I’m not a hacker – But if I were to hack you.

Let me start off by mentioning, I’m not a hacker. The extent of my knowledge in coding is having a general understanding of HTML (which is helpful). But other than that, I’m just slightly above average, “technically” speaking. But even I, an “average-ish” Joe, can tap into the digital heartbeat of both business and personal data by using social engineering techniques to target the man behind the machine. And while plenty of organizations and individuals are taking steps to become more vigilant against attacks, so many aren’t doing enough. I’m not a hacker, but if I were to hack you, this is how I would do it.

 

Step 1. Phishing Email

Sending an email claiming to represent somebody else is nothing new. I think we have all become immune to emails from our Nigerian relative. However, what if you received an email from your boss’s wife, or from the technical team claiming that “suspicious activity has been detected” and your password needs to be confirmed? Of course, the email would be flowered up and nicely written. For example, something like…

<First Name> <Last Name>,

Good morning,

This is Carter Brown from <Your Company Here> technical security team. We are investigating an irregular access of your account. Please take a look at the log below and indicate if you were attempting to log-in. If so, no action is required. If the log-in attempt was not made by you, use the link below to reset your credentials immediately.

http://yourcompany_com.co/passwordreset

User: <Last Name, First Name>

Date: 06/17/17 08:16 GMT

Location: Mexico City, Mexico

Operating System: Windows XP

IP Address: 123.45.678.910

 

Step 2. Link Manipulation

Within email clients, a user can hyperlink anything. You can see a link that reads “http://www.paypal.com/accountrecovery.” However, when you open it, it takes you to a totally different (oftentimes similar-looking) link. This link manipulation technique is very easy, and anybody can do it.

Step 3. Page Spoofing

Remember when I said I have a general understanding of HTML? Well, I can make it so that when a user accesses a page, it looks identical (or nearly identical) to the page the user is used to seeing. And I would manipulate the login process so that it works the same way.

Step 4. Data Gathering

So again, with my basic HTML knowledge, creating a form on the same spoofed website is easy. The filled-out form will give me your username and password, and that’s it!

How do you stop it?

These tricks aren’t difficult to implement, but they are very effective at compromising data, costing valuable resources and tarnishing a company’s reputation. At Core Orange, we want to show how much smarter your people are than the bad guys with our unique approach to Cyber Security Awareness Training.

 

Stay Safe,

Cabral Clements

Marketing Lead; Core Orange Technology