Setting up to leave the back door open.

This stage could be done from multiple methods.

• Physical penetration of the target location (gaining access by covert entry or using social engineering to trick staff or security in letting you in)

• Remote access via brute force attack
(A brute-force attack consists of an attacker submitting many passwords or passphrases with the hope of eventually guessing correctly. The attacker systematically checks all possible passwords and passphrases until the correct one is found, giving them access to the system.)

• Remote access via social engineering or phishing attacks.
(What is a phishing attack. Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message, that would look like it’s coming from a trusted source. This would contain code that would compromise the system.)

There are many options available for hackers to gain access to systems this is often referred to as “creating a back door”

In this blog, we won’t be covering how to code or indeed the methods of hacking.

We will cover some of the methods used to gather information about a person or organization in order to exploit weakness in their system’s security.

Good intelligence dramatically increases your chances of gaining access.

So by understanding the methods used to compromise personal and business I.T systems we can start by using already available resources such as social media or direct interaction with the target.

Social media sites uncover lots of information on an individual or organization.
For example, someone’s LinkedIn profile may have details on their positions within the company, contact details and email addresses ect. All that could be used to access the system.
Facebook profiles are even more useful as we tend to post more personal information on them, things like birthdays, family members, favorite football team ect. All great information that a hacker can use.

So how do we use this?
Here is an example to see this process in action.
The target location is an energy supply and research company.
The task job role is to gain access to the main computer system.
By researching the company and its staff you have found that they are using Microsoft Windows with their main office space and Apache Linux operating system for the server and technical part.
The methods that we could use to acquire this information could be any of the following.

Direct contact for example pretending to be from a supply company or contractor and noting the details from your visit.
Covert surveillance methods such as looking through windows from a distance to spy on staff using computers on site. (This is especially useful for acquiring passwords or personal information.)

Indirect methods using social media platforms by checking the business website you are likely to find out the names and positions of the senior staff members, from this you can locate them on LinkedIn and Facebook ect, from this you now have key information on their personal data this is what we use for the attack.
So David the CEO likes Liverpool football club drives a vw camper and has a son who’s birthday is December 5th aged 6
His LinkedIn profile gave us his email and contact details for the company positions held and via linked information details on other company staff.
Facebook gave us information regarding his personal life, photos and posts regarding birthday parties camper van Holidays ect.
From this information, we can exploit weakness by using social engineering like sending David an email offering Free football tickets for Liverpool? Containing dangerous malware used to gain access to the system once he opens the email.
Or could call him claiming to be from a vw camping group offering discounted tickets.
Getting David to log into your website from his work computer (obviously not a real website for vw campers, but a fake website with keylogging spyware in that now gives you personal details about his password and login credentials)

We can also attack remotely using our gathered information to greatly increase our chances of gaining access as now we know things like birthdays and other personal details that we can add to a brute force attack as mentioned above making it much easier to crack David’s password as most people will use a memorable date or favorite football team ect.

So as we can see our personal information on social media sites with other information connected to our jobs combined could easily give a potential hacker enough information to setup a potential exploit.
For more information regarding online cyber security and best practices for identity protection follow our blog link below.
https://chasereality.co/social-media-whos-watching-the-watchers