Richard has been with the firm since 1992 and was one of the founding partners
I've Been Hacked!
A phrase all too often heard today on social media, in some cases several times in a row, but how does this happen? And how can you prevent it? These questions are easily answered:
It's your fault. It's always your fault.
Having said that, it's not completely your fault, and actually the reasons are many, but protecting yourself isn't hard, and the first step is knowledge.
Definitions
Hacking: The act of gaining unauthorised access to a computer, network, or other system.
Hacker: The person hacking.
Bad Actor: A generic term for one or more people intent on doing you harm.
Attack Vector: The method used to effect a compromise.
Compromise: The act of making someone's computer, network, or other system vulnerable to hacking.
Phishing: The act of creating a false or misleading email, website, phone call, or other form of communication
designed to trick someone into revealing confidential information.
Social Engineering: The act of pretending to be someone else with the goal of obtaining confidential
information.
Malware: A piece of software designed to cause damage, gain unauthorised access, or disrupt a system. This includes remote access tools, trojans and keyloggers.
Brute-force: The process of trying every possible password until one works.
Exploit: A piece of software or malware that has been designed to exploit a vulnerability in a computer, network, or operating system.
Attack Vectors (How it's done)
There is a fairly limited set of attack vectors for everyday hacking and compromise, and which ones apply depends on the target, so we will look at each target and establish the route, or vector, to compromise.
Email
Compromising your email account is fairly simple, and the routes to this are phishing and malware.
Online Accounts
Anything like YouTube, Facebook, Instagram, Google, Microsoft, etc. These sites are secured using passwords, and obtaining the password is the easiest route to compromise; that's done either via phishing or brute-force.
Your Computer
Gaining remote access to your computer is quite a challenge, but with a little effort it's achievable, and the routes to this are phishing and malware.
Your Network
To hack a network (a LAN or WAN) you need first to compromise one or more devices on that network, and the route to this is phishing or exploits.
Server
To hack a hosted server (online) is fairly simple, and most often the route to compromise is through exploits, but it can occasionally be phishing.
Phishing, Brute-force, and Exploits
Phishing/social engineering is the most effective way to obtain someone's password, and it takes almost no time to execute. You simply forge an email to someone telling them their password is due to expire, or that someone has accessed their account, or that their mailbox is full, or some other made-up reason, and provide them a link to log in. This link doesn't take them to their email but to a fake email login page that captures the password, then redirects to the proper page, or gives an error, or tells them it's all OK and not to worry.
Whatever the scam, people are fallible, and even though you might say now that you'd never fall for anything so
obvious, on a busy day with other things going on, it's easily done.
What would you do if your ISP called you up and asked you to check the label on the back of your router, so they can check you've been sent the correct one? Or so they know whether your router will support faster speeds before they offer you a free upgrade? Many people would give them the information. But that wasn't your ISP, and you've just given someone the password to access it remotely.
What would you do if someone arrived at your company from your telephone provider and said they were there to carry out a routine service? You'd ask them to wait, then show them to the room with the equipment. But they aren't from your telephone provider, and they've just installed a device that gives them remote access to your entire network from the car park.
What would you do if your mate Mark sent you an invitation to see his recent post about his holiday? You'd follow the link, log in to the social media platform, and take a look. That email wasn't from Mark, and you've now given someone your social media password, which you probably used more than once.
Hopefully, you're starting to understand what phishing is and how to avoid it. For what it's worth, GEN provides a wide range of training to companies on how to avoid phishing. We tell them and show them, then wait a couple of months, and then send our own phishing emails. In most cases, more than half will succeed. We have to expose people's failures in a group environment in order to achieve the goal. Harsh? Maybe, but in the many years we've been doing this, it's the only way that consistently works.
Brute-force is a method of guessing passwords, and it's done by sending thousands or millions of login attempts to your email server, trying various passwords: common passwords, passwords from lists, likely passwords and eventually just random passwords, until one works. If you're a GEN email customer, then this can't happen, because after 8 bad passwords the IP is blocked, and if there are more bad password attempts from other IPs, the account is locked. However, most other email providers don't provide such comprehensive brute-force protection.
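The lockout scheme just described, as an added illustration rather than GEN's own code: a small Python model that blocks an address after 8 bad passwords and locks the account when a further bad password then arrives from a different address. The refusal of blocked/locked logins even with the right password, and the sample addresses and account names, are assumptions made here, not taken from the text.

```python
"""Model of the failed-login throttling described above (added example).

Rules: 8 bad passwords from one IP -> that IP is blocked; a further bad
password for the same account from a *different* IP -> the account is locked.
Assumed here: blocked IPs and locked accounts are refused outright, even with
the right password, and nothing clears that state automatically.
"""
from collections import defaultdict

IP_FAIL_LIMIT = 8  # bad passwords per IP before the IP is blocked (from the text)
ALLOW, DENY, BLOCK_IP, LOCK_ACCOUNT = "allow", "deny", "block-ip", "lock-account"


class LoginGuard:
    def __init__(self, ip_fail_limit=IP_FAIL_LIMIT):
        self.ip_fail_limit = ip_fail_limit
        self.fails_by_ip = defaultdict(int)          # ip -> bad-password count
        self.blocked_ips = set()
        self.blocked_for_account = defaultdict(set)  # account -> IPs blocked while hitting it
        self.locked_accounts = set()

    def attempt(self, ip, account, password_ok):
        """Record one login attempt and return the decision taken for it."""
        if ip in self.blocked_ips or account in self.locked_accounts:
            return DENY  # refused before the password is even considered
        if password_ok:
            return ALLOW
        self.fails_by_ip[ip] += 1
        if self.fails_by_ip[ip] >= self.ip_fail_limit:
            self.blocked_ips.add(ip)
            self.blocked_for_account[account].add(ip)
            return BLOCK_IP
        # A bad password from another address once one address has already
        # been blocked for this account is the distributed pattern: lock it.
        if self.blocked_for_account[account] - {ip}:
            self.locked_accounts.add(account)
            return LOCK_ACCOUNT
        return DENY


def replay(events):
    """Feed (ip, account, password_ok) tuples through one guard, in order."""
    guard = LoginGuard()
    return [guard.attempt(ip, account, ok) for ip, account, ok in events]


# Constructed sample (RFC 5737 documentation addresses): a guessing run against
# "alice", a follow-up from a second address, then alice's own correct login.
SAMPLE_EVENTS = ([("203.0.113.5", "alice", False)] * 9
                 + [("198.51.100.7", "alice", False),
                    ("192.0.2.10", "alice", True), ("192.0.2.10", "bob", True)])

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", decision)
```

Note that once the account is locked, alice's own correct login from her usual address is refused too, which is exactly the "email account suddenly becomes unavailable" red flag the page raises later.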
An exploit involves leveraging a specific vulnerability in software to cause something adverse to happen, such as gaining access to a router by exploiting a vulnerability in one of its services, or gaining access to a website by exploiting a vulnerability in its software. Vulnerabilities exist across the board, and in most cases they can be exploited easily.
Data breaches: there are many, and in many cases passwords, or at least their hashes, are included. With a password and an email address, it's easy to start trying that email and password on common websites. If you've used the same password (and you should NEVER use the same password, but people do), then a data breach at some company you used once can be all it takes to lose it all.
Malware is the installation of software that is malicious. Not all malware is destructive, but it's all intended to do something that you generally don't want done. Malware itself can be categorised into:
RATs, which provide remote access
Trojans, which receive commands from the internet and carry out various tasks, usually against other hosts on the internet
Keyloggers, which, as the name suggests, capture keystrokes and upload them to a server somewhere
Viruses, which attempt to infect as many computers as possible
Ransomware, which encrypts your files and demands a ransom to give you a method to decrypt them
Spyware, which lingers and is designed to extract or monitor activity, like email traffic, web usage, etc.
Adware, which lingers and periodically interferes with your browser
Malware is installed via three main routes:
Self-inflicted, where you go to a website and download something expecting it to be what you want, but actually it's not.
Phishing, where you receive an email about some made-up important action, you follow a link, and it downloads something.
Compromise, where your computer or device is compromised remotely; perhaps you're connected to a coffee shop Wi-Fi, and also in the coffee shop is a bad actor who intercepts your DNS requests and forces a malware download.
Whatever the method, the result is the same: compromise.
Amplification and Escalation
Once a bad actor has access to your email account, they can go to any website, hit login, bang in your email, hit 'forgot password', and a password reset link is promptly emailed to you. They receive that email because they have access to your account, and quickly delete it so you'll never see it. Now they have access to another website, then another, and another, and so it goes on. This way an email compromise can quickly escalate into a data breach.
If a bad actor manages to compromise a router, which isn't that hard to be honest, especially with cheap routers, then from that point they have access to your LAN, and can easily set up port redirection to map an internet port to a port on your computers, server or devices. From this they can exploit further devices that would otherwise have been out of reach. A border compromise such as this is the most severe kind of compromise, simply due to the scope of amplification.
If someone manages to compromise a hosted server, then again amplification is possible, because that server may well contain email addresses, passwords, phone numbers, etc., which can be downloaded and then used in additional phishing to expand the scope of the hack.
Payment Theft
Once malware is installed on your computer, or your server holding card details is compromised, then siphoning off card data is the next step. Some common malware is designed to search your entire system looking for card numbers and associated expiry/CVV details and, if found, to upload the file(s) to a bad actor's server. This is probably the most common payment theft vector, and it catches out many people.
If done correctly, you'd never know your machine was compromised; you would go about your daily business, paying for things online, and every time you do, payment information is harvested and uploaded. Check your card payments often, and report any that you don't recognise.
Payment Redirection
So your email is hacked, and you're not the finance director, so what's the problem? Well, the problem is that once your email is hacked, everyone you've received an email from, or sent an email to, is also now in the hands of a bad actor, and with that they can start emailing 'as you', phishing other companies, contacts and employees to get access to more email accounts. Eventually, someone in the finance team will be hit, and from there, because finance departments email the people who pay the bills, the bad actor can now impersonate the company and instruct customers to pay their bills into another account, providing a nice handy link to make it easier. Any responses can be quickly removed before they are noticed by the real finance department, and that's how it's done. We regularly see this kind of activity when investigating cyber crime.
Extortion
Extortion comes in three main flavours: baseless, based and automated. In baseless extortion, you receive an email telling you that someone has something valuable, maybe video, images, recordings, files, etc., and unless you pay them they will release them somewhere, or email them somewhere. The threats vary, but the theme is consistent: pay us, or we'll do something that will adversely affect you. These are baseless because the bad actor doesn't have any videos or images or recordings or anything else, and in most cases they don't even know your name, but the emails can be threatening and, for a small percentage of users, compelling.
Based extortion is far more serious, because a bad actor has compromised you, your email, your server, your online accounts, etc., and with this access has downloaded personal or company information that has a tangible value, like a list of customers with their purchases, addresses, phone numbers, email addresses, passwords and, dare I say it, credit card numbers. This kind of threat always comes with evidence, just to make sure you're aware it's real. We see this all the time when investigating data breaches, and in the majority of cases we can tie it back to an initial email compromise many months earlier.
A third type of extortion is an automated one known as ransomware, where malware encrypts files and a key is required to decrypt them, which is only attainable after paying a 'ransom', hence the name. In almost all cases the means to decrypt the files is available, and we are able to restore all the data safely.
In any of these cases, obviously, don't pay, ever. These bad actors do what they do because some people do pay, and it just fuels the fire; and in the cases where we're only contracted post-payment, we often find the stolen data still available for sale on the web. They are criminals; trust them not.
So, when you have a baseless extortion threat, ignore it, delete it and move on with your day, but if you have a based or automated extortion, contact a cybersecurity provider immediately, and they will do a number of things:
Identify the source of the breach: how did they obtain said information?
Seal and secure the breach, preventing any more leakage or damage
Assess the value of the information breached, and its collateral value
Assess how much of the information can be recovered or restored, in the case of ransomware
Tell you not to pay anyone, ever
With this information, you can begin damage limitation and take steps to inform customers, colleagues, and clients of the situation, asking them to change passwords, etc., which is the right thing to do.
Protection
Protecting yourself from compromise is not a simple action. Many websites will just say "Use 2FA" or "Strong passwords", but that's not really going to cut it, and you need to be more comprehensive in the scope of your protective action.
Email
Get a 'proper' email account from a proper email provider: not Gmail, Hotmail, Outlook, or any other 'free' account, and not 'O365' or 'G Suite/Google Workspace' or any other mass-market provider that gives you the bare minimum. A proper email account comes with features, protections and support. Pick a provider who supports encryption and encourages its use, is based in the UK (or wherever you are), has adaptive firewalls, and has 24/7 human support (not a worthless chatbot).
Passwords
Yes, OK, use 2FA where you can, but don't use Google Authenticator or an app; get a couple of YubiKeys and use those to protect your accounts. I know it's a pain, but you soon get used to it, and it kills brute-force and password attacks.
Get Bitwarden (or another good password manager, but not one that's had its own data breach, like LastPass), set it up and use it to (a) generate unique strong passwords for all your accounts, and (b) store those passwords and sync them to all your devices. USE A REALLY STRONG MASTER PASSWORD, AT LEAST 20 CHARACTERS WITH UPPER, LOWER, NUMBERS AND SYMBOLS.
Get rid of any website that only wants to email you to log in; those are weak, and you don't need them, since any email compromise gives complete access here without even having to go through a password reset.
Border
Don't use cheap Chinese routers and gateways; use a proper ISP who provides proper equipment, and by that I mean, if the router they supply can be purchased for less than £200, then find another ISP. Yes, it's more expensive, but the router is in most cases the only thing keeping an entire state's worth of bad actors away from your network.
Servers
Properly manage your server: ensure all updates are applied, and understand CVEs and how they may impact your setup.
If you're using cloud servers, use a proper provider that offers an adaptive firewall and not a cheap one.
Computers
If you're using Windows, it's a major target, so always keep it up to date, no matter how annoying it is to be doing it all the time, and use some strong endpoint protection like Webroot, Trend Micro, etc.
If you're using macOS or Linux, then the risk is much lower, but still keep them up to date and consider periodic AV scans just in case.
Worth Mentioning
If your email account suddenly becomes unavailable, this is a red flag, and with a proper email provider you should contact them right away. They'll be able to tell you if the password has been changed and how long ago. In most cases it will be some sort of email protection: maybe you've got an old tablet with an incorrect password that you've recently turned on, and it's blocked your IP, but check anyway. A good provider will be able to reset the password again and provide it securely, and at the same time block any suspect IPs manually.
Never mess with the settings in your router, even if you 'think' you know what you're doing. Most premium routers have firewalls that need to be set up correctly to be effective, and don't just magically work. If you poke holes in the firewall using port redirection or port triggering, then you're exposing yourself to risk, and whatever you've port-forwarded to is also at risk. With a proper ISP, ask them to make the changes for you, and they'll ask you a series of questions before making the change to ensure the maximum protection is in place.
Trust no one; well, at least no one that emails you or instant messages you. Treat them all as potential bad actors and think carefully before following any links.
Outsourcing
Consider outsourcing your protection to a provider, who will take care of your servers and computers, run audits for you, check for CVEs, handle updates and upgrades, and analyse audit trails. It's not as expensive as you might imagine, with a small business paying only double digits a month for such a service, and the hassle it will save is substantial. Remember, if you are a small business, GEN are still (at the time of authoring) providing First-Hour-Free (FHF) on cybersecurity, so check that out, risk- and cost-free.
Comments (4)
Aaron D
· 2024-10-09 16:18 UTC
WTF Ken Angular
Did you try and spam the comments and have some spammy link removed?
Ken Aguilar
· 2024-09-30 12:31 UTC
Judging based on your blog, it seems to me you are related to Technical Support Outsourcers, which are one of the hackers' targets.
You can read more about how Support Outsourcers can be a breeding ground for hackers through this blog
Jason Sharland
· 2024-09-06 11:49 UTC
So many people fall for this sort of crap, and it's just a lack of education. Thanks for the free handout - will defo use that in the training.
Ziggy A
· 2024-08-24 15:46 UTC
Right, so it's my fault, is it? Probably so, but this was a good read and I think it's going to help prevent me from making the same mistakes twice. I did find the grammar quite hard in some places though, just the tech stuff.
--- This content is not legal or financial advice & Solely the opinions of the author ---