A professional hacker explains how he dupes people into clicking on malicious links
At the highly technical Infiltrate hacking conference, a pen tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a client's system is to bait an employee into clicking on an infected link in a seemingly innocuous email.
"People love to click on that blue line," Ray Boisvert, a veteran of Canada's intelligence services, told Business Insider at the conference.
From there, the hacker for hire can acquire the employee's username, passwords, and other sensitive information - which can lead a hacker into the company's system.
This tactic, known as "phishing," can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool.
Unlike criminals sending emails about winning $1 million from Nigeria, sophisticated hackers spend time learning what they can about their target in order to craft an email - and a persona - that will look authentic enough for the victim to trust.
How it's done
Sean Gallup/Getty Images
He would scour LinkedIn looking for the least cyber-savvy airline employees, such as those who work in non-technical areas and new hires unlikely to recognize an atypical email.
The infiltrator will then try and guess the employee's email address by learning the format of a typical address for that company (i.e., x.name@company.com) and sending out messages repeatedly until they stop bouncing back.
After attaining the victim's email address, the hacker looks to social media to learn as much as possible about his target's professional background, friends, and general interests. In this way, he can customize the phishing email as much as possible - even posing as one of the victim's closest friends (profile picture included) - to make it look familiar and increase the odds that the target will trust it.
The penetration tester we spoke with said that he could use a complicated exploit to get into a system, but he often doesn't because phishing often works.
He also noted that the tactic is highly illegal when done outside of a professional environment.
- Saudi Arabia wants China to help fund its struggling $500 billion Neom megaproject. Investors may not be too excited.
- I spent $2,000 for 7 nights in a 179-square-foot room on one of the world's largest cruise ships. Take a look inside my cabin.
- One of the world's only 5-star airlines seems to be considering asking business-class passengers to bring their own cutlery
- Experts warn of rising temperatures in Bengaluru as Phase 2 of Lok Sabha elections draws near
- Axis Bank posts net profit of ₹7,129 cr in March quarter
- 7 Best tourist places to visit in Rishikesh in 2024
- From underdog to Bill Gates-sponsored superfood: Have millets finally managed to make a comeback?
- 7 Things to do on your next trip to Rishikesh