The Daily Mail journalists, willingly hacked by the CyberNews team, said they were alarmed by the results. The ethical hacker behind this attack explained that only a lack of imagination could stop malicious actors from doing anything they want with the data they can easily harvest.
The CyberNews team conducted an ethical hacking experiment in collaboration with The Daily Mail that involved trying to hack three of their journalists during a six-week period. You can read the full report here.
“We thought accessing this kind of data would be harder as they are publicly exposed people who would be cautious about their details,” the ethical hacker behind the Daily Mail attack said.
The Daily Mail journalists who agreed to be hacked by CyberNews were frightened by the results that, according to those journalists, should be a wake-up call for every reader. You can read their full report here.
So you tried to hack three Daily Mail journalists. What were your expectations - how long did you think it would take, and what data you were looking for? CyberNews asked.
Well, my expectations were to find data from oversharing.
Initially our goal was to collect the data that had been overshared on social profiles and find patterns from old leaked passwords.
So you used white hat hacking techniques. How are they different from black hat hacking? And how different could the results have been if you would have used black hat hacking and didn’t have any ethical considerations?
The difference there is that there are communities of criminals that act as one. Together, they offer services and tools to help achieve the same goal - which is profit.
That’s the main issue with this process, we couldn’t give any information about targets to third parties - for their safety. There are certain services that only do one thing, for example: background checks, sim swapping and so on. So, without access to these things, our options are pretty limited, and we have to do everything alone.
You applied 4 different social engineering techniques. Which one was the most interesting for you? Do you need more than just hacking knowledge for social engineering? Some psychological insights?
Well, I can say that psychological insights definitely help – you can notice how the target is reacting, then act accordingly.
It is both an interesting and difficult task to call the targets directly because in most cases you only have one chance. Usually, it never goes to plan so you have to be ready to improvise.
What is special about using social engineering techniques? Did you work at night?
We tried to call the target in the morning. The reasoning behind this is that the target would be preoccupied and less suspicious about our call.
What personal data were you able to obtain using the white hat hacking techniques?
Strictly from oversharing and social media profiles we were able to obtain addresses, dates of birth, phone numbers and even mothers’ maiden names.
What could a malicious actor do with all this data you managed to obtain? What damage could this do to a person whose data has been obtained? Please be explicit about this.
Well, the thing here is that initially you have to launch a sophisticated, targeted attack against the person knowing this kind of data. Then after that only the criminal’s imagination is what’s stopping them from doing anything they want.
Even a small amount of oversharing could lead to a huge financial loss.
You tried to hack three different people. And the results are quite different. Were they easy targets? How might the fact that they knew that something was going on have impacted the result?
We thought accessing this kind of data would be harder as they are publicly exposed people, who would be cautious about their details. Also, we noticed that one of the passwords had been changed quite recently, and the previous password did not work.
This resulted in us not being able to get access to that account.
It might be easier for people to protect themselves from you because you have ethical considerations. But how can someone protect themselves from those black hat hackers who don’t have any ethical considerations whatsoever?
In this case I have three main tips that could save you from these attacks: the most important is to enable two factor authentication (2FA in short) for all of your accounts! Not just payment, but every single account - especially as every account you have can lead to more information about you online.
Next, use a reputable password manager, for every one of your passwords.
Another step is to set all your social media profiles as private, and make sure not to overshare information because every single link for a black hat hacker is a good link!