A hacker case study

An illustration of one instance in which information was accessed or used inappropriately.

The hacker finished his coffee, checked the code one last time, and pressed the ‘execute’ button. As the egg-timer icon appeared on his computer screen, he turned out the light and went to bed. The computer churned away for hours whilst he slept, and finally flashed a ‘completed’ message on the screen.

It had taken him several hours to write the code, but he had finally succeeded.

His first task was to search an Internet website for a list of the most popular names in the UK. This took less than five minutes, and revealed 500 men’s and women’s forenames and almost 1,400 surnames.

The program took each forename and surname in turn and placed them together as a string, so ‘john’ and ‘smith’ became ‘johnsmith’, and then for good measure added a second combination with a dot between them, as in ‘john.smith’. The program then added each of the 20 most popular email suffixes to each combination, which provided a total list of 55 million possible email addresses.

He had toyed briefly with the idea of creating ‘johnasmith’ and ‘john.a.smith’ combinations as well, but decided to leave this for another day and to see how the first batch fared.

He had carefully studied every spam email he had received, seen the obvious grammatical and spelling mistakes they contained, and had crafted his message with precise attention to detail. The typeface, text size and colour were identical to those used by a major UK banking group; their logo was copied from their own website and pasted into the message; the language was carefully chosen, and he was sure that there was nothing in the message text that would arouse suspicion.

Next, using a number of Hotmail accounts, the program began sending out its messages. So as not to trigger alarms on the ISPs’ systems, it changed sending accounts randomly, transmitted to just 20 addresses at a time, all in the blind copy or ‘bcc’ field, and used a very carefully chosen ‘from’ address.

The email invited the recipient to click on the hyperlink at the end of the message to confirm their bank account number, sort code and password. If they did so, the website to which they connected - another computer in the hacker’s house - would record this information and then transmit an email thanking the customer and reassuring them that their account was fully in order and that their banking details were safely stored.

Both facts were true. The customer’s account was perfectly in order, and the hacker was securely storing their details!

He knew that if only one per cent of the email addresses the program had generated were genuine, over half a million people would receive the message; if only one per cent of those actually had an account with that particular bank, more than 5,000 customers would consider responding; and if only one per cent of those actually responded, he would have more than 50 complete sets of banking details.

Did that represent a small return on investment? Maybe, but when you consider what the hacker could achieve with those bank details in terms of fraud, the amount of time he had invested in research and development was well worth the potential return. And this was just one hacker, and just one night’s work.

The risks he faced were very low. If his messages caused an ISP to block one of the many Hotmail accounts, he would simply acquire others. The Internet address to which the target customers might respond would only be active for a few days before he removed it - just long enough to gain valuable information; not long enough to attract too much attention.

In one sense, the example given here, which is taken from Information Risk Management, is pure fiction. It was written simply to illustrate the point that there are people ‘out there’ who want to obtain information and are eminently capable of doing so. The specific methods this fictional hacker used may or may not be entirely accurate, but the principles are, and it only takes a one in a million success rate to get lucky.

If you’d like to read more on this subject, there is a sample chapter available at www.bcs.org/books/irm

See all posts by BCS Books
September 2017