5 Questions Hackers Ask Before Their Attack

We all have read the memos: “Beware of Phishing attacks, follow these tips to stay safe …”

  1. Look out for misspellings and bad grammar.
  2. Beware of generic, non-personalized titles.
  3. Do not open attachments from people you do not know.

While these are good tips for general email safekeeping, they are largely ineffective. Why? Because the most critical attacks won’t appear to be from a stranger. They won’t be non-personalized or contain misspellings. The most dangerous attacks are specifically targeted at an individual or individuals within a company.

These attacks are crafted after tons of research on the intended victim. The attackers are sneaky, highly personal, smart – and have very good English. And once successful, obtaining a single wire transfer or personal social media account won’t cut it. They use phishing to infiltrate the digital heartbeat of a company – leaving it open to malware, ransomware, and data theft. Phishing is the starting point for a staggering 91% of cyber attacks.

To set up these malicious emails, the hackers must find pertinent information to legitimize the attack.

Below are a few questions a hacker might ask, and where he or she would look for answers.

 

1. Who works together in the company?

Hackers want to “build trust” with their victims, so an email from a stranger often won’t cut it. However, an email appearing to be from a colleague’s personal email that was “sent from iPhone,” or from a company’s IT department, might be enough. Even better, a spoofed email that appears to come from a colleague’s company address is effective.

Found on: LinkedIn, Company Website 

 

2. Which colleagues are located in separate parts of the country/world?

Because of the internet, people can collaborate while being many miles apart. This means a hacker can be communicating with their target’s colleague without the heist being blown by an in-person discussion. This can also prove effective because of work-hours and time-zone differences.

Found on: LinkedIn, Company Website

 

3. What are the current company objectives?

Company objectives are important to identify so that a hacker can build a story around their attack. Like a salesperson, they will recognize the pains that individuals face while customizing and personalizing the messaging to make the victim feel absolutely comfortable moving forward.

Found on: Press Releases, White-papers, Job Postings, Company Website

 

4. What is some relevant and recent industry news?

Like understanding the company objectives, the hacker needs to have good knowledge of the industry they are targeting – especially when deploying a multilayer attack. Without deep authenticity, the attack can fall into the realm of an obvious red flag.

Found on: Blog Articles, Twitter, Facebook, Google Alerts

 

5. What type of software does the company use?

This is important for the hacker so they know what data can be compromised. Does your team use cloud computing applications like Salesforce, for example? Bad guys would love to have those credentials. Even without a cloud-based service, obtaining certain login credentials can help create a point of entry for a greater intrusion.

Found on: Job Postings, Company Website

 

To stay safe, remain mindful of what information is out on the web. Check emails and URLs thoroughly, and always be sure to report things that seem “phishy.”
Understanding how a hacker performs his tricks helps keep the would-be victim from falling for them. At Core Orange, our training strategy teaches people the tricks the bad guys use so they have a full understanding of how to prevent them.

I’m not a hacker – But if I were to hack you.

Let me start off by mentioning, I’m not a hacker. The extent of my knowledge in coding is having a general understanding of HTML (which is helpful). But other than that, I’m just slightly above average “technically” speaking. But even I, an “average-ish” Joe, can tap into the digital heartbeat of both business and personal data by using social engineering techniques to target the man behind the machine. And while plenty of organizations and individuals are taking steps to become more vigilant of attacks, so many aren’t doing enough. I’m not a hacker, but if I were to hack you, this is how I would do it.

 

Step 1. Phishing Email

Sending an email claiming to represent somebody else is nothing new. I think we all have become immune to emails from your Nigerian relative. However, what if you received an email from your boss’s wife, or the technical team claiming that “suspicious activity has been detected” and your password needs to be confirmed? Of course the email would be flowered up and nicely written. For example, something like…

<First Name> <Last Name>,

Good morning,

This is Carter Brown from <Your Company Here> technical security team. We are investigating an irregular access of your account. Please take a look at the log below and indicate if you were attempting to log-in. If so, no action is required. If the log-in attempt was not made by you, use the link below to reset your credentials immediately.

http://yourcompany_com.co/passwordreset

User: <Last Name, First Name>

Date: 06/17/17 08:16 GMT

Location: Mexico City, Mexico

Operating System: Windows XP

IP Address: 123.45.678.910

 

Step 2. Link Manipulation

Within email clients, a user can hyperlink everything. You can see a link that reads “http://www.paypal.com/accountrecovery.” However, when you open it up, it takes you to a totally different (oftentimes similar-looking) link. This link manipulation technique is very easy, and anybody can do it.

Step 3. Page Spoofing

Remember when I said I have a general understanding of HTML? Well, I can make it so that when a user accesses a page, it looks identical (if not almost identical) to the page the user is used to seeing. And I would manipulate the login process so that it works the same way.

Step 4. Data Gathering

So again, with my basic HTML knowledge, creating a form on the same spoofed website is easy. The form filled out will give me your username and password; and that’s it! 

How do you stop it?

These tricks aren’t difficult to implement, but they are very effective at compromising data, costing valuable resources and tarnishing a company’s reputation. At Core Orange, we want to show how much smarter your people are than the bad guys with our unique approach to Cyber Security Awareness Training.

 

Stay Safe,

Cabral Clements

Marketing Lead; Core Orange Technology