I’ve posted this before but it’s worth repeating, and you’ll have to forgive me for a somewhat provocative title and allow me some poetic licence, because in fact, different hacking groups do things differently, although they have much in common.  Personally, I don’t like the term hacker, much preferring cybercriminal, because anyone who accesses a system without the owners’ permission, is by definition, a criminal.  But I suppose hacker is less of a mouthful.

What is Hacking?

Hacking involves exploiting vulnerabilities in systems, software, or networks to gain unauthorised access or manipulate data using a variety of techniques and methods, which tend to combine technical tactics and social engineering.

Profiling

One of the first things a hacker, or criminal group, will do, is to profile your organisation and your people.  Favourite open sources of information include:

• Social media: Information about hobbies, job roles, family, and schedules shared on platforms like LinkedIn, Facebook, and Instagram.  Do you have a social media policy in your company?  Do you lay down what an employee can and cannot say about your company on their personal social media pages?  Do you have a designated person in the company who handles your company’s profile on social media?

• Company Website:  You’ll want to give prospective clients contact information of course, but you should not give out individual email addresses and you should limit profiles published.  I do give my personal profile on my website but don’t give information about any other position, leaving it to a generic phone number and email address.

• Professional Profiles: LinkedIn is a favourite for targeting businesses, as it provides details about an individual’s role, connections, and organisational structure.

• Personal Websites or Blogs: These may reveal contact details, interests, or sensitive information inadvertently.  The same issues that appertain to social media apply here. 

• Data Brokers: Cybercriminals can purchase detailed dossiers on individuals from data aggregator sites.

With all of these things you’re walking a bit of a tightrope.  You need to advertise and you need to provide potential customers with relevant information to allow them to contact you easily, but at the same time you need to be careful of what you give away.  Use generic email addresses and phone numbers and limit the information you give in profiles.

Phishing and Pretexting

Another favourite is phishing and pretexting.

• Phishing Emails: We all know, or at least I hope we know, what phishing is.  Attackers send emails designed to extract more information, such as login credentials, by posing as a trusted entity.  In this context, it could be as simple as the attacker wanting to verify information by perhaps sending an email to a discovered address but wanting to confirm that individuals position in the company.  That just requires a response showing a signature block, so the phishing email might seem very innocuous.

• Fake Surveys or Job Offers: These can be used to obtain detailed personal or professional data.

Favourite Reconnaissance Tools

Hackers don’t need an array of expensive tools to do their job, neither do they need to spend hours developing their own. There are a variety of reconnaissance tools used by attackers, including open-source intelligence (OSINT) tools, WHOIS lookups and scanning misconfigured systems using commercially available tools such as Nmap and Nessus, which identify open ports, services and weak configurations.  This is why it’s essential to regularly scan your network for these weaknesses.  Ports can be opened for a particular reason and never closed again.  It’s a common fault.

We are now seeing new models increasingly. In particular ransomware as a service (RaaS) is a cybercrime business model where  operators write software and affiliates pay to launch attacks using said software. Affiliates do not need to have technical skills of their own but rely on the technical skills of the operators. The “ransomware as a service” model is a criminal variation of the “software as a service” business model. This model allows small threat attackers to gain access to sophisticated ransomware tools at lower costs, also lowering the threshold of entry into cybercrime and complicating defenses against hacking.

Here at H2 we scan the dark web daily looking for leaked credentials, particularly email credentials.  When we on board a new client we nearly always get hits with sometimes up to 20+ compromised email addresses including passwords.  You might ask why they’d be on the dark web – simple, they are often up for sale on dark web marketplaces.

Psychological Profiling

In terms of cybercrime, who’s heard of psychological profiling?  Cybercriminals analyse:

• Behavioural Patterns: Regularity in actions, such as times a person is online, financial habits, or common purchases.

• Weaknesses and Triggers: Examples include a recent job loss, major life changes, or emotional vulnerabilities, which they exploit through spear-phishing or scams.

I’ve often argued on these pages, that your employees are both your first line of defence and your greatest weakness, and that a good cyber awareness programme is worth its weight in gold.  Cybercriminals often focus on employees in specific departments (like HR, finance, or IT).

• LinkedIn and Organisation Charts: Identify individuals with access to sensitive data.

• Impersonation: Pretending to be a senior executive to trick lower-level employees (e.g., through Business Email Compromise attacks – I’ve written about the CEO scam a lot).

• Technical Probing: Use of phishing or malware to breach a target’s employer.

Conclusion

In conclusion, what I’ve tried to do here is give you a flavour of what you may be up against, and I hope, I’ve shown you that for all the reasons shown above technology comes last after people and process.  All the tech in the world won’t prevent issues arising from the above and is just one part of an integrated defence in depth required to prevent disaster.