Let me start off by mentioning, I’m not a hacker. The extent of my knowledge in coding is having a general understanding of HTML (which is helpful). But other than that, I’m just slightly above average “technically” speaking. But even me, an “average-ish” Joe can tap into the digital heartbeat of both business and personal data by using social engineering techniques to target the man behind the machine. And while plenty of organizations and individuals are taking steps to become more vigilant of attacks, so many aren’t doing enough. I’m not a hacker, but if I were to hack you, this is how I would it.
Step 1. Phishing Email
Sending an email claiming to represent somebody else is nothing new. I think we all have become immune to emails from your Nigerian relative. However, what if you received an email from your boss’s wife, or the technical team claiming that “suspicious activity has been detected” and your password needs to be confirmed. Of course the email would be flowered up and nicely written. For example something like…
<First Name> <Last Name>,
This is Carter Brown from <Your Company Here> technical security team. We are investigating an irregular access of your account. Please take a look at the log below and indicate if you were attempting to log-in. If so, no action is required. If the log-in attempt was not made by you, use the link below to reset your credentials immediately.
User: <Last Name, First Name>
Date: 06/17/17 08:16 GMT
Location: Mexico City, Mexico
Operating System: Windows XP
IP Address: 123.45.678.910
Step 2. Link Manipulation
Within email clients, a user can hyperlink everything. You can see a link that reads “http://www.paypal.com/accountrecovery.” However, when you open it up, it takes you to a totally different (often times, similar looking) link. This is link manipulation technique is very easy, and anybody can do it.
Step 3. Page Spoofing
Remember when I said I have a general understanding of HTML? Well I can make it so that when a user accesses a page, it looks identical (if not almost identical) to the page the user is used to seeing. And I would manipulate the login process so that it works the same way.
Step 4. Data Gathering
So again, with my basic HTML knowledge, creating a form on the same spoofed website is easy. The form filled out will give me your username and password; and that’s it!
How do you stop it?
These tricks aren’t difficult to implement, but they are very effective at compromising data, costing valuable resources and tarnishing a company’s reputation. At Core Orange, we want to show how much smarter your people are than the bad guys with our unique approach to Cyber Security Awareness Training.
Marketing Lead; Core Orange Technology