It’s commonplace for people to post photographs and videos from their everyday lives to their social media profiles, but such user-generated content can pose major security issues. Social media is great for gathering information about people. Here’s how hackers gather and exploit precisely this information.
Gathering Intelligence Is the First Step to Hacking
The first thing hackers do before attacking a system is gather information. Sometimes this process can take minutes, hours, months, or years. This time period varies according to the capacity of the target system, the number of employees, the size of the attack, and defensive measures. The aim here is to identify all the weaknesses of the target system and to create an attack strategy.
For example, imagine a person whose Instagram username is victimuser, who has a company email address on the domain example.com and has bought a plane ticket to go on a business trip abroad. Turns out, victimuser is very excited about this and decides to upload a photo to share the excitement with followers and friends on Instagram. In this photo, a certain part of the plane ticket can be seen. Uh oh. This is very useful information to a hacker.
Although the entire flight ticket is not visible in the photo shared by victimuser, each company’s ticket looks different, so the hacker can work out which company issued it. Then, the hacker will read the description under the photo. If victimuser shared the flight date and time, the hacker’s job will be easier. But even if this information isn’t publicly available, the hacker can pretend to be a customer, visit the official website of the flight company, and examine the flight plans. This means that hackers can predict the day and time of victimuser’s flight.
At this point, the hacker starts to think about attack vectors while victimuser continues to think that they are making an innocent post.
Using the power of Google, the hacker starts to search for tickets issued by the flight company identified from victimuser’s post. The first step the hacker will take is Google dorking.
With Google dorking, you can search for specific file extensions on a given site. In this case, the hacker searches for PDF files from victimuser’s flight company. The hacker downloads one of these PDF files and manipulates it to serve their needs.
Some hackers deceive and defraud target users through a process known as social engineering. At this stage, the hacker will create a realistic email address and accompanying body text. They can then attach a modified PDF file containing malware. If victimuser opens this email, the hacker has achieved their goal.
If the hacker knows victimuser’s flight time and day, of course, the fake email will be much more realistic, but most of the time, this may not even be necessary. If there is a membership system on the flight company’s site, the hacker can become a member and receive an email from the flight company. This will help the hacker learn the email HTML layout and style used by the flight company.
After preparing the fake email, the hacker will now need to obtain an email address with a domain belonging to the flight company, but this is almost impossible to do. That’s why the hacker prepares a fake flight company email address. They may display a different email address in front of an ordinary email account to mask it, and unless the target user clicks on the displayed address, they don’t see the real email address behind it. It’s an easy trick to fall for.
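A mail filter can catch the masking trick described above by comparing what the From header displays with the address that actually sent the message. The Python check below is an added example, not part of the original article; the sample messages, the brand list in TRUSTED_SENDERS and all .example domains are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")

# Assumption: brand names mapped to the domains they really send from.
TRUSTED_SENDERS = {"example airlines": {"airline.example"}}


def check_from_header(raw_message):
    """Return findings where the displayed sender disagrees with the real one."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    real_domain = addr.rpartition("@")[2].lower()
    findings = []

    # Case 1: the display name itself looks like an address on another domain.
    shown = EMAIL_RE.search(display)
    if shown and shown.group(1).lower() != real_domain:
        findings.append(f"display shows {shown.group(0)}, sender is {addr}")

    # Case 2: the display name uses a brand, but the domain is not the brand's.
    for brand, domains in TRUSTED_SENDERS.items():
        if brand in display.lower() and real_domain not in domains:
            findings.append(f"'{brand}' name used by {real_domain}")
    return findings


# Constructed sample messages (not real traffic).
MASKED = ('From: "tickets@airline.example" <billing@mail-airline.example.net>\n'
          "Subject: Your flight documents\n\nbody")
BRAND = ("From: Example Airlines Support <noreply@ex-airlines.example.org>\n"
         "Subject: Action required\n\nbody")
LEGIT = ("From: Example Airlines <tickets@airline.example>\n"
         "Subject: Your e-ticket\n\nbody")

if __name__ == "__main__":
    for name, raw in (("masked", MASKED), ("brand", BRAND), ("legit", LEGIT)):
        print(name, check_from_header(raw) or "no findings")
```

The check looks only at the From header, so it complements sender authentication results such as SPF, DKIM and DMARC rather than replacing them.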
After the hacker has prepared a fake email address, there is only one step left: find out victimuser’s email address. The hacker can turn to the forgot password option for this.
After using the forgot password option, the hacker can discover the email domain name of the targeted user. In this example, victimuser has a domain named example.com and appears to have an email address like email@example.com. Of course, the hacker can immediately understand that the part marked with * is the username of victimuser. If it weren’t that simple, the hacker could have searched with Google dorking to see if there are other email addresses with the domain example.com. However, now the hacker has victimuser’s email.
How Things Look From the Victim’s Perspective
An urgent email comes to victimuser, and this email is so convincing that victimuser falls into this trap. After all, this email contains the flight ticket, flight information, and important flight policies. Also, the email address looks like the email address of the flight company. Everything seems legit.
Moreover, since victimuser will be making this flight for a business trip, they take this email seriously. At the bottom of the email, there is a link such as “documents you need to fill to complete your flight procedures”. As soon as victimuser clicks on this link, the hacker gets what they’re after.
What Does This Story Tell Us?
Most of us are no different from victimuser, and it’s important to be aware of this. The mistake victimuser made in this example scenario was to publicly share ticket information, which is personal and private information. And here’s the thing: this was a true story. So think twice before sharing information related either to your business or personal life.