, I will send Steve an email with an infected attachment. It bypasses their spam filters because it’s internal communication, with an important message in it so Steve will open it and thus infect his own computer. Since Steve has greater access as an executive, I can then send the IT admins an internal email impersonating Steve with an infection that will bypass the defenses and allow me to access the network as the IT Administrator itself.
The Infection Has Taken Over
I now own literally everything in Steve’s technological life. His home computers, his office computers and the entire company network. It will be a rather memorable meeting with him as I detail how I was able to exploit the trust he and his family have in their technology and friends.
I can tell him his personal passwords directly and also give him copies of pictures or documents that are personal to him. I can log into his own corporate firewalls in front of him and stop access to anyone in the company or even change their passwords and lock them out live.
Now, imagine if I was malicious. Imagine if I wasn’t there to simply test defenses and show my client their vulnerabilities. This happens to people all the time and some right now are even under attack as I type this. Hackers don’t have rules. They don’t have boundaries.
There are no off limits when it comes to families or relatives. They will exploit the weakness for their own gain. If they are hired to attack you, they will do everything and anything for money including inserting illegal documents into your computer and then alerting law enforcement.
We know that major leaders, celebrities and corporate titans are always under siege but so are average people. It’s easier to exploit a thousand unsuspecting people for smaller payoffs than it is to take down larger more public targets for a single payout.
How Do We Stop People Like Me?
If completely shunning technology and joining the Amish really isn’t your thing to keep your private information safe, then here are a few steps that will help you mitigate your risks.
Before we begin, remember that nothing is foolproof and the problem with defending against an attack like this is that many technological defenses can be bypassed because the hacker has gained you or a colleague’s trust. This scenario is the equivalent of opening your door to a robber because you believed their story. Once that person is in, defending yourself becomes harder.
Even the most comprehensive defenses can be exploited by truly experienced hackers but a few simple tips go a very long way to reducing your chances of this level of exposure. Here are a few options:
1. Educate Yourself
Education is of paramount importance. Not just for you, but for everyone around you. Defense of a company or family technology is a team effort and you’re only as strong as your weakest link.
Teach your employees, spouses and children about the dangers of accepting friends or connections into social media you don’t really know. Make sure they understand that free offers coming from friends may not always be real as the friend could be fake or even had their account stolen.
2. Stay Vigilant
Vigilance has to be maintained. People love to get lax in security and defense because it’s too complicated or less enjoyable. Once people skip steps, they become vulnerable.
Having a few simple procedures that you drill into everyone over and over will help to keep the defense live. For example, if someone friends me on Facebook I politely challenge them to ensure they really do know me and not just some generic facts like my age or graduating class year.
3. Protect Sensitive Data
Encrypt everything critical. So this may not apply to your vacation pictures but it does include that Excel file full of passwords. Putting a password on it is better than nothing. This way, I cannot simply copy it to my device and open it.
Yes, the hacker may have installed software on the breached device to capture these passwords as they’re typed in, but if the hacker doesn’t have that skill this will go a long way to preventing deeper hijacking of data. Remember, not all hackers are created equal.
4. Purge Accounts
Get rid of old or inactive accounts. Do you remember that Yahoo! or AOL account you stopped using five years ago because you switched to Gmail? That can come back to haunt you as recent Yahoo! disclosures showed us that roughly 500 million accounts were hacked.
That account could still have valid contacts in it or be protected with a password you still use. That is gold for a hacker as it gives us a list of people to impersonate and a password to try.
5. Stay Alert
Keep up-to-date with the latest hacks. There are tons of articles out there regarding hacking trends to look out for.
Hackers are a rather innovative bunch and for every new piece of social media technology out there, I can guarantee you hackers are working on cracking it to exploit it. Want proof? Look no further than Snapchat which I wrote about rather extensively earlier in the year.
6. Stay Informed
Also keep informed of new security trends. Cybersecurity is a constantly shifting and changing landscape. New products and technologies are always coming out to try and keep us ahead of the hackers and they usually succeed for a short while.
If you don’t have the time or inclination to be constantly keeping up with these trends, then I highly recommend talking to a good (and there are plenty of bad ones out there) cybersecurity professional regularly as it is their job to be on top of these trends.
Concluding Thoughts
You are only as safe you choose to be. You are protected only by the vigilance of your security technology and personal and team practices. This nightmare scenario is reality for many people annually. In most cases, the hackers don’t have to go as deep as I did here to cause serious damage to your life.