ADVERTISEMENT

The Daily Mail asked us to hack their journalists. Here's what went wrong

Daily Mail vs CyberNews
Edvardas Mikalauskas
Edvardas Mikalauskas Senior Researcher
Sep 9, 2020 Updated: 28 September 2021 10 min read
It’s all about the journey, not the destination, right?

About this experiment

Preparations and preliminary data gathering: so far, so good

Data gathering

What should have happened?

What actually happened?

  • Phishing campaign
  • Password reset attack
  • Vishing campaign
  • SIM swapping attack

How to make sure it doesn’t happen to you?

  • Always be cautious about who you befriend and what you post on social media. You never know when a new "friend" may, in fact, not be a friend at all. This “friend” might actually be a cybercriminal who may just want to learn more about you and use what they learn for their own malicious purposes.
  • Share responsibly. Avoid sharing your personal information online whenever possible. Otherwise, merely googling your name may be all it takes for an attacker to obtain data that they then will be able to use against you. Interestingly enough, sharing responsibly was exactly how one of The Daily Mail journalists managed to avoid our attacks. We were not able to find any of her data online that would be useful for launching cyberattacks against her. If you want to avoid being targeted by cybercriminals in the future, make sure to follow her example.
  • Use strong passwords and/or password managers. Your passwords should be at least twelve characters long and include a combination of symbols, letters, and numbers. We also suggest using passphrases, which are harder to guess but easier to remember than complex passwords. Or, even better, use a password manager to generate and store the passwords for you.
  • Organizations should conduct security awareness trainings. These trainings usually cover basic safety tips, as well as some more advanced techniques that help employees have a better understanding of how to avoid becoming a target for cybercriminals.

1. Phishing campaign: defeated by spam filters

How phishing works
The hand-crafted phishing email we sent to the journalists
The fake PayPal phishing website we set up for the journalists

What should have happened?

What actually happened?

In other words, our phishing campaign failed.

How to make sure it doesn’t happen to you?

  • Think twice before opening an attachment or link. Before clicking on anything in any suspicious email message that lands in your inbox, confirm with the sender that they did indeed send it. If you don’t know the sender, it's best not to open the email at all.

2. Password reset attack: Google’s customer support from hell

How password reset attacks work
ADVERTISEMENT

What should have happened?

What actually happened?

So much slower, in fact, that we never received the follow-up email from Google.

How to make sure it doesn’t happen to you?

  • Use two-factor authentication (2FA). Most online services keep your 2FA on even after resetting your password, which means that even if your password is reset by a cybercriminal, your online account will probably still be safe if you have 2FA enabled.
  • Make answers to your security questions difficult to guess. Don’t use answers that cybercriminals can find out by googling you on the internet, such as your mother’s maiden name, your birthday, your place of birth, etc. Make sure to come up with something personal and unique to keep attackers off your accounts.

3. Vishing campaign: foiled by an American accent

How vishing works

What should have happened?

What actually happened?

How to make sure it doesn’t happen to you?

  • Most services won’t ask for your personal information. If you are getting a call from a company, and they ask you to confirm your personal details, you can safely assume that it’s a scammer who already has your data on hand. Legitimate companies will never ask you for sensitive details over a phone call.
  • Scammers will try to pressure you to act immediately. Don’t. You can always request to continue the conversation over email or use a secure contact form on the company’s official website, which was exactly what one of the Daily Mail journalists asked us to do. Criminals will rarely have an answer to such requests.

4. SIM swap attack: the delivery that wasn’t

How SIM swapping works

What should have happened?

What actually happened?

That’s right: the delivery service simply failed to deliver the SIM card.

How to make sure it doesn’t happen to you?

  • Use app-based two-factor authentication (2FA). The best defense against SIM swapping is to stop using SMS-based 2FA, as such passcodes would be sent to the duplicate SIM card in the attacker’s possession. However, if you use a dedicated 2FA app such as Google Authenticator and your SIM card gets replaced by a malicious actor, they won’t be able to access your 2FA app from another phone, which would defeat the purpose of the SIM swap attack.

Conclusion

“Everyone has a plan until they get punched in the mouth.”
Mike Tyson
ADVERTISEMENT