By Kate Kochetkova of Kaspersky Lab
Experience shows that even Internet old-timers fail to protect themselves from targeted hacking. As our everyday life is becoming more and more connected to the Internet and other networks, online security is turning into an urgent necessity.
Almost everybody has an email account, social media accounts and online banking. People order goods online and use the mobile Internet to identify themselves (for example, in two-factor authentication solutions) and to do other important things. Unfortunately, none of these systems is fully secure.
The more we interact online, the bigger the target for crafty hackers gets; security specialists call this the “attack surface.” The bigger the surface, the easier it is to attack. If you take a look at these three stories from the past three years, you will clearly see how this works.
How to steal an account: hack it or just make a telephone call?
One of the most powerful tools used by hackers is “human hacking,” or social engineering. On February 26, 2016, Fusion editor Kevin Roose decided to check if it’s really THAT powerful. Social engineering hacker Jessica Clark and security expert Dan Tentler accepted his challenge.
Jessica promised to hack Kevin’s email with a phone call, and she succeeded. First, her team compiled a 13-page profile, which covered what kind of man Roose is, what he likes and dislikes, and so on. All the data was taken from public sources.
Having prepared, Jessica spoofed Kevin’s mobile number and called his phone company. To add to the tension, she turned on a video of babies crying in the background.
Jessica introduced herself as Roose’s wife. Her cover story was that she and her “husband” were going to apply for a loan, but the young and frazzled mother had forgotten the email address they used together. With babies crying in the background, Jessica quickly persuaded the support service to reset the email password and gained full access to her target’s email.
https://youtu.be/bjYhmX_OUQQ
Dan Tentler solved his task with the help of phishing. First, he noticed that Kevin had a blog on Squarespace and sent him a fake official email from this blogging platform. In the email, the supposed Squarespace admins asked users to update an SSL certificate for the sake of “security.” Instead of providing protection, this file gave Tentler access to Kevin’s PC. Dan created several fake popups that asked Roose for specific credentials, and the job was done.
Tentler gained access to Kevin’s banking data, email and online store login credentials, as well as credit card data and social security number. Moreover, Dan acquired photos of Roose and of his screen, which had been taken automatically every two minutes during the 48 hours of the hack.
How to rob a software engineer in one night
In the spring of 2015, software developer Partap Davis lost $3,000. In a few short hours overnight, an unknown hacker got access to his two email accounts, phone number and Twitter account. The culprit cleverly bypassed the two-factor authentication system and cleaned out Partap’s Bitcoin wallets. As you can imagine, Davis had a very unpleasant morning.
It is worth noting that Partap Davis is quite an experienced Internet user: he always chooses reliable passwords and never clicks on malicious links. His email is protected with Google’s two-factor authentication system, so when he logs in from a new computer, he has to type in six digits that are texted to his mobile phone.
Davis kept his savings in three Bitcoin wallets that were protected with another two-factor authentication service, provided by the Authy mobile app. Though Davis used all of these reasonable security measures, they did not save him from targeted hacking.
After the incident, Davis got very angry and spent several weeks trying to find the criminal. He also reached out to editors at The Verge and enlisted them in this quest. Together they managed to find out how the hack was performed.
Davis used the address Patrap@mail.com as his main email. All messages were forwarded to a less memorably named Gmail address (as Patrap@gmail.com was already taken).
For several months, anyone who felt like it could buy a special script on Hackforum that let its owner target a weakness in Mail.com’s password reset page. Apparently, this script was used to bypass two-factor authentication and change Davis’s password.
After that, the hacker requested a new password for Davis’s AT&T account and then asked customer service to forward Davis’s incoming calls to a Long Beach number. The support service received the email confirmation and agreed to give control over the calls to the culprit. With such a powerful tool in hand, it was not so hard to bypass Google’s two-factor authentication and get access to Davis’s Gmail account.
As SMS messages were still sent to Davis’s old phone number, the hacker used Google’s accessibility function for people with poor eyesight. It offered to read the confirmation code out loud over the phone. So Gmail was hacked, and only the Authy app stood between the hacker and his reward.
To overcome this obstacle, the criminal simply reset the app on his phone using a mail.com address and a new confirmation code, again sent by a voice call. With literally every security measure in his hands, the hacker changed the password on one of Davis’s Bitcoin wallets, using Authy and the mail.com address, and transferred all the money out.
The money in the other two accounts remained untouched. One of the services simply does not allow funds to be withdrawn for 48 hours after a password reset. The other asked for a scan of Davis’s driving licence, which the hacker couldn’t get his hands on.
Ominous trolling ruins real lives
As the Fusion newspaper wrote in October 2015, the destruction of the Strater family’s life started with pizza. Several years ago, all the local cafes and restaurants overwhelmed their yard with unbidden pizza, pies and other food of all kinds. Paul and Amy Strater had to apologize and decline the orders.
Soon after, bouquets arrived, accompanied by large quantities of sand and gravel, tow trucks and other unwanted goods and services. These turned out to be only the tip of the iceberg, as the next three years were a real nightmare.
Paul Strater, a senior broadcast engineer at a local TV station, and his wife Amy Strater, a former hospital administrator, were victims of an unknown hacker or a group of hackers who did not get along with their son Blair. Authorities received bomb threats signed with their name. Hackers used Amy’s account to publish an elementary school attack plan. The covering note included the “I Will Shoot Up Your School” headline. The police became frequent guests at their house, which did not improve their relationship with the neighbors, who had to wonder what the heck was going on.
Criminals even managed to hack Tesla Motors’ official account and post a message that encouraged fans to call the Straters and receive a free Tesla car. That was the “on the phone weekend” for the Straters, as Amy and Blair received up to five calls per minute from Tesla admirers who wanted to acquire a car on “promo.” One man even visited the Straters’ house and demanded that the owners open their garage door, as he suspected that his free Tesla was being hidden back there.
Paul tried to break the siege: he changed the passwords for all of his accounts and instructed managers of local restaurants not to deliver anything to their address unless it was prepaid in full. He also contacted the Oswego Police Department and asked them to call ahead to verify that an emergency was real before sending in reinforcements. Somewhere in the course of all these troubles, Paul and Amy’s marriage broke up.
The attacks did not stop. Amy’s social media accounts were hacked and used to publish a series of racist claims. Soon after that she lost her job. She was fired even though she had proactively told her bosses that somebody was continuously turning her life and her family’s life into a nightmare.
In time Amy regained control over her LinkedIn, and managed to delete her Twitter account. But for some time Amy could not find a job in her profession because of this background. She had to work at Uber to make ends meet, but that was not enough and she was at risk of losing her home.
“When you Google her name, you used to see all of her scholarly articles, and the good things she’s done,” her son Blair told Fusion. “Now it’s: hacker, hacker, hacker.”
Some people blame Blair Strater, who moved in various cybercriminal circles and did not make friends in one or several of them. Either way, in the case of the Strater family the parents paid for their son’s “sins,” as they had nothing to do with those hackers at all.
OK, is there any way to stay safe?
These stories show that it’s almost impossible to protect yourself from targeted hacking. So if you have something that you want to hide, don’t let it go online. Fortunately, the majority of people are of no interest to skilled criminals. You and I need protection from those cybercriminals who target the general public. There are a lot of such “specialists” on the Internet, and fortunately, they use simpler methods.
So we recommend the following:
Get to know why phishing works and how to avoid it.
Set up secure and unique passwords for all accounts.
Stop using public Wi-Fi for important operations and find out what’s right and wrong to do online with finances.
Install a decent security solution on all your devices. Yep, your smartphone and tablet also need protection. Of course, we can’t help but recommend our award-winning solution: Kaspersky Internet Security — Multi Device.