I've Been Hacked!

The Curious Codex

2024-08-24 Published, 2024-08-29 Updated

Author: Richard (Senior Partner), GEN UK Blog

Richard has been with the firm since 1992 and was one of the founding partners


A phrase all too often heard today on social media, and in some cases several times in a row from the same person, but how does this happen? And how can you prevent it? These questions are easily answered:

It's your fault, it's always your fault.

Having said that, it's not completely your fault; the reasons are many, but protecting yourself isn't hard, and the first step is knowledge.

Definitions

  • Hacking: The act of gaining unauthorised access to a computer, network, or other system.
  • Hacker: The person hacking.
  • Bad Actor: A generic term for one or more people intent on doing you harm.
  • Attack Vector: The method used to effect a compromise.
  • Compromise: The act of making someone's computer, network, or other system vulnerable to hacking.
  • Phishing: The act of creating a false or misleading email, website, phone call, or other form of communication designed to trick someone into revealing confidential information.
  • Social Engineering: The act of pretending to be someone else with the goal of obtaining confidential information.
  • Malware: A piece of software designed to cause damage, gain unauthorised access, or disrupt a system. This includes remote access tools, trojans and keyloggers.
  • Brute-force: The process of trying every combination of password until one works.
  • Exploit: A piece of software or malware that has been designed to exploit a vulnerability in a computer, network, or operating system.

Attack Vectors (How it's done)

There is a fairly limited set of attack vectors for everyday hacking and compromise, and which one applies depends on the target, so we will look at each target and establish the route, or vector, to compromise.

Email

Compromising your email account is fairly simple, and the routes to this are phishing and malware.

Online Accounts

Anything like YouTube, Facebook, Instagram, Google, Microsoft, etc. These sites are secured using passwords, and obtaining the password is the easiest route to compromise; that's done either via phishing or brute-force.

Your Computer

Gaining remote access to your computer is quite a challenge, but with a little effort it's achievable; the routes to this are phishing and malware.

Your Network

To hack a network (a LAN or WAN) you need to first compromise one or more devices on that network; the routes to this are phishing or exploits.

Server

Hacking a hosted (online) server is fairly simple, and most often the route to compromise is through exploits, but it can occasionally be phishing.

Phishing, Brute-force, and Exploits

Phishing/Social Engineering is the most effective way to break someone's password and takes almost no time to execute. You simply forge an email to someone, tell them their password is due to expire, or someone has accessed their account, or that their mailbox is full, or some other made-up reason, and provide them a link to log in. This link doesn't take them to their email, but to a fake email login page that captures the password, then redirects to the proper page, or gives an error, or tells them it's all ok and not to worry. Whatever the scam, people are fallible, and even though you might say now that you'd never fall for anything so obvious, on a busy day with other things going on, it's easily done.

What would you do if your ISP called you up and asked you to check the label on the back of your router, so they can check you've been sent the correct one? Or so they know if your router will support faster speeds before they offer you a free upgrade? Many people would give them the information. But that wasn't your ISP, and you've just given someone the password to access it remotely.

What would you do if someone arrived at your company from your telephone provider and said they were there to carry out a routine service? You'd ask them to wait, then show them to the room with the equipment. But they aren't from your telephone provider, and they've just installed a device that gives them remote access to your entire network from the car park.

What would you do if your mate Mark sent you an invitation to see his recent post about his holiday? You'd follow the link, log in to the social media platform, and take a look. That email wasn't from Mark, and you've now given someone your social media password, which you probably used more than once.

Hopefully, you're starting to understand what phishing is and how to avoid it. For what it's worth, GEN provides a wide range of training to companies on how to avoid phishing. We tell them and show them, then wait a couple of months, and then send our own phishing emails. In most cases, more than half will succeed. We have to expose people's failures in a group environment in order to achieve the goal. Harsh? Maybe, but in the many years we've been doing this, it's the only way that consistently works.

Brute-force is a method of guessing passwords, and it's done by sending thousands or millions of login attempts to your email server, trying various passwords: common passwords, passwords from leaked lists, likely passwords and eventually just random passwords, until one works. If you're a GEN email customer, then this can't happen because after 8 bad passwords, the IP is blocked. If there are more bad password attempts from other IPs, the account is locked. However, most other email providers don't provide such comprehensive brute-force protection.
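As an added illustration of the policy just described (an example written for this article, not GEN's own code), here is a small Python guard that replays constructed auth log lines and applies the same rules: block an IP after 8 bad passwords, and lock the account when further bad attempts on it arrive from other IPs. The log line format, the addresses, and the reading that the very next bad attempt from any other IP locks the account are assumptions.

```python
import re
from collections import defaultdict

# Policy from the post: after 8 bad passwords the source IP is blocked, and
# further bad attempts on the same account from other IPs lock the account.
# The log format and addresses below are constructed for this example.
IP_FAIL_LIMIT = 8
LINE_RE = re.compile(r"^\S+ auth (?P<result>FAIL|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

class BruteForceGuard:
    """Tracks failed logins and applies the IP-block / account-lock policy."""
    def __init__(self, ip_fail_limit=IP_FAIL_LIMIT):
        self.ip_fail_limit = ip_fail_limit
        self.ip_failures = defaultdict(int)     # bad passwords per source IP
        self.blocked_ips = set()
        self.blocks_by_user = defaultdict(set)  # IPs blocked while hitting a user
        self.locked_users = set()

    def process(self, line):
        """Return the decision taken for one auth log line."""
        m = LINE_RE.match(line)
        if not m:
            return "ignored"
        user, ip, result = m["user"], m["ip"], m["result"]
        if ip in self.blocked_ips:
            return "dropped"    # a blocked IP never reaches the password check
        if user in self.locked_users:
            return "locked"     # locked account: even the right password fails
        if result == "OK":
            self.ip_failures[ip] = 0
            return "ok"
        self.ip_failures[ip] += 1
        if self.blocks_by_user[user]:
            # Account already drew an IP block; a new IP carrying on is the "other IPs" case.
            self.locked_users.add(user)
            return "lock-account"
        if self.ip_failures[ip] >= self.ip_fail_limit:
            self.blocked_ips.add(ip)
            self.blocks_by_user[user].add(ip)
            return "block-ip"
        return "fail"

def replay(lines):
    # Feed log lines through a fresh guard; return (decisions, guard).
    guard = BruteForceGuard()
    return [guard.process(line) for line in lines], guard

# Constructed sample: 9 bad passwords from one IP, one from a second IP, then the owner.
SAMPLE_LOG = [
    f"2024-08-24T10:00:{i:02d}Z auth FAIL user=alice ip=203.0.113.5" for i in range(9)
] + [
    "2024-08-24T10:00:09Z auth FAIL user=alice ip=198.51.100.7",
    "2024-08-24T10:00:10Z auth OK user=alice ip=192.0.2.10",
]
```

Note that the real owner's correct password on the last line is refused because the account is already locked, which is exactly the "sudden unavailability" red flag discussed later in the article.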

An exploit involves leveraging a specific vulnerability in software to cause something adverse to happen, such as gaining access to a router by exploiting a vulnerability in one of its services, or gaining access to a website by exploiting a vulnerability in its software. Such vulnerabilities exist across the board, and in most cases they can be exploited easily.

Data breaches are frequent, and in many cases passwords, or at least their hashes, are included. With a password and an email address, it's easy to start trying that email and password on common websites. If you've used the same password (and you should NEVER use the same password, but people do), then a data breach from some company you used once can be all it takes to lose it all.

Malware is the installation of software that is malicious. Not all malware is destructive in itself, but it's all intended to do something that you generally don't want done. Malware itself can be categorised into:

  • RATs, which provide remote access
  • Trojans, which receive commands from the internet and carry out various tasks, usually against other hosts on the internet
  • Keyloggers, which, as the name suggests, capture keystrokes and upload them to a server somewhere
  • Viruses, which attempt to infect as many computers as possible
  • Ransomware, which encrypts your files and demands a ransom in return for a method to decrypt them
  • Spyware, which lingers and is designed to extract or monitor activity, like email traffic, web usage, etc.
  • Adware, which lingers and periodically interferes with your browser

Malware is installed via three main routes:

  • Self-inflicted, where you go to a website and download something expecting it to be what you want, but actually it's not.
  • Phishing, where you receive an email with some made-up important action, you follow a link and it downloads something.
  • Compromise, where your computer or device is compromised remotely; perhaps you're connected to a coffee shop wifi, and also in the coffee shop is a bad actor who intercepts your DNS requests and forces a malware download.

Whatever the method, the result is the same, compromise.

Amplification and Escalation

Once a bad actor has access to your email account, they can go to any website, hit login, type in your email, hit 'forgot password', and a password reset link is promptly emailed to you. They receive that email because they have access to your account, and quickly delete it so you'll never see it. Now they have access to another website, then another, and another, and so it goes on. This is how an email compromise can quickly escalate into a data breach.

If a bad actor manages to compromise a router, which isn't that hard to be honest, especially with cheap routers, then from that point they have access to your LAN and can easily set up port redirection to map an internet port to a port on your computers, server or devices. From this they can exploit further devices that would otherwise have been out of reach. A border compromise such as this is the most severe kind of compromise simply due to the scope of amplification.

If someone manages to compromise a hosted server, then again amplification is possible, because that server may well contain email addresses, passwords, phone numbers, etc., which can be downloaded and then used in additional phishing to expand the scope of the hack.

Payment Theft

Once malware is installed on your computer, or your server holding card details is compromised, then siphoning off card data is the next step. Some common malware is designed to search your entire system looking for card numbers with associated expiry dates and CVVs and, if found, to upload the file(s) to a bad actor's server. This is probably the most common payment theft vector, and catches out many people. If done correctly, you'd never know your machine was compromised; you would go about your daily business, paying for things online, and every time you do, payment information is harvested and uploaded. Check your card payments often, and report any that you don't recognise.

Payment Redirection

So your email is hacked, and you're not the finance director, so what's the problem? Well, the problem is that once your email is hacked, everyone you've received an email from, or sent an email to, is also now in the hands of a bad actor, and with that they can start emailing 'as you', phishing other companies, contacts and employees to get access to more email accounts. Eventually, someone in the finance team will be hit, and from there, because finance departments email the people who pay the bills, the bad actor can now impersonate the company and instruct customers to pay their bills into another account, providing a nice handy link to make it easier. Any responses can be quickly removed before they are noticed by the real finance department, and that's how it's done. We regularly see this kind of activity when investigating cyber crime.

Extortion

Extortion comes in three main flavours: baseless, based and automated. In baseless extortion, you receive an email telling you that someone has something valuable of yours, maybe video, images, recordings, files, etc., and unless you pay them they will release it somewhere, or email it somewhere. The threats are various, but the theme is consistent: pay us, or we'll do something that will adversely affect you. These are baseless because the bad actor doesn't have any videos or images or recordings or anything else, and in most cases they don't even know your name, but the emails can be threatening, and for a small percentage of users, compelling.

Based extortion is far more serious, because a bad actor has compromised you, your email, your server, your online accounts, etc., and with this access has downloaded personal or company information that has a tangible value, like a list of customers with their purchases, addresses, phone numbers, email addresses, passwords and, dare I say it, credit card numbers. This kind of threat always comes with evidence, just to make sure you're aware it's real. We see this all the time when investigating data breaches, and in the majority of cases we can tie it back to an initial email compromise many months earlier.

A third type of extortion is an automated one known as ransomware, where malware encrypts files and a key is required to decrypt them, which is only attainable after paying a 'ransom', hence the name. In almost all cases the means to decrypt the files is available, and we are able to restore all the data safely.

In any of these cases, obviously, don't pay, ever. These bad actors do what they do because some people do pay, and it just fuels the fire, and in the cases where we're only contracted post-payment, we often find the stolen data still available for sale on the web. They are criminals; trust them not.

So, when you have a baseless extortion threat, ignore it, delete it and move on with your day, but if you have a based or automated extortion, contact a cybersecurity provider immediately, and they will do a number of things:

  • Identify the source of the breach: how did they obtain said information
  • Seal and secure the breach, preventing any more leakage or damage
  • Assess the value of the information breached, and its collateral value
  • Assess how much of the information can be recovered or restored, in the case of ransomware
  • Tell you not to pay anyone, ever

With this information, you can begin damage limitation and take steps to inform customers, colleagues, and clients of the situation, asking them to change passwords etc., which is the right thing to do.

Protection

Protecting yourself from compromise is not a single simple action. Many websites will just say "Use 2FA" or "Strong Passwords", but that's not really going to cut it, and you need to be more comprehensive in the scope of your protective action.

Email

Get a 'proper' email account from a proper email provider: not Gmail, Hotmail, Outlook, or any other 'free' account, and not 'O365' or 'G Suite/Google Workspace' or any other mass-market provider that gives you the bare minimum. A proper email account comes with features, protections and support. Pick a provider who supports encryption and encourages its use, is based in the UK (or wherever you are), has adaptive firewalls, and has 24/7 human support (not a worthless chatbot).

Passwords

Yes, ok, use 2FA where you can, and don't use Google Authenticator or an app: get a couple of YubiKeys and use those to protect your accounts. I know it's a pain, but you soon get used to it, and it kills brute-force and password attacks.

Get Bitwarden (or another good password manager, but not one that's had its own data breach, like LastPass), set it up and use it to (a) generate unique strong passwords for all your accounts, and (b) store those passwords and sync them to all your devices. USE A REALLY STRONG MASTER PASSWORD, AT LEAST 20 CHARACTERS WITH UPPER, LOWER, NUMBERS AND SYMBOLS.

Get rid of any website that only wants to email you a link to log in; those are weak, and you don't need them, since any email compromise gives complete access there without even having to go through a password reset.

Border

Don't use cheap Chinese routers and gateways; use a proper ISP who provides proper equipment, and by that I mean, if the router they supply can be purchased for less than £200 then find another ISP. Yes, it's more expensive, but the router in most cases is the only thing keeping an entire state's worth of bad actors away from your network.

Servers

Properly manage your server: ensure all updates are applied, and understand CVEs and how they may impact your setup. If you're using cloud servers, use a proper provider that offers an adaptive firewall, and not a cheap one.

Computers

If you're using Windows, it's a major target, so always keep it up to date no matter how annoying it is to be doing it all the time, and use some strong endpoint protection like WebRoot, TrendMicro, etc.

If you're using macOS or Linux, then the risk is much lower, but still keep them up to date and consider periodic AV scans just in case.

Worth Mentioning

If your email account suddenly becomes unavailable, this is a red flag, and with a proper email provider you should contact them right away. They'll be able to tell you if the password has been changed and how long ago. In most cases it will be some sort of email protection; maybe you've got an old tablet with an incorrect password that you've recently turned on and it's blocked your IP, but check anyway. A good provider will be able to reset the password again and provide it securely, and at the same time block any suspect IPs manually.

Never mess with the settings in your router, even if you 'think' you know what you're doing. Most premium routers have firewalls that need to be set up correctly to be effective, and don't just magically work. If you poke holes in the firewall using port redirection or port triggering, then you're exposing yourself to risk, and whatever you've port-forwarded to is also at risk. With a proper ISP, ask them to make the changes for you, and they'll ask you a series of questions before making the change to ensure the maximum protection is in place.

Trust no one, or at least no one that emails you or instant messages you; treat them all as potential bad actors and think carefully before following any links.

Outsourcing

Consider outsourcing your protection to a provider, who will take care of your servers and computers, run audits for you, check for CVEs, handle updates and upgrades, and analyse audit trails. It's not as expensive as you might imagine, with a small business paying only double digits a month for such a service, and the hassle it will save is substantial. Remember, if you are a small business, GEN are still (at the time of authoring) providing First-Hour-Free (FHF) on cybersecurity, so check that out, risk and cost free.


Comments (4)

Aaron D · 2024-10-09 16:18 UTC
WTF Ken Angular

Did you try and spam the comments and have some spammy link removed?

Ken Aguilar · 2024-09-30 12:31 UTC
Judging based on your blog, it seems to me you are related to Technical Support Outsourcers which are one of the Hackers targets.

You can read more about how Support Outsourcers Can Be a Breeding Ground for Hackers through this blog


Jason Sharland · 2024-09-06 11:49 UTC
So many people fall for this sort of crap and it's just lack of education. Thanks for the free handout - will defo use that in the training.

Ziggy A · 2024-08-24 15:46 UTC
Right, so it's my fault, is it? Probably so, but this was a good read and I think it's going to help prevent me from making the same mistakes twice. I did find the grammar quite hard in some places though, just the tech stuff.
