© 2021 CyberNews

The Daily Mail asked us to hack their journalists. Here's what went wrong
The CyberNews team conducted an ethical hacking experiment in collaboration with The Daily Mail that involved trying to hack three of their journalists during a six-week period.

Since we at CyberNews are focused on educating the public about cybersecurity, we jumped at the chance to experiment with willing participants. And if there’s anything else you should know about us – it’s that we love a good challenge.

While we came across a few bumps (to put it mildly) and did not fully succeed in the end, this experiment has shown how even well-crafted ethical hacking attempts can go wrong due to unexpected customer service bottlenecks, a pinch of healthy skepticism on the part of the target, and other external factors. Even though it might not be a story of triumph, it’s still one hell of a story at that.

It’s all about the journey, not the destination, right?

While The Daily Mail article tells the story from the journalists’ perspective, this report follows our side of the experiment: the somewhat unfortunate experiences of our security experts, along with some helpful tips on how to protect yourself from the types of attacks the CyberNews ethical hacking team carried out against the journalists.

So, here’s how it all went (wrong).

About this experiment

This ethical hacking experiment was performed with the express consent of The Daily Mail. We had six weeks to conduct the experiment. Although the journalists who volunteered to participate did not know when or how they would be attacked, they were informed that the attacks were imminent.

Preparations and preliminary data gathering: so far, so good

Before we initiated the attacks, we had to collect as much data on the journalists online as we possibly could. Acquiring data is essential for any targeted cyberattack because these attacks usually involve leveraging someone’s personal information when trying to infiltrate their personal online accounts.

Data gathering

What should have happened?

To successfully attack the journalists, we needed to know as much as possible about them: their full names, email and home addresses, their interests, etc. We would then use this data as the starting point for our attacks.

For example, by finding out their interests or the names of their pets and family members, we’d have a solid foundation for answering security questions when trying to crack their online account credentials, or for impersonating them when trying to gain the trust of customer support representatives of the online and banking services the journalists were using.

What actually happened?

By combing through their social media, charities, and other less reputable channels such as previous data breaches of the online services they were using, we managed to find quite a lot of data related to most of the journalists we tried to target (with one notable exception – more on that later).

We got their phone numbers, email and home addresses, dates of birth, names and maiden names of their family members, as well as their old passwords for some of the online services they used.

Armed with the data we gathered, we then decided on four attack vectors against The Daily Mail journalists:

  • Phishing campaign
  • Password reset attack
  • Vishing campaign
  • SIM swapping attack

So, that went as well as could be expected. Unfortunately for us, this was the only step of our experiment that went either well or as expected.

How to make sure it doesn’t happen to you?

Basically, a good defense against effective data gathering attempts boils down to not oversharing your personal data online and keeping your online accounts well-protected with strong passwords:

  • Always be cautious about who you befriend and what you post on social media. You never know when a new "friend" may, in fact, not be a friend at all. This “friend” might actually be a cybercriminal who may just want to learn more about you and use what they learn for their own malicious purposes.
  • Share responsibly. Avoid sharing your personal information online whenever possible. Otherwise, merely googling your name may be all it takes for an attacker to obtain data that they then will be able to use against you. Interestingly enough, sharing responsibly was exactly how one of The Daily Mail journalists managed to avoid our attacks. We were not able to find any of her data online that would be useful for launching cyberattacks against her. If you want to avoid being targeted by cybercriminals in the future, make sure to follow her example.
  • Use strong passwords and/or password managers. Your passwords should be at least twelve characters long and include a combination of symbols, letters, and numbers. We also suggest using passphrases, which are harder to guess but easier to remember than complex passwords. Or, even better, use a password manager to generate and store the passwords for you.
  • Organizations should conduct security awareness training. Such training usually covers basic safety tips, as well as some more advanced techniques that help employees better understand how to avoid becoming a target for cybercriminals.

1. Phishing campaign: defeated by spam filters

Our first attack against The Daily Mail journalists was one of the most common attacks used by cybercriminals. Namely, a good old phishing campaign. While millions of people tend to fall for phishing attacks every year, we knew that experienced journalists would prove to be tougher nuts to crack.

How phishing works

Having that in mind, we handcrafted and sent them convincing phishing emails that seemed to originate from PayPal, but actually contained links to a malicious “PayPal” website.

The hand-crafted phishing email we sent to the journalists

The malicious website would ask them to enter their PayPal credentials in order to “resolve an issue…” When a journalist entered their account name and password, the website would save the data and hand it over to us. Brilliant.

The fake PayPal phishing website we set up for the journalists

Having planted the phishing hooks, we sat back and lay in wait…

What should have happened?

The Daily Mail journalists were supposed to receive our phishing emails, follow the links therein and enter their PayPal account details for us to steal.

This would allow us to get access to their precious PayPal accounts, learn their current passwords, and fingerprint the devices they used to access their accounts. With that data in our hands, we would be able to hijack their PayPal accounts and cut them off from the service (as well as potentially steal their money, if we were cybercriminals).

Not only that, but having their PayPal passwords would give us a glimpse of their password creation patterns, which would help us reuse or guess their passwords on their other online accounts.

What actually happened?

A mere 36 hours after we sent out the phishing emails, we got a notice from the service that hosted our malicious website.

To our surprise and disappointment, the notice said that our malicious website had been flagged and taken down by the hosting service. This meant that even if we managed to trick a journalist into clicking the link inside the phishing email, it would lead to a dead end. Not only that, but as we discovered later, our beautiful handcrafted phishing emails were also caught by the infuriatingly effective Gmail spam filters.

In other words, our phishing campaign failed.

With the first hacking attempt botched, we begrudgingly proceeded to our next step…

How to make sure it doesn’t happen to you?

Online threats are often disguised as simple distractions or offers that are too good to be true. Phishers will try to trick you into giving up your personal data by sending you “free” offers, online quizzes, and emails that appear to come from legitimate sources. Don’t let them.

  • Think twice before opening an attachment or link. Before clicking on anything in a suspicious email message that lands in your inbox, confirm with the sender, through a channel other than that email, that they did indeed send it. If you don’t know the sender, it’s best not to open the email at all.

2. Password reset attack: Google’s customer support from hell

The amount of information that we obtained during the data gathering phase was more than enough for us to initiate a password reset attack. This attack would allow us to reset the journalists’ Gmail passwords by guessing the security questions set up on their Gmail accounts, cutting them off from their email service in the process.

How password reset attacks work

To access these accounts, we used the Gmail password reset feature and entered the journalists’ personal information that we obtained during the data gathering phase. Apparently, the data we provided was enough for Google to reset the passwords.

Because the reset process, when performed from a new device, requires manual review from Google, all we had to do now was wait for Google to review our submitted form and send us a follow-up email with the password reset link.

What should have happened?

A successful password reset attack would allow us to access the journalists’ email accounts, as well as any other online platform that was linked to these accounts.

This would be a great foothold for us to have, as people tend to use the “Sign in with Google” feature to easily access many of the online services they use, including social media and blogs, as well as various paid services.

What actually happened?

Having passed Google’s verification process, we were certain that we would receive the password reset link in no time. But as time passed, our hope began to dwindle.

Apparently, Google was having difficulties with manually reviewing password reset requests due to the coronavirus pandemic, which meant that their service was slower than usual.

So much slower, in fact, that we never received the follow-up email from Google.

And – get this – there was no way we could appeal or hasten the process!

For us, this was merely an experiment without any negative real-world consequences. But we can only imagine how excruciating the wait would be if we had actually forgotten the password for one of our personal Gmail accounts, tried to reset it from a new phone, and Google then took weeks to respond.

Ironically enough, reports from the dark web indicate that many cybercriminals are experiencing the very same problem, with Google often failing to follow up with password reset requests. This has led multiple scammers to give up on using this type of attack altogether, at least until the situation improves.

It seems that there’s a bright side to everything, doesn’t it?

How to make sure it doesn’t happen to you?

Protecting against password reset attacks is actually pretty simple and mostly involves common sense security measures:

  • Use two-factor authentication (2FA). Most online services keep your 2FA on even after resetting your password, which means that even if your password is reset by a cybercriminal, your online account will probably still be safe if you have 2FA enabled.
  • Make the answers to your security questions difficult to guess. Don’t use answers that cybercriminals can find out by googling you, such as your mother’s maiden name, your birthday, your place of birth, etc. Come up with something personal and unique (or treat the answer as a second password and store it in your password manager) to keep attackers off your accounts.

3. Vishing campaign: foiled by an American accent

As our initial phishing attempt got thwarted by a bunch of spam filters and an annoyingly vigilant hosting service, we decided to target The Daily Mail journalists with a type of phishing attack that no robotic spam filters can ever hope to block – a vishing campaign.

How vishing works

Before calling the journalists, we came up with a devilishly convincing customer support call script that would hopefully lead us to the precious PayPal account credentials we tried to acquire with our previous phishing attempt.

With a solid script in hand and our most eloquent team member on the phone, we dialed the journalists’ personal phone numbers, which we found by scraping their social media profiles. Third time will surely be the charm, right?

What should have happened?

In a perfect world, calling the journalists disguised as a PayPal customer support representative and successfully tricking them into believing our spiel would allow us to gain access to their PayPal accounts, and they would be none the wiser.

However, as we would soon discover, we don’t really live in a perfect world of incredibly lucky hackers and surprisingly gullible journalists. We do, however, appear to live in a world full of the unexpectedly vacationing and the financially literate.

What actually happened?

As it turns out, the journalist we decided to call first was the worst possible candidate for this type of attack that we could think of. She knew the ins and outs of financial services and their operating procedures like the back of her hand, and she knew that calls like this are not supposed to happen. In fact, she even wrote a column about our failed attack, thinking the call came from some random scammer.

After being foiled by our team member’s American accent and the journalist’s superior education, we proceeded to try our luck with another journalist.

This journalist… simply didn’t answer our calls. Apparently, he was enjoying his vacation and decided to not take any calls from unknown numbers.

Another swing, and another miss…

How to make sure it doesn’t happen to you?

Sometimes, it can be difficult to tell when you’re being vished by a cybercriminal. Thankfully, there are some red flags that can help you spot potential fraudsters:

  • Most services won’t ask for your personal information. If you get a call from a company and they ask you to confirm your personal details, you can safely assume that it’s a scammer who already has some of your data on hand. Legitimate companies will never ask you for sensitive details in a call they initiated.
  • Scammers will try to pressure you to act immediately. Don’t. You can always request to continue the conversation over email or use a secure contact form on the company’s official website, which was exactly what one of the Daily Mail journalists asked us to do. Criminals will rarely have an answer to such requests.

4. SIM swap attack: the delivery that wasn’t

Since we couldn’t fool a journalist by impersonating a customer support representative, we knew we had to try the reverse approach. And that’s exactly what we did.

Our brand new approach involved fooling a customer support representative by impersonating a journalist, calling their mobile carrier and ordering a secondary SIM card in their name. Clever, huh?

How SIM swapping works

Unfortunately, we didn’t have any deeply sensitive personal information such as passport details or social security numbers that would allow us to impersonate the journalists convincingly enough for the customer support agents to believe us outright. Fortunately, we had a cunning plan.

Our cunning plan was to keep calling customer support until we bumped into a support agent who was distracted, lazy, or tired enough to accept the personal data that we did have: a name, a phone number, or some other relatively superficial piece of personal information would have to do the trick.

So, armed with less than ideal tools, we proceeded to call the mobile carrier customer support line…

What should have happened?

Obtaining the journalists’ SIM cards would essentially mean that we now controlled their phone numbers. Any SMS verification code or phone-based login check sent to those numbers would reach the SIM in our possession, which would allow us to access their social media and email accounts that relied on phone-based authentication.

What actually happened?

It took us 21 phone calls, but in the end, we successfully convinced a customer support agent that we were one of the journalists simply by giving them “our” phone number. We then asked the agent to ship the card to us and informed them that the card would be picked up by our colleague. The support agent obliged.

We then waited for the delivery service to ship the SIM card to us so we could initiate the actual attack. And waited. And then we waited some more. And then… nothing happened.

That’s right: the delivery service simply failed to deliver the SIM card.

Our hacking experiment had a deadline, and the SIM card did not arrive on time, even though we did manage to successfully convince the support agent to send it out. Shocking, we know.

How to make sure it doesn’t happen to you?

SIM swap attacks are somewhat difficult to protect against. Fortunately, criminals rarely use this type of attack against the average user due to the high cost and effort involved. While there’s no guaranteed protection against your SIM card being replaced, there’s one trick that the swappers will surely hate:

  • Use app-based two-factor authentication (2FA). The best defense against SIM swapping is to stop using SMS-based 2FA, as such passcodes would be sent to the duplicate SIM card in the attacker’s possession. If you instead use a dedicated 2FA app such as Google Authenticator, the codes are generated from a secret stored on your phone rather than delivered to your phone number, so even if a malicious actor replaces your SIM card, they won’t be able to produce your codes from another phone, which defeats the purpose of the SIM swap attack.

Conclusion

At the end of the day, this experiment was a valuable learning experience, both for our ethical hacking team and for the Daily Mail journalists. While the planning and data gathering phase went relatively well, the attacks showed that execution can fail because of bad luck or circumstances outside your control. We expected some of our attacks to miss because of outside factors; what we didn’t expect was the unending string of misfortunes that befell our team throughout the entire process.

“Everyone has a plan until they get punched in the mouth.”

Mike Tyson

Fortunately for the Daily Mail journalists, our attacks, even though mostly unsuccessful, were merely part of an ethical hacking experiment. We avoided using black hat tactics like ransomware deployment or malware injection, as these could cause actual harm to the journalists or their hardware.

With the amount of publicly available information that we found on most of our targets, cybercriminals without ethical constraints would have no qualms about, or difficulty with, infecting their devices with malware to cause real damage, including stealing money from their bank accounts and cryptocurrency wallets, or crippling their devices with ransomware. Unfortunately, this keeps happening to thousands of unsuspecting users every day.
