Tag Archives: Phishing


The Case of Ashley Madison and the Dark Room.


A Blog Noir by Vigne Kozacek and Gary Sharpe.

The scene: a room in near darkness. A figure, seated, visible only by the glare of computer screens. He sits forward, intensely observing the dark web’s data streams. He already knows from the patterns of activity that something big is about to go down.

He is waiting but primed for action, watching for a Name. His traps are pre-prepared: small programs ready to record all the keystrokes on any computer they can infiltrate. These short pieces of code are also lurkers in the darkness. Just like him, they are thieves. Stealers of usernames, passwords, website activity. His prey are usually blind to these lurking bots which compromise their machines.

The word from the criminal network is that it’s about to be Open Season. Big Game Season. If the lowdown from his contacts is right, he will not need the dark room for a while; he can emerge, spend a few days in the light. Indulge his online shopping addiction, buying directly from the bank accounts of his prey, ever protected by the cover of a mailing address in countries where the laws of the internet are not enforced. Then, once he has extracted what he needs to satisfy the addiction, he will sell the stolen identities on to his ready and hungry buyers, at a premium. Medical records are his biggest earner on the digital data Black Markets.

He sees it now. The Name is out on the Dark Web.

He jumps up, the chair falls backwards. He can’t believe it. It’s big. Really big. For him, it’s pure, black gold. They’re broadcasting the List itself on the dark network.

His cold, calculating mind is already processing the numbers. His lottery win is the published List on the dark web, but the List itself is irrelevant to him. He’s a thief himself, not one of his buyers. The numbers are astronomical. He runs through them again. He reckons a few million people are about to unwittingly install his program on their computers.

He sets his traps in the massive email lists he’s stolen over a criminal lifetime and camouflages them with quickly rendered but professional-looking websites. He baits the traps with a sign. The sign reads “we’ve got the list and we’ve made it searchable – find out if anyone you know is on it – click here”. That click, the link, is how the crime is done. With each click-through, a lurker program goes back up the link, on to the prey’s computer, ready to steal everything which is typed. He checks his numbers again. Yes, he’s sure. His success rate will be in the millions. Not just those on the List, but anyone with a need or desire to look. The silence of the room is briefly broken as he mutters “…Journalists… Lawyers…”.

He sets about his work.

It’s later now.

His work is now done, all the traps set, so he sits back again, returns to just watching the screens. Waiting for the first traps to close.

He watches the public newsfeeds now too, monitoring the internet for the first mentions of the Name. He doesn’t have to wait long to see it everywhere.

…“Ashley Madison”… “Ashley Madison”…

In the dark room, the figure is sitting, waiting, watching. It’s too dark to see the cold smile on his face.


IT Security Explained: Phishing.

In this, my new series of blog posts, it is my aim to make IT Security issues accessible to all. A kind of “…. For Dummies” series. I hope these are useful and that they will be helpful to business users in particular.

We begin with “Phishing”.

Phishing is a term which is a play on the word “fishing” – the analogy holds well. The “hackers” (fishermen) cast their line and nets (typically by sending mass email) into their online “ponds” of large email lists where their prey await (unwitting online users). These emails sound enticing to some and, like a trout fisherman’s fly or pike fisherman’s lure, they appear to the targets to be, to all intents and purposes, something they are not. Beware: for they hide a very barbed hook.

These cyber attacks usually work like this: the email contains a link or button which it tries to entice you to click. Clicking on the link will take you to a website which is usually a pretty good copy of a legitimate website, asking you to verify your account information, for example. When you enter your account details and password, this information is recorded on the fake site and then the hackers have it. They may use it to log into the legitimate account whose site they faked. Worse still, they can then potentially access other accounts where you use the same login details. Indeed, these days virtually all our accounts are online and, instead of having different passwords and usernames for each, it is all too tempting to use the same details across many accounts. So if a Phishing attack is successful, you often don’t give them access to just one account: they will try the same details on multiple sites. For example, if you have an eBay account and you inadvertently release your password to a Phishing scam, they may now also have access to your email, Amazon, Apple, Google, bank account, etc., if you have not protected yourself by having different login details for each account or, at the very minimum, enabled “two-factor authentication” (covered in a future post).

As an example, in 2003 a successful phishing campaign was conducted against eBay customers. Millions of emails were sent out to potential eBay customers stating that they needed to verify their details immediately or their account would be suspended, and thousands if not millions of people clicked the link and gave their details away. That same year the U.S. government reported that 9.9 million U.S. residents were the victims of “Identity Theft” (to be covered in a future post); the cost to businesses was $48 billion and the cost to customers $5.5 billion.

Something else that can occur when you click on one of these links is that software created by the attackers can be downloaded onto your computer and sit in the background without your knowledge. This software can have almost endless capabilities, anywhere from recording every key press (which can also capture your login details for everything you log in to) to giving full remote control of your computer to an attacker, allowing the attacker to use your computer as if he/she was sitting at the keyboard.

I am aware of many companies that have been compromised in this way.

What to Do?

If you receive an email or text message purporting to be associated with one of your accounts, do not ever click on any links. Instead, go to your browser and browse to the actual company website referred to in the message, not through URLs contained in the email, but by internet searching for the company’s official web page. Find the section that refers to Phishing and Scams (most reputable companies have details of the latest phishing scams as well as an email address where you can forward the message that you have received). Also check the company’s email policies – many will say “we will never ask for your details by email”, for example. If you are still concerned about your account, contact the company directly using the contact information provided on their website. I strongly recommend that you do forward the information on to the company, as they will use the information from the message you received to help protect other customers and as potential evidence when/if they manage to track down the attackers.

In summary: read the message received carefully and, if it is encouraging you to click on a link, verify it with the company before you do. Make it part of your online routine to keep checking the scams page of companies that you use often. This will also help you to grow more familiar with the types of emails in circulation and help you more quickly recognize Phishing scams and suspicious messages when they arrive. Indeed, there is rarely any reason for clicking directly on a link in an email, and if there is any doubt, it is advisable not to do so.

If you found this informative or useful, as my first go at this I would appreciate it if you would share it.

Thanks to Gary Sharpe for his editorial assistance.