Image for post
Image for post

Password Breaches and Social Engineering Attacks

Arthur Kay
Oct 30, 2018 · 4 min read

A former colleague of mine recently shared an email she received from a purported hacker:

Image for post
Image for post
A social engineering attack

The picture is a bit grainy, so here’s what it says (censored for obvious reasons; poor grammar left intact for hilarity):

Hello!

I’m a hacker who cracked your email and device a few months ago. You entered a password on one of the sites you visited, and I intercepted it.

This is your password from XXXXX@XXXXX.com on the moment of hack: XXXXXXXXXX

Of course you can will change it, or already changed it. But it doesn’t matter, my malware updated it every time.

Do not try to contact me or find me, it is impossible, since I sent you an email from your account.

Through your email, I uploaded malicious code to your Operation System. I saved all of your contacts with friends, colleagues, relatives, and a complete history of visits to the internet resources. Also I installed a Trojan on your device and long tome spying for you.

You are not my only victim, I usually lock computers and ask for a ransom. But I was struck by the sites of intimate content that you often visit.

I am in shock of your fantasies! I’ve never seen anything like this!

So, when you had fun on piquant sites (you know what I mean) I made screenshot with using my program from your camera of yours device. After that, I combined them to the content of the currently viewed site.

There will be laughter when I send these photos to your contacts! BUT I’m sure you don’t want it.

Therefore, I expect payment from you for my silence. I think $833 is an acceptable price for it!

Pay with Bitcoin.

There’s a lot to unpack in this message, but the important takeaway is that my friend wasn’t actually hacked. Poor grammar aside, the attacker has executed a believable social engineering campaign that sadly many people may fall for.

Let’s take a few minutes to dissect this attack and discuss some strategies to keep yourself protected.

Why is this attack believable?

Legitimate “From” Email Address

Although I cropped this part out of the original picture, this message was, in fact, “sent” from my friend’s email address. The message would have you believe that her computer and email account have been compromised — and that’s why she’s receiving the message.

In reality, it’s really easy to send an email using any “from address”. It’s just as easy as sending mail via the USPS and using a spoofed “return address” in the upper-left corner of the envelope.

Legitimate “Hacked” Password

Next, the email contained a password that my friend had indeed used at some point in the past. The fact that it’s a real password that the recipient would recognize makes this attack very believable.

In reality, my friend had an account involved in an unrelated cyber breach — meaning some other company was hacked, and the password she used on that company’s website is what is seen here in the email.

Effective Social Engineering

Ransomware is a thing that many people fall victim to, and it’s constantly in the news. People know about it, which is another reason this attack sounds believable. Other cybersecurity buzz words also lend credibility to the message: “cracked”, “malicious code”, “Trojan”, and “malware”.

Moreover, the real attack vector in this message is blackmail.

Many, many people love their porn — and as the author of this message would have you believe, my friend allegedly visited some “piquant sites” with “intimate content”. She didn’t actually, which is why she knew this message was fake, but enough people do that social engineering attacks like this are highly successful.

Can you protect yourself?

Simply being aware that social engineering attacks are common is a good first step to protecting yourself. Messages like the one above can be very convincing, but you should always be suspicious whenever you receive a message like this.

The number of data breaches every year (4.5B in the first half of 2018 alone!) makes it difficult to keep your personal data from being used in a social engineering attack. Limiting the amount of personal data you put online is always a good idea, but sadly this problem is only going to get worse — being aware of the tactics is ultimately the best way to keep yourself safe.

Another security best practice (and perhaps the most important thing you can do to protect yourself against attacks like this) is to practice good password hygiene. Never use the same password on multiple websites — either you’ll actually get hacked, or you’ll fall victim to a social engineering attack like the message above.

You should also keep your antivirus software up-to-date, your computer’s firewall (or other defensive software) turned on, and take advantage of your email provider’s anti-phishing features.

Gmail’s SPAM warning

Social engineering attacks can be incredibly convincing and difficult to defend against. The message above tried to convince my friend she was being blackmailed as a result of being hacked — would you fall for a similar message?

THAT Conference

THAT Conference is your Summer Camp For Geeks.

Arthur Kay

Written by

Engineering Lead. Mentor. The Cyber.

THAT Conference

THAT Conference is your Summer Camp For Geeks. The only family friendly polyglot community of geeks who've set out to change the world together.

Arthur Kay

Written by

Engineering Lead. Mentor. The Cyber.

THAT Conference

THAT Conference is your Summer Camp For Geeks. The only family friendly polyglot community of geeks who've set out to change the world together.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store