Let's say I am a cybercriminal or black hat hacker (the idea of me being a black hat is humorous; it would be a stretch for me to even be a grey hat, but let's go with the story) and I am starting my week by considering my latest target to loot. After a bit of a search on Google, I decide to attack a mid-sized enterprise in Australia. I look up the company's sites and do a quick reconnaissance of what they have as publicly facing infrastructure. They have the usual: websites, a customer portal login, a contractor portal login, a remote access server for staff, email servers and enough ports open to internal systems to give me several options for attack.
I decide to investigate further and look up all the company's staff on social media to determine who would make good targets and to collect information that could be useful in guessing a user's account name or password. I could start with pets' names, children or loved ones, and work out which targets would give me good system access if I guessed the correct combination. Some people really do make it easy for us to get in. Now please listen to me, if only this once: DO NOT use a pet's name or a family member's or loved one's name combined with your or their birthdate. This is the easiest information to find on Facebook or LinkedIn.
Before it is time to move on to the actual attack stage, I look at all the recent ICT-related job advertisements you have posted. In many cases these tell me what server platform you use, your firewall, your application suite and any protections you have, because you ask applicants to have those skills. So I know which vulnerabilities to narrow it down to during my attack (thanks for saving me days of footprinting your systems).
There would be a few more steps, like scraping DNS and so on, to make sure I have as much information as I want before taking a deeper look at your systems, but let's say I am ready to take things to the next level. You and your organisation have absolutely no idea I have been researching your systems, and to be honest there is no real way you could know, as I (the malicious actor/cybercriminal) haven't actually touched your systems: no active scans that would alert you that someone was poking around, just normal everyday traffic that would look nothing unusual. However, I know who the primary targets are, their email addresses, family members, pets and birthdates, and if I have made some real effort in my information gathering I will know the staff's general habits: when you are online, what information you normally share and who the weak link in the chain is. Those are my primary targets.
At this point I have two main paths. The first is to attack your systems the good old-fashioned way: scan your systems, find holes in your armour, or pull the gathered information together to generate passwords you may use. In many cases you could just guess them from what can be found on your Facebook page. People truly share too much on social media, and an attack can be based entirely on information found there; it could even help me find a good time to attack (you have just posted that you are on holiday for three weeks, so you won't notice that I am poking around in your things. It's unlikely the IT team would notice either, as many IT departments are stretched so thin that they don't know who is out of the office and shouldn't be logging in. We can't really blame them; it's just how things are these days).
This direct method would be risky and could get me caught before I even get started, so option two is a much better option. Social engineering is one of the most used methods of gaining access to a desired system. I could go down the phishing path and have you click on a link to update your password, or log in to fix the storage space issue on your mailbox or your user profile. I could even ask you to log in to your Apple or Google account to verify your details because a suspicious login has taken place (not yet anyway; that will happen after you give me access without even realising it). In this instance you will see all the normal screens and won't even know I have done anything.
Or how about I call you saying I am from your IT support helpdesk or external provider and I need you to reset your password now (then tell me what it is so I can test it 😊). Thanks for holding the door open for me to walk right in. So I am now into your systems by one of those options and I can move around while you are on leave. I would then gather any information that would be useful to me or that I could sell on the dark web to someone who could have a bit more fun with your details (maybe even use your current passwords to log in to your other accounts, as you probably use the same one for everything. I really hope you don't, but I am sure there would be at least one of you).
I would now cover my tracks so that you would not even know I had been in your systems (many companies never know they have been hacked until it is too late). How would you know I had been there? No logs to indicate it, no missing information, not even a whisper that something was wrong. The only way you find out you have suffered a breach is when information used in another attack or financial fraud is linked back to your company, or a data dump is found for sale on the dark web by the authorities, or worse, you arrive at the office one day and the entire system is encrypted by ransomware.
I would do this if I thought it was my best bet to make money from your organisation. Many organisations do pay, and the price is great for me, in the range of $2k-200k depending on your business, how valuable I think you will consider your information to be, and the consequences if you can't get it back. If you pay I would be super helpful; if not, you would never get the information back.
So, what is my point? Practise safe internet usage, don't use the same password in multiple places, and don't use your pets or loved ones as part of your passwords. Use a catchphrase that is long, and forget all the letter, number and symbol combinations we have preached for years. A long, simple passphrase would take so long to crack that it would not be worth my effort to get in, and when I finally did it wouldn't matter anyway, as you would probably have changed jobs or retired (that's how long it would take me to crack it).
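To make the two password rules above concrete, here is an added example (not from the original post): a small Python checker that rejects any password containing tokens harvestable from social media and estimates how long a full key-space search would take. The token list, the guess rates and the 60-bit policy threshold are constructed assumptions for illustration.

```python
import math
import re

# Constructed sample of tokens an attacker could harvest from a target's social
# media, as the post warns: pet names, family names, a birth year. Hypothetical.
PERSONAL_TOKENS = ["rex", "fluffy", "emma", "smith", "1984"]

# Assumed guess rates, not measurements: a throttled login form versus an
# offline attack on leaked password hashes.
ONLINE_GUESSES_PER_SEC = 100
OFFLINE_GUESSES_PER_SEC = 1e10
MIN_BITS = 60  # policy threshold chosen for this example

def personal_tokens_in(password, tokens=PERSONAL_TOKENS):
    """Return the harvested tokens that appear anywhere in the password."""
    low = password.lower()
    return [t for t in tokens if t.lower() in low]

def charset_size(password):
    """Size of the conventional character classes the password draws from."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return size

def entropy_bits(password):
    """Key-space size in bits. A multi-word passphrase is scored as words drawn
    from a 7776-word (diceware-size) list, the conservative model: scoring it
    character by character would overstate its strength."""
    if not password:
        return 0.0
    words = password.split()
    if len(words) >= 3 and all(w.isalpha() for w in words):
        return len(words) * math.log2(7776)
    return len(password) * math.log2(charset_size(password))

def years_to_search(bits, guesses_per_sec):
    """Years needed to try the whole key space at the given guess rate."""
    return 2 ** bits / guesses_per_sec / (365 * 24 * 3600)

def assess(password):
    """Apply both rules: no harvestable tokens, and enough key space."""
    found = personal_tokens_in(password)
    if found:
        return {"ok": False, "bits": 0.0, "reason": f"contains harvestable tokens {found}"}
    bits = entropy_bits(password)
    return {"ok": bits >= MIN_BITS, "bits": round(bits, 1),
            "online_years": years_to_search(bits, ONLINE_GUESSES_PER_SEC),
            "offline_years": years_to_search(bits, OFFLINE_GUESSES_PER_SEC)}
```

Running `assess` on a pet-name password, an eight-character "complex" password and a six-word passphrase shows the post's point: the first is rejected outright, the second falls in under a year offline, and the passphrase is out of reach.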
Don't put all of your information on social media; some things should always be confidential, so use some self-control and don't overshare. Minimise the specifics you put in job adverts (don't make my job as a criminal too easy), and honestly just consider emails or phone calls when you receive them; don't just trust that something is legitimate, as these days they are more likely to be a scam than real.
Okay, so a final note: I am not really a malicious cybercriminal. I am one of the good guys (or at least I try to be) out there trying to help you all protect your systems from the real bad guys and girls who definitely don't have your best interests at heart. Do yourself a favour and practise good security; it will be a better result for all of us except that cybercriminal. No new Ferrari for them this month.