Experience shows that even Internet old-timers fail to protect themselves from targeted hacking. As our everyday lives become ever more connected to the Internet and other networks, online security is turning into an urgent necessity.
Almost everybody has an email account, social media accounts and online banking. People order goods online and use mobile Internet to identify themselves (for example, in two-factor authentication solutions) and to do other important things. Unfortunately, none of these systems is fully secure.
The more we interact online, the bigger the target for crafty hackers gets; security specialists call this the “attack surface.” The bigger the surface, the easier it is to attack. If you take a look at these three stories from the past three years, you will clearly see how this works.
How to steal an account: hack it or just make a telephone call?
One of the most powerful tools used by hackers is “human hacking,” or social engineering. On February 26, 2016, Fusion editor Kevin Roose decided to check whether it is really THAT powerful. Social-engineering hacker Jessica Clark and security expert Dan Tentler accepted his challenge.
Jessica promised to hack Kevin’s email with a phone call, and she successfully fulfilled this task. First, her team made a 13-page profile covering what kind of man Roose is, what he likes and dislikes, and so on. All the data was taken from public sources.
Having prepared, Jessica spoofed Kevin’s mobile number and called his phone company. To add to the tension, she turned on a video of babies crying in the background.
Jessica introduced herself as Roose’s wife. Her cover story was that she and her “husband” were about to apply for a loan, but the young and frazzled mother had forgotten the email address they used together. With the babies crying in the background, Jessica quickly persuaded the support service to reset the email password and received full access to her target’s email.
Dan Tentler solved his task with the help of phishing. First, he noticed that Kevin had a blog on Squarespace and sent him a fake official email from this blogging platform. In the letter, the Squarespace admins asked users to update their SSL certificate for the sake of “security.” Instead of providing protection, this file gave Tentler access to Kevin’s PC. Dan then created several fake popups that asked Roose for specific credentials, and that was all it took.
Tentler gained access to Kevin’s banking data, email and online-store login credentials, as well as his credit card data and social security number. Moreover, Dan acquired photos of Roose and his screen, which had been taken automatically every two minutes during the 48 hours of the hack.