Top Techniques Cyber Criminals Use to Hack You (and How to Protect Yourself)

Catch that bad guy red-handed!

I am an “ethical hacker”, also known as a “white hat hacker” or a “penetration tester” which basically means that I am paid by various organisations to break into their computer systems. Once I succeed, instead of ruining their reputation, destroying their infrastructure, or stealing their money and assets, I educate them on their security vulnerabilities and help to remediate them before they are found by a malicious hacker.

If you’re not familiar with the idea of ethical hacking, just know that it is a legitimate career. Ethical hackers are hired every day by banks, universities, large companies, and even small businesses. Ethical hacking, and the whole information security sector, is becoming more of a necessity as cyber crime becomes more abundant in our society.

Now, before we start — let me be very clear. I have not and will not commit cyber crime, nor do I recommend it to anyone. It is illegal, unethical, and it could land you in jail. Nevertheless, for my work, I need to have an in-depth understanding of the techniques used by the bad guys to wreak havoc (and earn money). In this article I will be providing an insight into these techniques.

There is a very common attitude among the average internet user which I hear regularly: “I don’t have anything secret on the web so who cares if I get hacked?” But you may not realise that you have plenty of things that are extremely valuable to a hacker. Bank accounts, personal details, credit cards, identity documents, social media accounts and hacked computers fetch a small fortune on the dark web!

In case you are not aware how big the cyber crime scene is, here are some facts to blow your mind:

  • The cost of cyber crime is predicted to be 6 trillion(!) dollars annually by 2021. Back in 2015, it was half that. [source]
  • Cyber crime was the second most reported type of crime in 2016 globally. [source]
  • The amount of money that was spent on information security in 2017? $86.4 billion. And it’s set to crack $1 trillion by 2021. To make things even more interesting, there is a huge worldwide shortage of ethical hackers, who help to secure legitimate companies and businesses. [source]
  • Cyber crime makes up around 50% of all crime in the UK. [source]
  • Cyber crime is now a far larger global market than drug trade.

In this article I’m hoping to give a fairly non-technical overview of the most common techniques used by hackers to do their shady business. I will also be telling you the best methods of protecting yourself.


Phishing

Have you ever received an email from a Nigerian prince or a non-existent distant relative who is offering you an absurd amount of money? It was a phishing scam, albeit an extremely unsophisticated one. These unsophisticated phishing emails are generally sent to a huge number of people, in the hundreds of thousands or even millions. Sending this many emails does not take much effort given the right resources. If just 0.01% of people fall for this phishing scam, at $1000 per victim, with 1 million emails, you have just made yourself a tidy $100,000. Not bad for a weekend’s work!

Phishing attacks are not just for Nigerian scammers, they are the most common way that malicious hackers gain access to corporate networks. The more sophisticated phishing attacks are highly targeted and believable. A motivated hacker might spend months enumerating their target before they strike. Let’s give a simple example of how this might work.

Let’s say that I decide that I am a super evil hacker who would really like to have full control of ABC Bank’s network. Fred Jones is the receptionist for ABC Bank. Like most people, he has a LinkedIn and Facebook account. I know Fred works there as a receptionist, because I can see it on his LinkedIn profile. I also know that he has applied for annual leave, because he posted about an upcoming trip to Hawaii with his wife and two kids. His boss’s name? No problem… His boss also has LinkedIn.

After 5 minutes of Googling, we are armed with the following information about ABC Bank:

  • Fred Jones is the receptionist
  • Bobby Gertrude is Fred’s boss
  • Fred has applied for annual leave for a trip to Hawaii

With this small amount of knowledge, I could put together a pretty believable phish. First I create a Gmail account, bobby.gertrude@gmail.com, and write an email that goes something like this:

From: bobby.gertrude@gmail.com
Hi Fred,
My corporate email seems to be not working on my phone so I’m sending this from my personal email. Your annual leave should be approved, but we just need a few extra details from you. Do you mind filling out this form for me?
www.leave-request.abcbank.staff-organiser.com
See you Monday,
Bobby Gertrude

Take a close look at that link. The first part looks quite innocent, “www.leave-request.abcbank”, but the last part is what really matters: “staff-organiser.com”. That is the domain that was actually registered, and if I buy the domain “staff-organiser.com”, I can put anything I like in front of it. I could create “google.staff-organiser.com”, or “apple.staff-organiser.com”. But in this case, I chose “www.leave-request.abcbank.staff-organiser.com” because I think Fred might fall for it.

I create a login page which is a clone of the ABC bank’s staff portal. My clone has one important difference, instead of sending the usernames and passwords to the bank for validation, it sends them to me! Once Fred clicks that link (my cloned page) and attempts to log in to sort out his annual leave, I gain his username and password, which allows me to read Fred’s emails, and login to the staff portal. Thanks Fred.

To make things even more believable, I could have masked the link in the email. One thing that many people don’t realise is that the text shown in a hyperlink is not necessarily the location of the link. For example, if you click the link below, it won’t take you to Google as you would expect, it will take you to my Medium profile:

http://www.google.com/

Practice hovering over the link to check the real location of the URL now.
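The two checks described above (which part of a hostname is the real, registered domain, and whether a link’s visible text matches where it actually points) as a small added example in Python. This is not code from the original article; it uses a constructed, deliberately short public-suffix list instead of the full Public Suffix List, and the link values are the ones from the sample phish.

```python
"""Inspect a hyperlink the way the article recommends: find the domain that
actually controls the destination and compare it with what the link shows.

Added example, not code from the original article. The suffix list below is a
constructed stand-in for the real Public Suffix List; standard library only.
"""
from urllib.parse import urlsplit

# Constructed, deliberately incomplete list of public suffixes for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "com.au", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a hostname that has to be bought from a registrar.

    For 'www.leave-request.abcbank.staff-organiser.com' that is
    'staff-organiser.com'; everything to the left is a subdomain the owner of
    staff-organiser.com can create for free.
    """
    labels = host.lower().rstrip(".").split(".")
    # Try the longer suffix first so 'co.uk' wins over 'uk' / 'com'.
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def host_of(url: str) -> str:
    """Hostname of a URL; bare hosts such as 'www.example.com' are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def looks_like_url(text: str) -> bool:
    """Rough test for anchor text that is itself a URL or hostname."""
    return " " not in text and "." in text.strip(".")


def inspect_link(href: str, text: str, trusted_domain: str) -> dict:
    """Report what a reader should check before clicking.

    href            - where the link really goes (the HTML href attribute)
    text            - what the link displays to the reader
    trusted_domain  - the registrable domain the reader expects, e.g. 'abcbank.com'
    """
    real_host = host_of(href)
    real_domain = registrable_domain(real_host)
    findings = []

    # 1. The trusted brand appears in the hostname, but only as a subdomain.
    brand = trusted_domain.split(".")[0]
    if brand in real_host and real_domain != trusted_domain:
        findings.append(f"'{brand}' is only a subdomain; the real domain is {real_domain}")

    # 2. The visible text is a URL that points somewhere other than the href.
    shown_host = host_of(text) if looks_like_url(text) else ""
    if shown_host and registrable_domain(shown_host) != real_domain:
        findings.append(f"text shows {shown_host} but the link goes to {real_host}")

    return {"real_domain": real_domain, "suspicious": bool(findings), "findings": findings}


if __name__ == "__main__":
    # The link from the sample phish, then the masked-link trick from the text.
    print(inspect_link("https://www.leave-request.abcbank.staff-organiser.com/login",
                       "www.leave-request.abcbank.staff-organiser.com", "abcbank.com"))
    print(inspect_link("https://medium.com/@someone", "http://www.google.com/", "google.com"))
```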


Phishing for credentials is pretty effective, but there are some other nasty things that this email could have done:

  • Linked to a Java applet that allows me to control Fred’s work computer.
  • Attached a macro-enabled Microsoft Word document which allows me to control Fred’s work computer.
  • Attached a malicious Microsoft Word document that contains a “subDoc”, which allows me to obtain an encrypted version of his password, which can later be decrypted.

Many corporate environments have a VPN setup which allows their employees to work from home. With Fred’s password, I could probably log in to this VPN and explore the bank’s network. Otherwise, I could use one of the nastier phishing attacks outlined above to gain control of Fred’s computer, which is already connected to the bank’s internal network.

Once internal network access has been gained, a skilled hacker won’t have much trouble exfiltrating passwords of other users, sensitive documents, emails and more. But that’s for another blog post.

Protecting Yourself Against Phishing Attacks

  • Think before you click. If the email smells phishy, it probably is. Delete it!
  • Nobody will ever email you randomly offering you money, gift cards, iPhones, puppies etc. unless they are trying to scam you.
  • If an email from “someone you know” is coming from an email address you haven’t seen before, call them to verify that it is legitimate.
  • Hover over hyperlinks before you click them to check their true destination.
  • Don’t ever send your passwords or personal details via email to anyone.
  • When you’re on a website, you can check that it is legitimate by checking the green lock and organisation name next to the URL. If this is not present, or the organisation name is not what you expect, don’t use the website. It looks a bit different depending on the browser you use (screenshots of the indicator in Firefox, Internet Explorer and Google Chrome are not reproduced here).

Phishing attacks are just one hacking method, let’s take a look at a different one. Password re-use and weak passwords!


Password Re-use and Weak Passwords

Image source: http://www.securedatamgt.com

If you’re like most people, you probably reuse the same password for multiple services so that it’s easy to remember. Here, I’m going to show you why that’s dangerous, and also how you can use a different password for every service without having to remember them. Story time!

Xavier is a black-hat evil hacker who offers his services to the highest bidder on the dark web. He has been hired to gain access to the email inbox belonging to the CEO of BigCorp, Boris McGee. He must take special precautions to ensure that he is not caught, so a phishing attack might be a bit too noisy.

The first phase of any hacking engagement is enumeration, gathering as much information about the target as possible by searching Google, social media sites and online archives. Xavier stumbles across a few of Boris’ personal social media profiles and takes a look. It turns out Boris is quite a passionate antique coin collector, and a keen poster on cointraderforums.net. His profile on cointraderforums.net reveals his personal email address, boris.mcgee@yahoo.com. It’s not his work email, which is Xavier’s ultimate target, but it’s something.

When large companies fall victim to hackers, we sometimes see a data breach which gets dumped onto the internet for the world to see. These breaches often contain personal details, including email addresses and passwords. Some of these breaches come from huge companies that you might have used in the past. LinkedIn, Dropbox and Adobe to name a few. A malicious hacker will often have a copy of these data dumps saved to their computer. When they come across an account they want to gain access to, an easy place to start is checking whether the account’s email and password is present in any of these dumps.

Unlucky for Boris, he uses Dropbox for sharing photographs of his coins with his coin collector mates. His Dropbox password was breached back in 2012. Xavier has a copy of the Dropbox breach sitting on his laptop, so he can see that in 2012, Boris’ Dropbox password was “c01ns4Lyf2012!”. Boris has since changed it, so Xavier can’t log in to his Dropbox using this one, but he can make a pretty solid guess at the current password: “c01ns4Lyf2018!”. Xavier tries logging in to cointraderforums.net using Boris’ personal email and the password “c01ns4Lyf2018!”. Login successful.

It’s looking pretty rough for Boris at this stage, there’s a black-hat hacker logged into his cointraderforums.net account, viewing private messages about his coin collection and cats. But it’s about to get a whole lot worse, you see, Boris uses the same password for everything.

Now all Xavier needs to find is Boris’ corporate email. He searches Google for “intext:@bigcorp.com”, which reveals 3 email addresses:

  1. bob.stone@bigcorp.com
  2. jane.kelly@bigcorp.com
  3. tim.green@bigcorp.com

Like most companies, it seems that BigCorp uses the same format for all their staff emails to keep things uniform: firstname.lastname@bigcorp.com. So Xavier tries logging into BigCorp’s staff email using “boris.mcgee@bigcorp.com” as the email, and “c01ns4Lyf2018!” as the password.

Bingo.

Of course, due to Boris’ bad password reuse practice, it works. Xavier sends a copy of Boris’ sensitive corporate emails to his client on the dark web and receives a healthy payment for his “services”, but he’s not done there. Xavier is an experienced criminal, and he knows how to play the game.

Xavier then logs into Boris’ bank account and sends a generous donation to an offshore bank account which he hacked last week. He heads down to the local ATM which does not have any security cameras and withdraws the full amount in cash. That should pay for his groceries for the next few decades.

Protecting Yourself Against Password Reuse and Weak Passwords

Use Strong, Unique Passwords For Every Service

To be protected from password reuse attacks, you need to use a unique password for every service. The trouble is, these days most of us use a large amount of services, meaning your passwords become extremely difficult to remember. Enter password managers!

Password managers are basically a “vault” for all your secure login details. Depending on which password manager you choose, this vault can be stored on your computer, or in the cloud. You only need to remember one single password which unlocks your vault. Once your vault is unlocked, you can view the rest of your passwords which are safely stored inside. Some password managers also have the ability to “auto-fill” login forms in web browsers, similar to the function of your web browser automatically filling out forms for you.

For security’s sake, it is worth installing a password manager, then spending an hour or two changing all your passwords to be random and unique on every service you use, storing your new passwords in the vault as you go. Now when one of your services gets hacked, the rest of your services remain secure.

Some popular password managers include “LastPass”, “Dashlane”, “1Password” and “KeePass”. They all have their pros and cons. My personal choice is LastPass, but only because I’m used to it.

As a general rule of thumb, I recommend that all passwords be a randomly generated string of at least 12 characters, containing lowercase, uppercase, numbers and symbols. The password also shouldn’t be easily guessable or relate to something that is known about you, like your name or date of birth.
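The two password rules from this section, as an added example in Python that is not code from the original article: a check that a “new” password is not just the old one with a different year on the end (the c01ns4Lyf2012! to c01ns4Lyf2018! pattern from the story), the 12-character, four-class rule as a policy check, and a random generator that satisfies it. The leetspeak substitution table is a constructed, minimal one.

```python
"""Password hygiene checks for the advice in this section.

Added example, not code from the original article. It shows why the story's
year-rotation pattern (c01ns4Lyf2012! -> c01ns4Lyf2018!) is not a new password
even though it passes a complexity policy, and how to generate one that is.
Standard library only.
"""
import secrets
import string

# Constructed, minimal table of common letter-for-symbol substitutions,
# undone before comparing passwords so 'c01ns' and 'coins' look the same.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})


def password_core(password: str) -> str:
    """Reduce a password to the memorable core a person tends to reuse:
    lower-case it, drop trailing digits/symbols (years, '!' etc.), undo leet."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def is_trivial_variant(old: str, new: str) -> bool:
    """True when 'new' is just 'old' with a different suffix or spelling."""
    return password_core(old) == password_core(new)


def meets_policy(password: str, min_len: int = 12) -> bool:
    """The article's rule of thumb: 12+ chars with lower, upper, digit and symbol."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return (len(password) >= min_len
            and all(any(ch in cls for ch in password) for cls in classes))


def generate_password(length: int = 16) -> str:
    """Random password from a CSPRNG (secrets) that satisfies meets_policy()."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def check_new_password(new: str, previously_breached: list[str]) -> list[str]:
    """Return the reasons a proposed password should be rejected (empty = OK)."""
    problems = []
    if not meets_policy(new):
        problems.append("shorter than 12 characters or missing a character class")
    for old in previously_breached:
        if new == old:
            problems.append("identical to a breached password")
        elif is_trivial_variant(old, new):
            problems.append(f"trivial variant of breached password {old!r}")
    return problems


if __name__ == "__main__":
    breached = ["c01ns4Lyf2012!"]  # Boris' 2012 Dropbox password from the story
    # Passes the complexity policy, but is still rejected as a trivial variant.
    print(check_new_password("c01ns4Lyf2018!", breached))
    # A random password from the generator has no such problem.
    print(check_new_password(generate_password(), breached))
```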

Use Multi-Factor Authentication

Most major online websites now have an option to enable at least two-factor authentication (2FA). This basically means that if anyone tries to log in to your account, it will send you a text, or pop up a notification on your phone to ask whether it is a legitimate login attempt.

If an attacker was able to find your Gmail password, but you have 2FA enabled, you would still remain protected!

NOTE: If a cyber criminal already has your password for say, your bank, but your account is protected by 2FA, a common technique they will try to bypass the protection is to call you pretending to be the bank! They will say something like “I’m just going to SMS you a code to verify your identity”. They then log in to the bank with your username and password, a 2FA text is sent to you, you read it to the attacker, and the attacker uses the code to access your bank account. Too easy! Just know that the bank will never call you out of the blue and ask to verify your identity. If you aren’t 100% sure that a phone call is legit, hang up and call the organisation back on their official number.

If you’re making a call, you can be certain about who you’re calling. If you’re receiving a call, you can’t be certain who you’re talking to.

Ransomware

If you’ve read this far, you would have realised by now that cyber crime is no longer a prankster’s game. Cyber criminals are in it for the money, and what better way to make money than to hold a person’s entire digital life for ransom?

Take a deep breath, time for another story. This time, it’s a real one.

In early 2017, a secretive black-hat hacking group called the Shadow Brokers hacked into the NSA and publicly released their entire arsenal of hacking tools and exploits. Yep. Soon after, someone (likely North Korea) used one of the leaked tools to create ransomware which spread to about 230,000 computers in 150 countries. This ransomware was dubbed “WannaCry”.

When a computer became infected with WannaCry, all of its files were encrypted, making them inaccessible to the user. The only way to recover files would be to pay $300 to the cyber criminal. Even then, there was no guarantee.

Obviously, there were many upset users. People lost their family photos and important documents, hospitals were temporarily shut down, airlines and car manufacturers were affected. It was total chaos. Everyone who was infected would be confronted by this scary looking screen:

Aaahhhhh…

The cyber criminal(s) responsible for this have not been caught, and probably never will be. They walked away with over $200,000 USD, but this is loose change compared to the cost of the destruction it caused.

Protecting Yourself Against Ransomware (and Other Nasty Viruses)

Update, update, update!

You know those annoying popups on your PC/Mac asking you to update/restart now? They’re not just a built-in feature designed to make your life unpleasant. They actually go a long way to protecting you. Every computer that was hit with WannaCry was at least 1 month out of date. Had they updated, they would have been protected.

Anti-Virus

I’m not going to recommend any particular AV solutions here, but I will say that they do offer extra protection. They’re not bulletproof, but they do provide an extra hurdle for the bad guys.

Think About Your Inputs

Any method of putting data into your computer is also a potential attack vector for the bad guys. You can take precautions to reduce these attack vectors: don’t plug in random USB drives, don’t let other people touch your computer, don’t download random email attachments, don’t visit dodgy websites… you get the idea.


Physical Access

Basically, if a cyber criminal has physical access to your devices, it’s game over. Even if you have a great password, the best anti-virus protection and update religiously, it won’t make much difference. Physical access to a device trumps all.

For this reason, companies tend to keep their most critical devices locked in a cage. The more secure companies also have their employees lock their devices away in lockers or filing cabinets every night. You could take a leaf out of this book! This time I’m going to tell a personal story of the night my car was broken into. Another true story.


Before I was an ethical hacker, I was a musician. I was on a short tour on the east coast of Australia, and I was staying the night in a little motel somewhere on the Central Coast. That part of the world is absolutely beautiful, but this motel happened to be smack-bang in the middle of a very sketchy area. My car was parked in the motel car park overnight and (stupidly) my iPad was left inside. It wasn’t visible, but it was there.

I woke up in the morning and reached for my phone to check the time. It was displaying an unusual locked screen, asking for a 4 digit code. If the code was entered incorrectly, it warned, all data on the phone would be wiped. I tried my usual pin code to no avail, I tried every other code that I thought I may have set. Still nothing. I had no other choice than to wipe my phone and start again.

No big deal… Lucky I brought my laptop on tour this time. I could use this to reset my phone. I needed to get my phone up and running before the day began to deal with constant phone calls with venues, accommodation and other band members. I pulled open my laptop and my heart sank. My laptop was also displaying an unfamiliar screen asking for a 4 digit pin code, which had not been set by me.

My brain was spinning with possibilities. Was this ransomware? Did I pick up the wrong laptop? What is going on here? I decided to head out to my car and check my final device — the iPad. Before I even arrived at the car I saw the problem. My car had been broken into.

It all started piecing together in my mind. Someone had stolen my iPad, opened the “Find my iPhone” app, erased my iPhone and laptop (along with all my files), then set a pin code so that I could not access them. But that’s not the worst thing! My iPad was also logged in to the email app, which means that all a cyber criminal would need to do is open the email app to access all my emails.

From here, they could go to any of the services I used (Facebook, Twitter, bank accounts, invoicing apps, etc.) and click “reset password”. The app would send me an email with a password reset link, and because they have access to my emails, they could simply click the link, reset my password, and log in as me. I’ll leave the other possibilities to your imagination.

Time was of the essence. I needed to regain access to my accounts and reset all my passwords before any damage was caused. But how? I didn’t have access to my own computer or any other internet enabled device because they had all been wiped and locked. No problems, I’ll go to the nearest Apple store and use one of their computers to reset my passwords. Except, I’m in an unfamiliar area with no internet access. I don’t even know where the nearest town is, let alone an Apple store.

I woke up one of my band mates and asked to use his phone. I found the nearest computer store and sped down there, calling Apple on the way. By the time I got there, I had been locked out of every service that I use. All my passwords had been changed with one exception. My bank accounts — thank god for two-factor authentication.

Things were looking pretty bleak at this stage, but my options weren’t exhausted yet. I attempted to reset my email password; one of the options was to reset it by answering secret questions. Bingo! The attacker neglected to change those. I logged in to my account and changed my password to something new. From here, I could reset passwords on all my services and effectively lock the attacker out. Contact details on my Apple account had been updated to the attacker’s details, so I was able to report them to police. I never did hear back about that, and I never got my iPad back, but I hope they were caught.

Getting access back to my laptop was a bit more difficult. At that stage, it was a $2000 paperweight. Luckily, the older MacBook Pros had a security flaw which allowed you to bypass the “Find my iPhone” lock by unscrewing the laptop and replacing the RAM. I managed to hack my way back into my own computer this way, but it would not be possible with today’s computers, as this security flaw has been fixed.

I was lucky. My attacker was a run-of-the-mill criminal with a bit of tech know-how, not a hardened cyber criminal or a heavily funded nation state threat actor. If they were, I would never have been able to gain access back to my accounts. My online identity would be forever at the whim of somebody else.

Protecting Yourself Against Physical Access Attacks

You can mostly protect yourself by following this golden rule:

Treat your electronic devices like a wallet full of cash because to a cyber criminal, that’s exactly what they are.

Some other practical tips:

  • Keep your devices under lock and key.
  • When travelling, keep devices on your person.
  • When flying, keep your devices in carry-on.
  • When staying in a hotel, don’t leave your devices in the hotel room.
  • Consider using some kind of physical 2FA token like a YubiKey.

Scam calls

Like phishing emails, scam calls vary widely in sophistication level. I’m going to tell you the story of someone I know well who fell victim to a scam call. The only things that have been changed in the story are the name of the person, and the name of the bank.

Rob Greene is an intelligent guy. He is roughly 35 years old and owns a successful service-oriented business. He has an average level of knowledge about computers and prides himself on being quite careful with his passwords and pin numbers.

One day at work, he receives a dreaded call from his bank.

“Hello Mr. Greene, we have reason to believe that your bank account has been compromised and fraudulent transactions have been made. Can you please confirm that you have recently made a $50,000 purchase from a car showroom in India?”

Rob’s heart starts beating fast. Where did he go wrong? How did someone get access to his bank account? Would he be able to get his money back?

The phone call continues. “We may be able to recover these funds if we act quickly, could you please confirm your client ID?”, Rob complies with the request. “Thank you sir, and finally, could you please confirm your password?”. Normally, alarm bells would have been ringing, but Rob was stressed. He was at work, clients were waiting for him, he thought $50k had been stolen from him, things were confusing. He complies with the request, and tells the caller his password.

It all seemed so legitimate. The caller didn’t sound like a cyber criminal, they sounded like a friendly bank employee. But they weren’t. As it turned out, nothing had been stolen from Rob, and his account wasn’t compromised. But now it is! Over $100,000 USD were stolen in total, in a number of large transactions to various offshore bank accounts. Some of this was able to be recovered, but some of it wasn’t. The bank actually didn’t have any obligation to give any of it back, because Rob technically gave his password away to a third party, which is against the bank’s terms and conditions. Thankfully, they were a large reputable bank who worked hard to get the money back (and preserve their own reputation), but it took months. In the meantime, Rob was stuck without money. He had to borrow from friends and relatives to pay for groceries and utility bills.

The other thing that made this difficult was that after he reported the theft to the bank, he could no longer tell whether the follow-up calls were legitimate, or just another scam call. Every time he received a phone call, he had to hang up and go to a physical bank branch, where he was able to communicate with confidence about who he was talking to.

How did the attacker fare? It’s difficult to know whether they were caught or not, but probably not. More likely they are extremely rich, living the high life with stolen cash somewhere overseas.

Protecting Yourself Against Scam Calls

  • Never tell anyone your password over the phone. A legitimate company will not ever ask you for your password.
  • If any organisation calls you and asks to verify your identity, hang up and call them back on their official number to verify that it is legitimate.
  • Hang up, stop and think. Scam callers are fast-talking conmen. They know exactly what to say to steer your brain away from realising that you are being conned. Many of these scams can be thwarted by just taking a break away from the call. If something doesn’t quite feel right, don’t feel bad about hanging up. Have a sit down and think it through with a clear head: could it be a scam?

Social Engineering

Social engineering is the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. At least, that’s the bland definition. More simply, it’s conning people. I’ve given a few examples of social engineering above — phishing emails are a form of social engineering, and so are scam calls.

A skilled social engineer doesn’t have too much trouble talking their way into the corporate offices of financial institutions, backstage at concerts and other places they really shouldn’t be. They also wouldn’t have too much trouble talking your utility companies into divulging information about you.

What’s in a social engineer’s toolkit?

  • A professional, charming nature
  • A fluoro hi-visibility vest and clipboard (or tablet)
  • A suit
  • An assortment of lanyards with various colours
  • A fake email from the CEO giving you permission to be there

These five things allow them to fit in pretty much anywhere. If a random person walks in off the street into ABC Bank and says to the receptionist “Hi, can I take a look around your office?”, the receptionist would decline. If the same person walks in off the street in a suit and hi-visibility vest, carrying a clipboard and says “Hi, I’m here for the annual fire safety audit, I just need to take a look at the FCU upstairs, it will only take a minute”, the receptionist is likely to oblige. They might even provide a visitor’s pass!

Social engineering is rooted deep in psychological traits of humans that can be exploited. Some guy called Robert Cialdini explored these traits and called them the “6 principles of influence”. These principles are as follows (source).

  1. Reciprocity: People tend to return a favor, thus the pervasiveness of free samples in marketing. The good cop/bad cop strategy is also based on this principle.
  2. Commitment and consistency: If people commit, orally or in writing, to an idea or goal, they are more likely to honor that commitment because of establishing that idea or goal as being congruent with their self-image.
  3. Social proof: People will do things that they see other people are doing.
  4. Authority: People will tend to obey authority figures, even if they are asked to perform objectionable acts.
  5. Liking: People are easily persuaded by other people that they like.
  6. Scarcity: Perceived scarcity will generate demand. For example, saying offers are available for a “limited time only” encourages sales.

How to Protect Yourself From Social Engineering

Here’s the thing about social engineering. These weaknesses are literally built into our human psyche and we are all vulnerable!

One way to mitigate the risk of being exploited is to “outsource” our decision making to computers. A good example of this is in some support call centres. In order to view a customer’s personal details, the customer service rep needs to go through a verification screen where they ask the customer to verify themselves. Even the customer service rep cannot see the customer’s data until the customer’s identity has been verified. That way, even if the person on the phone is a skilled social engineer who attempts to coerce the customer service rep into divulging information without providing the necessary verification, they can’t. The decision is left to the computer, not the human.

The only other way to avoid being exploited by a social engineer is training. You must train yourself (and your staff) about the risks of social engineers, and train them to view information as valuable and secret. Whether or not to divulge information needs to be a cold emotionless decision, and must strictly follow security protocols — no matter how charming and convincing the person is!

Man-in-the-middle (MiTM) Attacks

Diagram of a classic MiTM attack

Every time you do anything on the internet, the data you send is piped through a bunch of different computers before it actually arrives at your destination. If an attacker wishes to view everything that you are doing on the internet, all they need to do is put themselves between you and the internet. This is called a “man in the middle” attack. Let me show you how this might work. Time for a purely fictional story.

Joe is an IT administrator at a highly secretive nuclear research facility. This nuclear research facility has caught the attention of an enemy state, who has sent Hahn (one of their secret agent hackers) over to investigate. This research facility is located in a small country town, mostly filled with farmland, but there is one great coffee place not far from the facility.

Hahn has been scoping the town for a few days, and he has noticed a man who comes into the coffee shop at lunch every day with an RFID tag on a lanyard around his neck, orders a double espresso, sits at the same table, and makes full use of the free Wi-Fi on his laptop for an hour or so before driving away in his new Mercedes. This man is Joe. This kind of behaviour would be quite normal in a city, but we are in a country town. Hahn gets curious.

The next day, Hahn is waiting in the coffee shop with his laptop sporting a large suite of hacking tools. The second Joe sits down, Hahn uses his hacking knowledge to redirect all of Joe’s internet traffic through his own laptop. Hahn can now see everything that Joe is doing. He watches the URLs that are visited and is especially careful to watch for information which is pertinent to his ultimate goal: gaining access to the nuclear facility’s technical infrastructure.

Joe spends most of his time scrolling through Reddit, but then his phone rings. Disgruntled, he answers. It’s a colleague from work who is unable to access the facility’s wiki. Joe navigates to the wiki and logs in to test. “It’s working fine, probably just user error,” he mutters, and goes happily back to browsing the web.

Remember: all of Joe’s internet traffic is being watched by Hahn. That means he just disclosed the location of the nuclear facility’s wiki, and also his login credentials, to Hahn.

Hahn uses these credentials to gain an initial foothold within the nuclear facility’s network, and goes on to do all kinds of nasty things.

Protecting Yourself Against Man-in-the-middle Attacks

If you’re using any kind of public internet, such as in a cafe, hotel or airport, it’s best to use a thing called a VPN (virtual private network). They’re very easy to set up, and they cost about the price of a coffee per month. This effectively creates a safe, encrypted tunnel between you and the sites you visit. When you are connected to a VPN, even if someone does perform a man in the middle attack, the data they see will be encrypted, and you will be safe.

If you see a warning similar to the one below in your browser, especially if you are using a network with other people on it, don’t continue to the website! There’s a chance you are being attacked.

This is a classic sign that someone is performing a MiTM attack on you.

Wrap Up

This article ended up being a lot longer than I intended, and it still only scratches the surface of common attack vectors, but implementing the recommendations in this article will make you far less likely to fall victim to a cyber criminal.

Even if you don’t take any of my recommendations, I hope you enjoyed the article for the entertainment factor. If you did, let me know! I tend to shy away from most social media platforms, but one exception is Twitter. Feel free to leave a response here or get in touch via twitter.

Stay safe out there, the internet is one crazy jungle!