Most attacks are a result of simple human errors, so we designed an experiment. I’m about to do something that most people would not willingly do. I’m about to get hacked.
F-Secure presents Adventures in Cyberland, Episode 2: Through the Looking Glass with Linda Liukas
We are about to turn my life upside down, right?
Yes, that’s the plan.
How likely is it for someone to go through an attack like this?
Well, this kind of targeted attack wouldn’t be too probable for like, an ordinary person, but for enterprises, companies, organizations, or people higher up the food chain, I would say that it’s even probable.
Is there anything like a hacker would typically look from say, me?
Basically your job is to go to companies to speak and do stuff, for example, like this one, so you are pretty well known in that regard. So one interesting avenue of attack would be to gain access to your let’s say email and use that to approach companies and gain their trust and, for example, try to attack those companies based on your identity.
Wow, so this could really well snowball into something really good.
Yeah, that’s a possibility.
You really think you can hack me?
Well, I can certainly try, but let’s first sign the paperwork.
Okay, sure why not?
The best method to get in is most likely social engineering, because we’re all human, we make mistakes, and that’s typically a really good way to hack someone. I would say that Linda is in a position that she can basically approach any company globally. People wouldn’t even be suspicious if they receive email from Linda. But the thing is that if Linda has been hacked and if the attacker has access to Linda’s email, then it could actually be the attacker approaching those companies and that will definitely help the attacker because again, it comes down to the trust.
How’s it going?
Mmm… I don’t think I’ve been this nervous or this curious since elementary school.
That is good. So, let’s take a look.
One of the first things we did was figure out Linda’s Gmail address and once we have the email address we can do a search on pipl.com and that will give us most of the social media profiles that Linda has. What I found, Linda also has a wish list on Amazon.com. On January 6th Linda has added an item called TouchThinkLearn ABC which is a board book by a French author. I’m not gonna butcher the name, but if you google that French author there’s not that much information about the guy. Even finding a photo of that guy is super challenging. What we had in mind was that we could pretend to be this French author/illustrator emailing Linda saying that “I’m a big fan, maybe we should have some sort of a cooperation.” Hopefully Linda will reply to the guy and then in the next email the French guy could send for example, a malicious Office document or link to Google Drive and when Linda clicks on the link and she types in her username and her password and then we can steal her Gmail password.
Okay, so we have been targeting you for about a week now, so how do you feel about it?
I definitely noticed myself getting more suspicious about everything and everyone to the point where I think I made a couple of people really angry online by like accusing them of being phishers and attackers. There was someone using like an anonymous, like half anonymous name and saying that I had been doxed so basically someone had published my information online and sending a link. I was like hmm phishing or not? and made that like a Twitter thing, and then the guy got really sad and I felt sad because I had made him sad, but I never clicked the link though.
That was actually us.
Yes! Yes! So you played my empathy.
Yes, we did.
So did you get in, actually?
Mmm…no, we didn’t.
Yes! I win! Round one.
Yeah, that is true.
I’m so relieved. The Amazon thing was great though.
It was really interesting and I probably, because I get a lot of email from random people with very good intentions, I do feel like I maybe would have fallen for that. Yeah, okay, if we would be doing this for the rest of the year for example I would definitely slip. Yeah.
How big a role do human errors play in attacks like this?
Well I don’t know if it’s an error because of course, emails are designed to be opened and read and so on, so that’s the typical way in, but of course there should be other controls in place to protect against this, like, first line of attack. You shouldn’t depend on the fact that people don’t open malicious emails. Anybody is bound to make mistakes.
With enough time and persistence the attackers would have gotten in. Luckily, I was alert and trusted no one, but other people do trust me, which means that the threats are always lurking around the corner. That’s pretty intense. So of course I want to be able to look around the corner and learn how attacks like these get detected. Next stop, Poland.