The CyberNews.com research team recently conducted a hacking experiment with three UK volunteer journalists to show how easy it is for criminals to exploit personal data. Here's how they did it and how to prevent it from happening to you. While most people know that cybercrime is on the rise, many of us are still open to attack. Recent analysis suggests that data breaches cost organizations an average of nearly €4 million on average, with more than €17,000 lost every minute worldwide due to phishing attacks alone. Part of the problem is that many people believe that they are already protecting their personal data and that only attacks involving sophisticated, high-level methods do any harm. About the Author Edvardas Mikalauskas is a senior writer and researcher at CyberNews.com This is wrong: in fact, we are all vulnerable to basic forms of attack and could do more to protect our data. To prove this point, we recently spent six weeks trying to hack three Daily Mail reporters, with their permission of course. They were seasoned journalists, but we were able to show that exploiting their publicly available data was relatively easy to do. The most useful data source for criminals is personal information, which can be used to steal your online identity or crack your login credentials. Individuals often make this data freely available through social media accounts, public profiles, and even past fundraising pages. Almost all of us are guilty of oversharing. In addition to this, hackers can also take advantage of previous data breaches of online services to find the data they need. In our experience, we quickly find phone numbers, email account details, home addresses, dates of birth, full names of family members, pet names, and old passwords. . Some data, such as mobile phone numbers, may be collected by resetting passwords for different accounts. For example, a Facebook reset gave us the last two digits of the attached phone number, PayPal gives six digits total, and so on. These data were more than enough to launch an attack on journalists. Using combined efforts of phishing attacks, brute force password reset, vishing campaigns, and sim swapping, our investigative team attempted to breach the online security of the three journalists through white hat techniques.
What do these techniques look like in practice?
Phishing is a method that exploits our trust in organizations like HMRC or a bank. Malicious actors attempt to fraudulently obtain personal information by posing as these trusted sources, using online communications such as emails and messages. This method often directs users to fraudulent websites asking people to enter login details and other personal information, which is then stolen by hackers. Brute force password reset involves guessing a password by trying possible combinations of characters. Although this is quite a slow method, since the malicious actor would need to know the password parameters (for example, uppercase and lowercase characters, special symbols, password length) to refine the search, c ' is still a form viable to hack accounts. One particularly disturbing method is vishing, which is voice phishing, in which a hacker poses as a trusted source during a targeted direct phone call. Scammers are likely to use caller ID spoofing or an automated system to make the number appear trustworthy, making it harder to trace. The purpose of the communication is to obtain personal information for the purpose of stealing an identity or money. SIM swapping is a type of scam and account takeover that targets weaknesses in two-factor authentication (2FA). In this type of fraud, actors exploit mobile phone service providers and use previously obtained personal data to impersonate the victim. Once security measures are in place, hackers will request that a secondary SIM card be sent to them, which will help them bypass authentication of social media, banking, and email accounts.
How do we hack journalists?
Using the cell phone number obtained for a target, our vishing campaign resulted in a direct phone conversation between one of the journalists and one of our researchers posing as a PayPal representative: an attempt to access his account. The journalist became suspicious at the last moment, and this loophole was finally thwarted just before revealing his personal account data. In the SIM swap experience, our team pretended to be two reporters and talked to their mobile provider to order a secondary SIM card, requesting it be shipped to our address. This method took us more than 20 attempts to secure it because we did not have all the personal data needed for the security check. Finally, we found a customer service employee who trusted us and agreed to send the SIM card. By receiving and using this SIM card, our team could bypass phone authentication to re-establish connections to multiple accounts for quick access to them. At this point, our status as ethical hackers has prevented us from using other methods favored by criminals. We have no doubt that common criminal techniques, such as background checks and blackmail, would have quickly obtained even more information and made it relatively easy to fool these people. So how can you reduce the risk of an attack exploiting your own data?
How to protect yourself better
The most important action is to enable two-factor authentication (2FA) on all of your accounts, which requires two separate approval steps when accessing your accounts. This can be done for your social accounts on Instagram, Facebook, and Twitter, messaging platforms like WhatsApp, as well as your personal bank, file management, and gaming accounts. Any account where personal data is stored must have 2FA. Unless you can remember long, individual, and unique passwords for each of your accounts, using a reputable password manager is imperative to ensuring security. Password managers help users create unique passwords and store them securely for maximum efficiency and privacy. Finally, a simple but effective step to protect your information: keep your social media profiles private. As we pointed out during this hacking experience, the more personal data is freely available, the easier it is for hackers to exploit it. By freely posting personal information, however innocent it may seem at the time, you are increasing the puzzle pieces hackers can collect about your life.