A professional hacker explains how he dupes people into clicking on malicious links

Advertisement

When it comes to finding security holes in a company's information system, professional penetration testers start with what is often the company's biggest and clearest vulnerability.

Advertisement

At the highly technical Infiltrate hacking conference, a pen tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a client's system is to bait an employee into clicking on an infected link in a seemingly innocuous email.

"People love to click on that blue line," Ray Boisvert, a veteran of Canada's intelligence services, told Business Insider at the conference.

Complimentary Tech Event
Transform talent with learning that works
Capability development is critical for businesses who want to push the envelope of innovation.Discover how business leaders are strategizing around building talent capabilities and empowering employee transformation.Know More

From there, the hacker for hire can acquire the employee's username, passwords, and other sensitive information - which can lead a hacker into the company's system.

This tactic, known as "phishing," can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool.

Advertisement

Unlike criminals sending emails about winning $1 million from Nigeria, sophisticated hackers spend time learning what they can about their target in order to craft an email - and a persona - that will look authentic enough for the victim to trust.

How it's done

laptop computer working focus

Sean Gallup/Getty Images

The pen tester in Silicon Valley described a scenario in which he would be looking for information security vulnerabilities in a major airline.

He would scour LinkedIn looking for the least cyber-savvy airline employees, such as those who work in non-technical areas and new hires unlikely to recognize an atypical email.

The infiltrator will then try and guess the employee's email address by learning the format of a typical address for that company (i.e., x.name@company.com) and sending out messages repeatedly until they stop bouncing back.

After attaining the victim's email address, the hacker looks to social media to learn as much as possible about his target's professional background, friends, and general interests. In this way, he can customize the phishing email as much as possible - even posing as one of the victim's closest friends (profile picture included) - to make it look familiar and increase the odds that the target will trust it.

Advertisement

The penetration tester we spoke with said that he could use a complicated exploit to get into a system, but he often doesn't because phishing often works.

He also noted that the tactic is highly illegal when done outside of a professional environment.

NOW WATCH: Kids settle the debate and tell us which is better: an Apple or Samsung phone