When it comes to finding security holes in a company’s information system, professional penetration testers start with what is often the company’s biggest and clearest vulnerability.
At the highly technical Infiltrate hacking conference, a pen tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a client’s system is to bait an employee into clicking on an infected link in a seemingly innocuous email.
“People love to click on that blue line,” Ray Boisvert, a veteran of Canada’s intelligence services, told Business Insider at the conference.
From there, the hacker for hire can acquire the employee’s username, passwords, and other sensitive information — which can lead a hacker into the company’s system.
This tactic, known as “phishing,” can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool.
Unlike criminals sending emails about winning $US1 million from Nigeria, sophisticated hackers spend time learning what they can about their target in order to craft an email — and a persona — that will look authentic enough for the victim to trust.
How it’s done
The pen tester in Silicon Valley described a scenario in which he would be looking for information security vulnerabilities in a major airline.
He would scour LinkedIn looking for the least cyber-savvy airline employees, such as those who work in non-technical areas and new hires unlikely to recognise an atypical email.
The infiltrator will then try and guess the employee’s email address by learning the format of a typical address for that company (i.e., [email protected]) and sending out messages repeatedly until they stop bouncing back.
After attaining the victim’s email address, the hacker looks to social media to learn as much as possible about his target’s professional background, friends, and general interests. In this way, he can customise the phishing email as much as possible — even posing as one of the victim’s closest friends (profile picture included) — to make it look familiar and increase the odds that the target will trust it.
The penetration tester we spoke with said that he could use a complicated exploit to get into a system, but he often doesn’t because phishing often works.
He also noted that the tactic is highly illegal when done outside of a professional environment.