Archer

It’s time to hack yourself 

What if you had to hack yourself? How would you do it?

We asked social engineering experts to show us how the bad guys do it — and what you need to do yourself.

Social engineering is the manipulation of a person to make them do something they may not otherwise do, like give up sensitive information or click on a poisonous link.

It’s a very popular attack method and the basis for many cyber attacks around the world.

Watch here:

How Would You Do It?

Marjorie works at a bank with pretty darn good security.

How would you take over her computer?

“Hackers looking to do — and particularly social engineers — they’re looking to build a picture a profile of somebody, so that when we make that approach for the scam or the con, it’s believable,” said social engineering expert Jenny Radcliffe, founder and director of Human Factor Security.

Birthday Bash

Radcliffe hacked her ‘Marjorie’ like this.

She saw a post on social media celebrating Marjorie’s 50th birthday.

That gave Radcliffe Marjorie’s full date of birth.

Radcliffe looked up businesses near Marjorie’s home address and found a nice little pub.

She then sent Marjorie an email pretending to be from the pub, noting the date of her birthday and offering her a nice discount for a birthday celebration.

Marjorie clicked on the link — perfect for downloading malware onto Marjorie’s computer.

“We can even look inside people’s webcams, can listen in to conversations, but almost certainly be able to see passwords for bank applications, any website she’s on,” Radcliffe told Archer News in an interview. “Certainly, read e-mails, look at photographs. And that can be used for coercion, blackmail and bribery.”

An example of a phishing-style email.Image: Archer News

Social Engineering Tricks

Radcliffe does this kind of social engineering for work to show businesses how to defend themselves.

You can learn some tricks, too, even if you think you don’t have anything worth hacking.

“Everyone’s worth hacking, everyone’s connected to something,” Radcliffe said. “Or has some information they want to keep private or has some detail of their company or their spouse’s company that’s worth having.”

“I think that idea that, ‘It won’t happen to me, I’m not important enough,’ is actually really, really one of the most worrying things because it stops people being vigilant,” she added.

 

Jenny Radcliffe speaks at the 2019 CyberChess cybersecurity conference in Riga, Latvia, in October. Image: Archer News

What Should You Do?

Search yourself, Radcliffe and cybersecurity expert Kieren Lovell advised.

“I think first thing, you should actually check yourself to see what your own digital footprint is. Because a lot of people don’t actually know what they have put out on the Internet,” said Lovell, who is head of the computer emergency response team, or CERT, at TalTech in Estonia and a social engineering instructor at the University of Cambridge.

Check yourself, because that’s what attackers are doing to see how they can fool you — or impersonate you — online.

What should you look for?

“Be in the mindset of a ex jealous girlfriend or boyfriend,” Lovell said.

A nation-state looking for control and secrets. A spy, a thief or a blackmailer.

“That motivation aspect is key,” Lovell said to Archer News in an interview at the CyberChess security conference in Riga, Latvia, this month. “Work out how this data can be used and utilized.”

 

Kieren Lovell speaks at the CyberChess cybersecurity conference in Riga, Latvia, in October 2019. Image: Archer News

Ways In

Lovell runs an exercise with universities, pitting them against each other to see who can social engineer the others and get them to click on email links.

“In doing the exercises like I do, where you have a look at somebody or yourself and work out how you could do it, you start to learn that creativity,” he said. “Then you can start to spot it when other people are doing it.” 

It could be a fake discount at your favorite pub that you happened to mention on Twitter.

A fake vet bill for your pup that you showed and named in a Facebook post.

A fake job offer for the skills you laid out on LinkedIn.

Or even a very realistic fake notice about a security vulnerability, like the email that stung Lovell himself.

“They pretended to be a cybersecurity team from another university and sent me a vulnerability using the procedures that we all use to share data amongst ourselves,” Lovell said.

“A link to a reported vulnerability site, but it was spoofed,” he explained. “Clicked the link, malware downloaded straight away.”

It was ransomware, his files encrypted.

 

An example of a phishing-style email about a job offer. Image: Archer News

Malintent

Thanks to Radcliffe’s work, Marjorie now understands more about how she can be hacked.

And so do the rest of us, no matter where we live or work.

“We just need to be a little bit more careful about what’s out there,” Radcliffe said. “And think about what someone with malintent could do with that information.”

 

Main image: Airport facial recognition. Image: izusek/iStock



Leave a Reply