Wednesday, March 6, 2019

«Social networks are paradise for cyber criminals»

An anonymous hacker speaks to us about his cunning "craft" and explains his most successful scams. According to the hacker, there are many, many opportunities to attack internet users, particularly because the digital world is becoming increasingly vulnerable as usage and the volume of data grows.

Who are cyber criminals particularly interested in?

Firstly, politicians and business people. People with influence, power and often also money. Secondly, people who are naive and careless online. It is fairly easy to persuade them to disclose information that enables us to exploit them or hack them directly.

Is it easy to steal data online?

I would not necessarily use the term "steal" in this context. Lots of information on private individuals and companies is available in the public domain. We live in an age of "pseudo-transparency" where everyone wants to know everything about everyone. But transparency means that there is a lot of information available, which can be good but also very bad. So, if I attempt to obtain data about a "target", I am not actually stealing. Of course, I do have ways of finding out more about a person if I need to.

Cyber risks: How vulnerable am I?

Do the cyber risk check now and calculate your personal risk profile

To the check

How much research do hackers carry out before an attack?

There are many different scenarios, and therefore methods. The "script kiddies" are opportunistic. They conduct very little research and attack the masses. Other hackers carry out targeted, precise attacks with no room for error. With these types of attack, the attacker must always bear in mind that they are playing with fire. You can make an enemy out of governments, the police, banks or companies who would not hesitate to strike back. The virtual world is not a democracy – the law of the jungle prevails.

How do you lure potential targets?

When you tell someone about the dangers of the internet, their first response is usually "you would have to be an idiot to fall for those tricks". But actually we live in a world where being self-centred and pursing your own interests has become the norm. If you subtly flatter, seduce and charm, you can get everything you need from your target person. That's why social networks are paradise for us. We create fake profiles on Facebook, Twitter and LinkedIn to find out more about a target. For example, we pretend to be an attractive women and deliberately visit men's profiles. We can create an impressive number of new contacts within a very short space of time using this simple method. We may also pretend to be a potential business partner, or flirt with the target. Over time, we can obtain personal details such as addresses or even information about a person's financial situation using this method.

What do you do with this information?

We collect this data and increase our knowledge of the target person over weeks or even months. Victims will often talk to us about their fragile relationship, problems with their children or even their extramarital affairs. Any seemingly small piece of information like this which goes against the ethical standards and morals of the general public is a gift from heaven that we can use to blackmail our target. We can also ask victims to send us money or sensitive data under false pretences. It is important to determine the emotional vulnerability of a potential victim and exploit this at the right time.

Do smartphones make your work easier?

Absolutely. It would be a mistake to disregard smartphones, particularly as they often aren't as well protected. The biggest benefit of the smartphone is that the target person always has it with them. If you are able, using a variety of methods, to successfully install spyware then that opens up a whole new world to us. You then have access to their microphone, cameras, passwords for WiFi networks and even the VPN to access their employer's intranet. It is important to focus not only on the target person, but also on the doors that they open up. Often, we can tap into a whole network of contacts.

Are you exclusively active online?

No. Some of us are also active in the "real world". In hotels, for instance, where a lot of interesting targets stay. We prefer hotel rooms that are locked using chip cards. While business people are out of their rooms, we sneak in using fake keys and load malware onto their laptops with a USB stick in a matter of seconds. A less risky method is to get a maid to do this job for us and pay them well in return. Other hackers penetrate companies and load their malware directly into internal company networks.

Some hackers also use the telephone to obtain information. Why?

The telephone is a useful tool for a number of reasons. Firstly, you can play with the sound of your voice, the tone etc. This gives you more flexibility than with email. You also get an immediate response from the person you are speaking to. You can immediately tell if the target is suspicious or feels safe. Generally speaking, people are "programmed" to be friendly and helpful. For example, you could call the mother of the target person and say "I have your son's old number and am unable to get hold of him. Could you please give me his new number?" or you could call the school of your target person's children to find out more about the parents. That also works with sports clubs, associations etc.

Are there other ways of obtaining sensitive data?

Yes, there is what experts call "IoT" or the "internet of things". This refers to devices that are connected to each other, such as TVs, cameras and fridges. Their operating systems are generally less secure – usually for financial reasons, as security has a price. You can use hacking techniques from the 90s for these devices, which is fun for us, unlike with Windows 10 or Mac OSX Mojave, for instance, where finding vulnerabilities has become more difficult and less enjoyable.

What about public spaces?

There is an old attack that still works: "evil twin attack". This involves building a WiFi network similar to that of a public place. When you log on at Starbucks, for instance, the hacker creates an access point called "Starbucks". To get your devices to connect to the fake network, the hacker sends a stronger signal than the real Starbucks network. As soon as you are connected, the hacker becomes the "man in the middle" and can capture the data being transferred. Of course, you need other tricks to spy on encrypted connections.

Have you also targeted contactless payment methods?

Yes, they are also a target. There used to be technology around that did not have sufficient protection and this made it very easy for us to copy a card without any contact. Cryptography has improved since then and so duplicating cards is no longer any fun. However, you can use a hidden antenna to capture the signal emitted by a target person's card and send it from your trouser pocket to a payment terminal, for example in a shop. The connection remains fully encrypted; as the attacker, you have no idea what is being sent, but it is enough for small amounts of up to 40 francs where you do not need the PIN.

How can we make your life more difficult?

If a computer is protected by two-factor authentication, that makes it more complicated because user action is required in order to access it. For example, you might need to confirm your identity by entering a code received by text. There are, of course, always ways to get around two-factor authentication – but we need to keep some secrets. You can also significantly limit potential damage by systematically using different passwords for different accounts.

What are your thoughts on electronic password safes?

If we crack the main password, we can access the entire safe. If you want to keep yourself 100 percent safe, keep all your passwords in your head or write them down in a notebook and leave it at home.

Cyber risks: How can I protect myself?

Would you like to know how to protect yourself from ill-intentioned hackers? Download our cyber security guide and learn how.

To the guide