Your company suddenly loses a huge amount of money. Your personal or corporate email account gets hijacked. You lose control of your social media accounts. You cannot quite figure out what happened.
Although this is not yet a common phenomenon in Kenya, it's only a matter of time before we start hearing of online fraud incidents as banking moves online and technology becomes more ingrained in our daily lives.
I bet you have watched lots of movies involving hacking and cyber crime, with images similar to the screen below, and suddenly, boom! someone has lost all the funds in their account or can no longer access their email or social media accounts. How exactly does it happen?
The first stage is reconnaissance. Think of this as the attacker getting to know you a little too well. The scary bit is that you help them by unwittingly volunteering the information. This is the domain of Open Source Intelligence (OSINT): the attacker builds a profile of the target, in this case you or your company, entirely from publicly available sources.
I am talking about those selfies you post regularly with the location tagged – You’ve helped the attacker map out places you frequent a lot and what times you’re at what specific location.
Those tweets ranting about where you work – Your attacker now knows where you spend most of your day.
Those tweets to your bank ranting about poor service, in which you sometimes disclose your branch and account number – You've just handed the attacker your bank, branch and account number.
Those Facebook posts about what you’ve planned for the epic weekend – Very kind of you to tell the attacker exactly where you’ll be.
That Facebook post from your favorite band asking you to post your number in the comments section so as to be added to their exclusive WhatsApp group – The attacker now knows your phone number.
Those details you write down in that 4-quire book when entering a building…hehe – You’ve just added your National ID number to the list.
And on and on…you get the picture by now 🙂
The attacker now has a gold mine: he knows your personal details, your work and social life, your interests and so on. From there on it's just a matter of tailoring his approach. He could befriend you and gain your trust by exploiting the intimate knowledge he has of you, or take advantage of a weakness he has identified, such as the fact that you love the free wifi at your favorite coffee place 🙂.
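To make the reconnaissance stage concrete, here is an added example (it is not code from the original post or from AfricaHackOn) of what an attacker does with those location-tagged posts: cluster them into places and read off when the target is usually at each. The posts below are constructed sample data with made-up coordinates, and the 200 m radius used to decide that two posts are the same place is an assumed value chosen to absorb typical phone GPS error.

```python
from collections import Counter
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample data, not real posts: (ISO timestamp, latitude, longitude)
# as an attacker might scrape them from geotagged photos and check-ins.
POSTS = [
    ("2015-06-01T08:05:00", -1.2921, 36.8219),  # weekday morning, same spot
    ("2015-06-02T08:10:00", -1.2922, 36.8220),
    ("2015-06-03T08:02:00", -1.2920, 36.8218),
    ("2015-06-04T17:30:00", -1.2921, 36.8221),  # same spot, one evening
    ("2015-06-06T20:15:00", -1.3032, 36.7073),  # Saturday night, second spot
    ("2015-06-13T20:45:00", -1.3033, 36.7074),
    ("2015-06-07T12:00:00", -1.2195, 36.8860),  # one-off visit elsewhere
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points given in degrees."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def cluster_posts(posts, radius_km=0.2):
    """Greedy clustering: a post joins the first cluster whose centroid is within
    radius_km, otherwise it starts a new cluster. radius_km (assumed 200 m) is
    the distance below which two posts are treated as the same place."""
    clusters = []
    for ts, lat, lon in posts:
        for c in clusters:
            if haversine_km(lat, lon, c["lat"], c["lon"]) <= radius_km:
                c["posts"].append((ts, lat, lon))
                n = len(c["posts"])
                c["lat"] += (lat - c["lat"]) / n  # running-mean centroid
                c["lon"] += (lon - c["lon"]) / n
                break
        else:
            clusters.append({"lat": lat, "lon": lon, "posts": [(ts, lat, lon)]})
    return clusters


def profile(posts, radius_km=0.2):
    """Rank places by visit count; for each, report the hour of day the target
    is most often there and which weekdays were seen. This is the attacker's
    'pattern of life' for the target."""
    out = []
    for c in cluster_posts(posts, radius_km):
        hours = Counter()
        days = Counter()
        for ts, _, _ in c["posts"]:
            dt = datetime.fromisoformat(ts)
            hours[dt.hour] += 1
            days[dt.strftime("%a")] += 1
        out.append({
            "lat": round(c["lat"], 4),
            "lon": round(c["lon"], 4),
            "visits": len(c["posts"]),
            "top_hour": hours.most_common(1)[0],  # (hour, count)
            "days": dict(days),
        })
    return sorted(out, key=lambda d: -d["visits"])


if __name__ == "__main__":
    for place in profile(POSTS):
        print(place)
```

Run against the sample data, the first entry is a spot visited four times, three of them around 08:00 on weekdays (a morning coffee place), and the second a spot visited on Saturday nights. Nothing here required a password or an exploit; the posts alone gave up the routine.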
Next comes the attack
If the attacker collected the right kind of information about you at the recon stage, the attack itself becomes easy. The easiest route is to exploit naturally trusting human nature, which goes by the name Social Engineering.
So you never miss a Sofapaka match – The attacker sends you a link offering a chance to win season tickets; click on it and your computer gets infected and taken over.
So you're looking for a new job – The attacker sends you a PDF document promising an awesome job opportunity; open it and your device gets compromised.
With a bit of creativity there are several ways your device can be taken over, and from there he can easily get what he's after: passwords and other confidential information.
How do you prevent all this?
First, be careful about the information you reveal publicly, especially in this age of social media. What seems harmless now may be exactly what the attacker uses against you.
Be alert to social engineering, whether it's those fishy links promising a chance to win an iPhone or some guy trying to trick you into revealing confidential information after first gaining your trust.
Limit other people's access to your devices, and be wary of plugging in external devices, especially unknown ones. That flash disk you just happened to stumble upon may have been left there intentionally.
Be cautious on the internet and don't blindly install applications on your devices; those cool free screensavers probably do a lot more than advertised.
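The "fishy link" advice can be turned into a check you actually run. The following is an added example, not code from the original post or from AfricaHackOn: it pulls every link out of an HTML email and flags the classic lure tricks, namely visible text that names one domain while the href points somewhere else, a raw IP address as the host, and a fake "trusted" host placed before an @ sign so the browser really connects to what comes after it. The message is a constructed sample; the domains under .example and .test and the 203.0.113.0/24 addresses are reserved for documentation and do not exist.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not a real phishing email.
SAMPLE_EMAIL = """
<p>Congratulations! Claim your season tickets:</p>
<a href="https://www.sofapaka.example/tickets">www.sofapaka.example</a><br>
<a href="http://sofapaka.example.win-tickets.test/claim">sofapaka.example</a><br>
<a href="http://203.0.113.9/season">Claim your season tickets</a><br>
<a href="http://www.sofapaka.example@203.0.113.9/login">Login</a>
"""

# Visible link text that itself looks like a domain or URL.
LOOKS_LIKE_DOMAIN = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:[/:].*)?$", re.I)
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def norm_host(host):
    """Lower-case and drop a leading 'www.' so display text and href compare fairly."""
    return re.sub(r"^www\.", "", (host or "").lower().rstrip("."))


def assess_link(href, text):
    """Return the reasons a link looks like a lure; an empty list means nothing odd."""
    u = urlparse(href)
    host = u.hostname or ""
    reasons = []
    if u.scheme not in ("http", "https"):
        reasons.append(f"unexpected scheme {u.scheme!r}")
    if u.username is not None:
        # http://trusted.example@evil/ : the browser connects to 'evil';
        # everything before the @ is treated as a username and ignored.
        reasons.append(f"credentials before @ hide the real host {host}")
    if IPV4.match(host):
        reasons.append("raw IP address as host")
    m = LOOKS_LIKE_DOMAIN.match(text)
    if m and norm_host(m.group(1)) != norm_host(host):
        reasons.append(f"visible text says {m.group(1)} but link goes to {host}")
    return reasons


def scan_email(html):
    """Return [(href, text, reasons)] for every link in the message."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, text, assess_link(href, text)) for href, text in parser.links]


if __name__ == "__main__":
    for href, text, reasons in scan_email(SAMPLE_EMAIL):
        print(("LURE " if reasons else "ok   ") + href, reasons)
```

Only the first link in the sample passes; the other three are flagged for the mismatch, the bare IP and the @ trick respectively. The same habit works by hand: hover over a link and compare what the status bar shows with what the text claims before clicking.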
Attend the AfricaHackOn Conference on July 31st at the iHub for demonstrations on this and much more. Tickets will be on sale soon!