Behind the hack: How tech journalists were voluntarily hacked (in the name of research)


Whilst most people know cybercrime is on the rise, too many of us still leave ourselves wide open to attack. Recent analysis suggests that data breaches cost companies an average of almost $4 million, with over $17,000 lost every minute globally to phishing attacks alone.

Part of the problem is that many people believe that they are already protecting their personal data and that only attacks involving top-level, sophisticated methods do the damage.

About the author

Edvardas Mikalauskas is a Senior Writer and Researcher at CyberNews, whose Investigation team recently conducted a hacking experiment with three volunteering UK journalists to expose how easy it is for criminals to exploit personal data. Here’s how they did it, and how to stop it from happening to you.

This is wrong: in fact, all of us are vulnerable to basic forms of attack and could do more to protect our data.

To prove the point, we recently spent six weeks trying to hack three journalists from the Daily Mail – with their permission, of course. These were clued-up journalists, yet we were still able to show that exploiting their publicly available data was relatively easy to do.

The most useful source of data to criminals is personal information, which can be used to impersonate your identity online, or crack your login credentials. This data is often made freely available by individuals, via social media accounts, public profiles, and even previous fundraising pages. Almost all of us are guilty of oversharing. In addition to this, hackers can also exploit previous data breaches from online services to find the data they need.

In our experiment, we quickly found phone numbers, email account details, home addresses, dates of birth, full names of family members, the names of pets and previous passwords. Some data, like mobile numbers, we could piece together using password resets from different accounts. For example, a Facebook reset gave us the last two digits of the attached phone number, PayPal provides six digits in total, and so on. This data was more than enough to launch an attack on the journalists.

Using a combination of phishing attacks, brute-force resetting of passwords, vishing campaigns and SIM swapping, our Investigations team attempted to breach the online security of the three journalists through white hat techniques.

What do these techniques look like in practice?

Phishing is a method that exploits our trust in organizations, such as HMRC or a bank. Malicious actors attempt to fraudulently obtain personal information by impersonating these trusted sources in online communications like emails and messages. This method often directs users to spoof websites that ask them to enter login details and other personal information, which is then stolen by the hackers.

Brute-force password resetting involves guessing a password by attempting possible character combinations. Although this is a rather slow method, as the malicious actor would have to know the parameters of the password (e.g. upper- and lower-case characters, special symbols, password length) to narrow down the search, it is still a viable way for accounts to be hacked.

Vishing, meaning voice phishing, is a particularly worrying method, where a hacker will impersonate a trusted source in a direct phone call with the target. Fraudsters will most likely use caller ID spoofing or an automated system so that the number looks trustworthy, making them harder to track. The communication aims to obtain personal information with the goal of stealing identity or money.

SIM swapping is a type of scam and account takeover that targets weaknesses in two-factor authentication (2FA). In this type of fraud, actors exploit mobile phone service providers and use previously obtained personal data to impersonate the victim. Once they have passed the security measures, the hackers will ask for a secondary SIM card to be sent to them, aiding their attempt to bypass authentication for social media, banking and email accounts.

How did we hack the journalists?

Using the mobile number obtained for one target, our vishing campaign resulted in a direct phone conversation between one of the journalists and one of our researchers, who impersonated a PayPal representative in an attempt to gain access to their account. The journalist became suspicious at the last moment, and this breach was ultimately thwarted just before they revealed personal account data.

In the SIM swap experiment, our team impersonated two journalists and spoke with their mobile phone provider to request a secondary SIM card, asking for shipping to our address. This method took us over 20 attempts to secure, as we did not possess all the personal data required for the security check. Eventually, we found one customer service worker who trusted us and agreed to send the SIM. By receiving and using this SIM card, our team could bypass phone-based authentication for resetting logins to a number of accounts and quickly gain access.

At this point, our status as ethical hackers prevented us from using other methods favored by criminals. We have no doubt that common criminal techniques like background checks and blackmail would have quickly gleaned even more information and made defrauding these individuals relatively simple.

So, how can you reduce the risk of an attack that sees your own data exploited?

How to best protect yourself

The most important action is to enable two-factor authentication (2FA) on all of your accounts, which requires two separate stages of approval when accessing your accounts. This can be done for your social accounts on Instagram, Facebook and Twitter, messaging platforms like WhatsApp, as well as your personal banking, file management and gaming accounts. Any account where personal data is stored should feature 2FA.

Unless you are able to remember long, individual, and unique passwords for each of your accounts, then using a reputable password manager is a must for ensuring security. Password managers help users create unique passwords, as well as securely storing them, for maximum efficiency and privacy.

Finally, a simple but effective step in protecting your information: keep your social media profiles private. As we highlighted during this hacking experiment, the more personal data that is freely available, the easier it is for hackers to exploit it. By freely releasing personal information, however innocent that may feel at the time, you increase the pieces of the puzzle that hackers are able to collect about your life.

Edvardas Mikalauskas

Edvardas is a Senior Writer and Researcher at CyberNews. He writes about cybersecurity, privacy, and the impact of technology on the daily lives of consumers. He has a background in media, advertising, social, privacy, and security. 

On CyberNews, Edvardas tends to focus on the subjects of data privacy and cybersecurity. His investigative reports on major data leaks, security vulnerabilities, and the black markets of the dark web have been featured in Forbes, TechRadar, Reason, TechRepublic, SC Magazine, and more.

With eight years of experience writing articles for web startups and tech publications, his bylines can be seen on ReadWrite, DZone, Hacker Noon, Cybersec Asia and more.