Imagine getting endless deliveries that you didn’t order. Imagine a police car pulling into your driveway in the middle of the night, because someone from your mobile number texted and reported a murder or a kidnapping.

Imagine getting unknown phone calls every hour, blocking your flow of work or a peaceful night of sleep. Imagine strangers calling from around the country and come knocking on your door stalking all the time.

Imagine losing your job because someone sent a hateful and abusive email to your boss and colleagues. Imagine the look of shock on your parents’ faces because they received an email with your passport and ID’s, confessing that you are working for terrorists or for the organized crime.

These aren’t just some possibilities. These are actual nightmares that people live through after their data is compromised by an online hacker.

In the space of one hour, your entire digital life can be destroyed. Your Google account can be taken over, then deleted. Your Twitter account compromised and used to broadcast racist and homophobic messages. And your Facebook can suddenly post pedophile pics making you automatically the target number 1 of the FBI.

Details of an Attack

One day in a company I worked for, we decided to invite some hackers and execute an unusual exercise: spend 1 month trying to hack some volunteers, employees from the company, as deeply as they could. The only conditions were that the hackers signed a contract where they could not steal money or any other assets from them, reveal any private information, or do any harm. And then, at the end of the hack, we wanted them to tell us what they found, and somehow help us fix any security flaws or vulnerabilities we had. By the way, companies do this all the time and very often nowadays, it is called Penetration Testing.

At the end it doesn’t matter at all, how effective your defenses you think they are or the level of your security knowledge. Against an experienced hacker any kind of defense is pretty useless even if you are a Fortune 500 company. But let’s have some insights of what happened during that hacking experiment.

The art of deception

In the first part of the hacking there were conducted some “social engineering attacks”. If you want to fully understand what this attack vector is about, I cannot recommend enough the book written by Kevin Mitnick The art of deception which illustrates very clear this “techniques”. Simply it exploits completely the human behavior weakness rather than your computer or your accounts, and it doesn’t have the necessity to use technical elements in theory; so imagine when you combine it with a highly technical hacker in the field. The result is: may God have mercy on you.

The hackers began by compiling a dossier on the victims, using publicly available information like email addresses and social media accounts. Most of this was information publicly available, but some of it wasn’t. (They found a home address, for example, by enlarging and zooming in on a photo somebody posted on Twitter, and using geolocation services like Google maps, they were able to have the address of a victim).

They also called government offices, pretending to be family members of the victims to gather information about local utility services like water, gas or electricity; and also they found Social Security numbers on a “hidden dark site” and recorded the social media activity of each victim. In the end the profile of the targets was made totally.

If they had been malicious attackers, they could have gotten the electricity shut off, or gained access to bank accounts and stole everything. They could also have stitched together several bits of personal information to come up with a convincing cover for a more sophisticated attack. (For example: They saw on Twitter that a victim recently ordered a package from Amazon, then wrote a phishing email from a fake Amazon account to the victim that led to a malicious link where, it claimed, it was needed to confirm the mailing address for customs. The rest is trivial).

For the cherry on the cake, it was conducted a “vishing” (voice solicitation) call to a cell phone company, in which somebody pretended to be a non-existent wife and asked for access to an account. To make the act more convincing, and create sympathy from the customer service representative, the “hacker wife” found a YouTube video of a crying baby and played it in the background, while spinning an elaborate fake story about how the victim was out of the country on business, and how, if she could just get into the account, she could get the information she needed to apply for some urgent transaction she needed. The act worked like a charm: the customer service worker believed the hacker was the victim’s wife, and, over the screams of the YouTube baby noises, not only allowed her to access the account, but allowed her to change the password, effectively gaining control of the account.

The scariest thing about social engineering is that it can happen to literally anyone, no matter how cautious or secure they are. The interconnected nature of digital security means that all of us are vulnerable, if the companies that safeguard our data fall down on the job. It doesn’t matter how strong your passwords are if your carrier is willing to give your information out over the phone to a stranger, because we need to remember the operators of these companies are just people like us, normally not knowing at all about these potential treats.

The other scary thing about social engineering is that it’s incredibly easy. Anyone can do it, all you need is Google, a phone, and some amateur acting skills. Now try to conceive what a skilled technical hacker could do to you.

For tasting a clam you must open the shell

The experiment also involved a technical part for sure, which I will not be describing it deeply as it is not the purpose of this text. The title of this section refers to the word shell. In the hacking jargon a shell is an interface for access operating system services and executing commands. In many ways when you try to hack some system, what you expect ultimately is to pop up a shell, more or less. In this case the hackers executed several scripts aiming the computers and systems of the organization, until they found some attack vectors which they could be exploited. At the end, they could spawn several shells with enough privileges to control entirely the machines of the victims.

Once this shell is stable, taking what they want from the victims was super easy. They installed a keylogger that captured every letter typed, and used it to steal login information. They found personal information, they accessed private networks, they found pics and videos, and also they found access to Google Home and Alexa and used it to spy on the victim’s house through their own smart security systems. They installed programs that snapped photos from the webcams and took screenshots of the laptop’s screen every 2 minutes, and sent them to a server where they could collect and view them.

In few words, they owned their victims in every single way and they could have done unspeakable damage: draining bank accounts, ruining credit scores, deleting years’ of photos, videos, and important data from hard drives, using secrets from email inbox and ruin reputations. Anything, really. Unfortunately we cannot live a hermetic life.

So, can hackers find me?

The answer relies in Privacy/Safety through Obscurity. Basically, the idea is that although anyone can theoretically be hacked by somebody with enough skills and time on their hands, the vast majority of us simply aren’t interesting enough for hackers to care about, but as we need to anyway use some security principles, I will end this post with some minor bullets that can help you to boost up your defenses against online “predators”.

  • Continually check the accuracy of personal accounts and deal with any discrepancies right away
  • Use extreme caution when entering chat rooms or posting personal Web pages
  • Limit the personal information you post on a personal Web pages
  • Carefully monitor requests by online “friends” or acquaintances for predatory behavior
  • Keep personal and financial information out of online conversations
  • Use extreme caution when agreeing to meet an online “friend” or acquaintance in person
  • Use a 2-way firewall
  • Update your operating system regularly
  • Increase your browser security settings
  • Avoid questionable Web sites
  • Only download software from sites you trust. Carefully evaluate free software and filesharing applications before downloading them
  • Don't open messages from unknown senders
  • Immediately delete messages you suspect to be spam
  • Use antivirus protection
  • Get antispyware software protection