
How Hacks Happen
Hacks, scams, cyber crimes, and other shenanigans explored and explained. Presented by cyber security teacher and digital forensics specialist Michele Bousquet.
Shady Cousins: Hacks and Scams
They're the kinds of cousins you wish you didn't have, but you don't really have a choice. What's the difference between hacks and scams, and how do they work together to part you from your valuables like personal information and money? In this episode, we look at the similarities and differences between these shady cousins, and how you can keep them from doing their dirty work.
Resources:
- 91% of all cyber attacks begin with a phishing email to an unexpected victim
- Sony Hackers Used Phishing Emails to Breach Company Networks
- Social Engineering Attack
Shady Cousins: Hacks and Scams
Welcome to How Hacks Happen! I’m Michele Bousquet, your friendly cybersecurity researcher, here to break down the wild world of hacks, scams, and everything in between. Today, we’re taking a look at the close, loving relationship between two darling cousins, a pair so dear to one another that you will rarely find them apart. And the two are affectionately known as: hacks, and scams.
Ah, hacks and scams. Those shady cousins that lurk in the shadows. The cousins that you’re kind of reluctant to invite over for the holidays because they always manage to corner the most vulnerable member of your family and make them cry, but you’re equally afraid to not invite them, because they might go behind your back on a group chat and ruin your relationship with the rest of your family. Or, one of them will be in the kitchen making a scene over the turkey not being cooked properly or something, while the other one is in the dining room stuffing the good silverware down their pants. Those kinds of cousins. And as they say, you can pick your friends, but you can’t pick your family. So you’re kind of stuck with them.
These cousins go almost everywhere together. So maybe, just maybe, if you could keep one of them out of your life, the other one would just bugger off. Hmm, I wonder if that would work. But the key to that is understanding how hacks and scams coordinate their efforts to part you from your personal possessions, namely your money and your private information.
Let’s start with the differences between the two. What’s a hack, and what’s a scam? People use these words interchangeably, but they’re actually not the same.
A hack is when someone gains unauthorized access to a computer system, or network, or data. It’s about exploiting vulnerabilities in software and hardware, usually to gain information, and sometimes for money, but usually not. It’s the data they’re after. And hacking requires technical skill, the kinds of skills that most of us don’t have.
Hackers generally target companies that store vast quantities of information about lots of people, because that’s where hackers are going to get the most bang for their buck. They’ll steal stuff like people’s credit card information, social security numbers, and even their medical history. But they don’t necessarily do anything with this information, no no no. They pass it on to their cousin, the scammer, to have their own fun with.
A scam, on the other hand, is about deception. It’s when someone manipulates a person or an institution into giving up money. It’s more of a con job than a technical break-in. And scammers sometimes use information they get from hacks to make the con happen. The only skill required to be a scammer is to be a smooth talker, and that doesn’t require years of technical training. In fact, I’ve known a few kindergarten-age kids that are quite the scam artists.
In the middle ground between hacks and scams we have something called social engineering, which is sort of like a half and half. I guess we could call it the bastard child of those shady cousins. A rabid, cackling toddler who runs rampant in the supermarket knocking over stacks of cans and watermelons, without any care at all for the damage it wreaks.
Wait a minute, isn’t it legal for cousins to get married? In some states. But anyway I didn’t say they got married, I said they had a bastard child. I’m getting too much in the weeds with the metaphors here. Let’s just talk about social engineering.
Social engineering is when one of your shady cousins tricks a person into giving up sensitive information, usually by impersonating someone they would ordinarily trust.
Two of the most common flavors of social engineering are phishing and baiting. Yeah, these are more metaphors related to the sport of fishing, but I didn’t make these names up. It’s not like casting a line into a body of water to actually catch something swimming. This doesn’t actually catch any fish. No, they’re after something more valuable, like your password or your credit card.
Phishing, spelled with a PH instead of an F, is when you get an email pretending to be from a legitimate company, like a bank or Ebay or PayPal or even Apple, any company that deals with money. They put a link in the email and they want you to click it, but it will send you to a fake website that looks like the real website. They want you to enter your password for the real website so they can steal the password. They might even ask for credit card information so they can steal that, too. But, spoofing emails and setting up a fake website requires technical skill, so that’s kind of on the hack side of things.
Baiting is when the email offers you a prize, something valuable like an iPad or a laptop, to get you to click the link and go to some website. But you find that before you can claim the prize, you have to enter your name and address, and pay a small shipping fee, so please enter your credit card number. And then you find out you didn’t really win the prize, you were entered to win a prize. But can we offer you some magazine subscriptions or maybe some Viagra or something? Doesn’t matter, we’re going to charge them to your credit card anyway, because some percentage of people won’t notice the charge in time to get it reversed and we will make some money! Thank you so much for playing.
Both phishing and baiting can also extend to messages received on your phone, where you receive a message telling you that a package has been held up at the postal service, or the fraud department at your bank has detected some fraudulent activity, or you’re being offered a nice easy high-paying job, or you have a toll or unpaid taxes or any number of other kinds of messages designed to get you to act quickly. “Please tap the link right away!” But the domain name looks kind of suspicious, like not the actual domain for the real place it says it comes from, like maybe it ends in .ru, which is the domain extension for Russia.
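The "look at the domain" advice above can be turned into a small triage script. This is an added example for this page, not code from the episode or its host: it pulls every link out of a message, works out the domain someone could actually have registered, and flags the tells described above (a brand name sitting in the host name while the registrable domain belongs to someone else, a watch-listed TLD, a `user@` prefix that hides the real host, a bare IP, punycode). The brand allowlist, the watch-listed TLD set and the sample messages are all constructed for illustration; none of the TLDs is malicious by itself.

```python
"""Triage links in a suspicious email or text message.

Added example for this page; not code from the How Hacks Happen episode.
The brand allowlist, the watch-listed TLDs and the sample messages below
are constructed for illustration, not real data.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed allowlist: the registrable domains a brand actually uses.
# A real deployment would take this from the organisation, not guess it.
BRAND_DOMAINS = {
    "paypal": {"paypal.com"},
    "apple": {"apple.com", "icloud.com"},
    "usps": {"usps.com"},
}

# Constructed list of TLDs worth a second look in a message that claims to
# come from a US bank or courier. None of these is malicious on its own.
WATCH_TLDS = {"ru", "top", "xyz", "icu"}

# A few multi-label public suffixes so "bank.co.uk" is kept whole.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """'login.paypal.com.evil.top' -> 'evil.top': the part someone registered."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyze_url(url: str, claimed_brand: Optional[str] = None) -> list[str]:
    """Return human-readable warnings for one URL (empty list = nothing odd)."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    if parts.username is not None:
        # https://paypal.com@evil.example/ : the browser goes to evil.example
        warnings.append("URL contains a user@ prefix; real host is " + host)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        warnings.append("bare IP address instead of a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalised (punycode) domain; may be a look-alike")

    reg = registrable_domain(host) if host else ""
    tld = reg.rsplit(".", 1)[-1] if reg else ""
    if tld in WATCH_TLDS:
        warnings.append(f"registrable domain {reg} uses watch-listed TLD .{tld}")

    # Brand impersonation: the brand appears in the host name (or the message
    # claims to be from it) but the registrable domain is not one it owns.
    claimed = (claimed_brand or "").lower()
    for brand, owned in BRAND_DOMAINS.items():
        if (brand in host or brand == claimed) and reg not in owned:
            warnings.append(f"claims to be {brand} but registrable domain is {reg}")
    return warnings


def triage_message(text: str, claimed_brand: Optional[str] = None) -> dict[str, list[str]]:
    """Find every URL in a message and attach its warnings, in order of appearance."""
    return {url: analyze_url(url, claimed_brand) for url in URL_RE.findall(text)}


# Constructed sample messages (not real SMS or email content).
SAMPLES = {
    "smishing": "USPS: your package is held. Confirm address at http://usps-redelivery.top/track now",
    "phish": "Your Apple ID has been locked. Verify at https://appleid.apple.com.verify-account.ru/login",
    "legit": "Your PayPal receipt: https://www.paypal.com/activity",
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        brand = {"smishing": "usps", "phish": "apple", "legit": "paypal"}[label]
        for url, found in triage_message(msg, claimed_brand=brand).items():
            print(label, url, found or "looks consistent")
```

The registrable-domain step is the one people skip: "appleid.apple.com" at the front of a host name means nothing if the name ends in "verify-account.ru". The script is deliberately allowlist-driven, since a block list of TLDs or keywords can always be dodged; the point is that a link claiming to be from a brand should resolve to a domain that brand actually owns.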
The examples I described so far are more like scams, because it’s about getting people to do things. If you give up your information willingly, but under false pretenses, that’s a scam. Where social engineering crosses the line into hacking is when it’s used to gain access to large bodies of information through exploitation of hardware and software.
Let’s look at one of the classics: the Sony hack of 2014. We covered the Sony hack back in Season 1, Episode 12, and it’s worth a listen if you want all the details. But the gist is that North Korean hackers threatened violence if Sony didn't cancel the release of the film 'The Interview,' a comedy about two bumbling journalists who travel to North Korea and attempt to assassinate the country's Supreme Leader. The release went forward anyway, and thankfully, the threats came to nothing. No one was hurt.
Nobody knows for sure how North Korean hackers managed to get access to Sony Pictures’ data, but one thing we do know is that prior to the hack, many Sony employees received an email asking them to reset their Apple IDs. And, as you might have guessed, these emails were bogus. The link in the emails was to a fake website that just wanted passwords. Some employees clicked the link and gave up their passwords, so the theory goes.
Since many people reuse passwords across different sites, the hackers then had, potentially, some passwords they might be able to use to log into Sony Pictures’ database. But what about the logins to go with them? That would probably be the person’s email address. And that’s where social media site LinkedIn comes in.
It’s easy enough to go to LinkedIn and find a list of people that work at any company, including Sony Pictures. And a lot of companies have email addresses that are like, first name dot last name at company dot com, or some combination like this. And after you go to LinkedIn and find the names of people that work there, you can figure out some email addresses to go along with your passwords. That’s yet another social engineering trick.
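The address-guessing step above is mechanical, which is why it is so cheap for an attacker. The following is an added example for this page, not code from the episode: given one address whose owner is known (a press contact, a signature in a public email), it works out which naming convention the company uses, then applies that convention to a list of names. The names, the domain `example.com` and the "known" address are all constructed; a defender can use the same logic to see how guessable their own directory is and why a guessed address plus a reused password needs MFA in the way.

```python
"""Infer a company's e-mail naming convention and apply it to a list of names.

Added example for this page, not from the episode. All names, the domain
example.com and the known address are constructed.
"""
from typing import Callable, Optional

# Common local-part conventions; each maps (first, last) to the part before "@".
PATTERNS: dict[str, Callable[[str, str], str]] = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast": lambda f, l: f"{f}{l}",
    "flast": lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf": lambda f, l: f"{l}{f[0]}",
}


def normalise(name: str) -> str:
    """Lower-case and drop anything that is not a letter ("O'Brien" -> "obrien")."""
    return "".join(ch for ch in name.lower() if ch.isalpha())


def infer_pattern(first: str, last: str, known_address: str) -> Optional[str]:
    """Return the convention that produces a known address, or None if none matches."""
    local, _, _domain = known_address.lower().partition("@")
    f, l = normalise(first), normalise(last)
    for name, build in PATTERNS.items():
        if build(f, l) == local:
            return name
    return None


def candidate_addresses(names, domain: str, pattern: Optional[str] = None) -> list[str]:
    """Apply one convention (or every convention if none is known) to (first, last) pairs."""
    chosen = [pattern] if pattern else list(PATTERNS)
    out = []
    for first, last in names:
        f, l = normalise(first), normalise(last)
        for p in chosen:
            out.append(f"{PATTERNS[p](f, l)}@{domain}")
    return out


if __name__ == "__main__":
    # Constructed: one address found in a public signature, plus names from a profile list.
    known = ("Jane", "Doe", "jane.doe@example.com")
    staff = [("Ann", "Lee"), ("Sam", "O'Brien")]
    pat = infer_pattern(*known)
    print("convention:", pat)
    for addr in candidate_addresses(staff, "example.com", pat):
        print(addr)
```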
And from there, the hackers could log into Sony Pictures’ servers as if they were an employee. The next step in the hack required some technical expertise, namely getting in among all the data and manipulating it so the hackers could download the data for themselves.
So the Apple ID email that started all this could be considered part of a hack, since it led to unauthorized access to a system. But in the strictest sense, the phishing email was a scam, since it was just fooling individuals into giving up something valuable: their passwords. Which the perpetrators then could use to perform a hack into the system, where all the data is.
But the login part of the hack, I would argue that that part is not a hack. They didn’t use some super special, advanced hacking tools to “break the code” and get the password. They just asked for it.
It’s like, if your friend gives you a sob story about why he needs 20 bucks…
Friend: I got robbed!
…and you, of course, being a good friend, you hand him 20 bucks. But then you later find that the sob story wasn’t true. He didn’t steal 20 bucks from you, because you willingly handed over the money. It might be fraud, but it’s not theft. In the same way, if you get a phone call from a hacker pretending to be from your company’s IT department and you willingly give them the password to your bank account, and then they use it to transfer all your money to their own Bitcoin wallet, you might be tempted to scream, “I’ve been hacked!” But really, you were scammed or defrauded. You were not hacked.
Pig butchering scams and romance scams, where someone sweet-talks you into giving up money or passwords to your bank account, these are scams. But they are not hacks, because you gave it up willingly. If you listened to our three-part catfishing series here on How Hacks Happen, or our episode on pig butchering, you know how these scams go.
Ransomware is a combination of a hack and a scam. The hack is whatever the hacker was able to do to get access to the data and encrypt it with their own encryption key, and after the hack is the hackers’ demand for money before they’re going to give the victim the decryption key so they can unlock their own data. That’s actually extortion, that’s not a hack or a scam! But if you were going to put it in some category, you would probably say it’s a scam.
And then on top of that, hackers be hackers, and they sometimes don’t even give up the decryption key even after getting paid. Or, part of their ransom demand is that they say they will keep the data private and not leak it if the ransom is paid, but then the victim pays the ransom and the hackers leak the data anyway. Scam-my! Scam sandwich. Like, a big ol’ slice of scam, topped with scam sprinkles.
As for the difference between hacks and scams, an easy shorthand is to think of a hack as software requiring skillful technical expertise, and a scam being an activity that convinces someone to do something, like give up a password. Ah, those pesky cousins, one with mad programming and hacking skills, and the other with a silver tongue, telling lies that convince you to give up information.
In case you haven’t noticed, all of the hacks we’ve talked about here have a scam aspect to them, a piece of the overall hack that involves the scammy cousin. But in reality, do all hacks involve scams?
Well, there are a few hacks that didn’t involve phishing or other scams. One was the Equifax breach of 2017, which I covered in the very first episode of How Hacks Happen.
Equifax is a credit reporting agency that tracks the credit histories of pretty much everybody in the United States. In the Equifax breach, hackers took advantage of a vulnerability in a web page that Equifax used to accept documents related to credit disputes. The hackers used this portal to get into the system and do some more hacker-type stuff to get access to passwords and databases, and to pull the information out of Equifax’s servers, sneaking it past the routers that were supposed to block this type of activity. And the hackers made off with the names, addresses, and social security numbers of over half the adults in the United States. I’m still kind of annoyed about it, in case you can’t tell.
Notice the terminology I’ve used here. The hackers took advantage of a vulnerability in a web page, which is basically software. That’s a hack. Then they used some more tools and scripts that they had written themselves, to move around the network. That’s also a hack. Then they managed to fool the router into letting the data out with some tricky encryption-related maneuvering, and that’s also a hack.
And as awful as the Equifax breach was, it was one of the few big hacks in the past several years that didn’t involve social engineering or phishing. It was just clever hackers taking advantage of a known vulnerability in Equifax’s infrastructure, actually one that Equifax could have patched up ahead of time, but unfortunately they didn’t. And since then, Equifax has battened down the hatches, so to speak, and hasn’t been hacked since. Or, so we think.
In the sense that it was purely a hack with no social engineering, Equifax is in the minority, because it’s estimated that over 90% of so-called hacks are attributed to social engineering where somebody gives up a password, not because some genius hacker tapped away on a keyboard and came up with an exploit that bypassed all the security measures.
It means Betsy in HR got fooled into giving up her password, and her company’s website doesn’t have multi-factor authentication, and now a hacker gains access to all the employees’ social security numbers and pay rates. Or someone at Sony Pictures falls for the Apple ID reset scam, and coughs up a password that works on Sony’s servers.
And here we have it. With all the anti-hacker technology we have, from multi-factor authentication to routers that monitor all the traffic going in and out, and entire teams of cybersecurity professionals watching who is getting into their networks and what they’re doing, how are hacks still even a thing?
Well, the problem is twofold. One is that some companies just don’t take cybersecurity seriously enough. A couple of years ago, I gave a talk at a security conference about Equifax, looking back on the breach that happened in 2017, discussing the lessons learned. I had a nice room full of people, but they weren’t there to learn about Equifax because they already knew about all that. Their issue was that they couldn’t get their company to implement the simplest of measures to prevent the same thing from happening to them, and they wanted to discuss it with others so that we could figure out a solution for that. It was really eye-opening to hear that that’s the problem.
The other side is that these precautions are useless if people keep falling for phishing scams. Now, that’s basically a people problem. And we are the people who are the problem.
According to Kevin Mitnick, one of the notorious hackers in internet history, “Humans are the weakest link in any security system.”
And I gotta say, I don’t disagree.
All this musing is fine and good for feeling all knowledgeable and stuff. But the point is not for you or me to feel all smart and smug. The point is, what can we do about it, to keep ourselves safer from hacks and scams?
There are a few things. I’ve mentioned a lot of these on this podcast before, but let’s look at these from the perspective of hacks and scams working together, and how you can keep that from happening.
With regard to companies that can’t be bothered to implement security measures, as a consumer, you in a way have more power than the cybersecurity pros they’ve got working in the back room. One of the problems that the security crew faces when they’re trying to get new measures implemented is that cybersecurity itself doesn’t generate any profit for the company, so they’re reluctant to put more money into it. But if a website where you do business doesn’t have some basic security measures, like, say, doesn’t have multi-factor authentication, you can complain about this. And you can say that you won’t do business with them until they fix it, and that will have an impact. Because if a company is worried about losing customers because of a lack of MFA, they might be inspired to finally allocate some funds to do it.
And of course, there’s my usual advice of never clicking on a link in an email, but going to the actual website.
And try to use unique passwords on every website you visit. I know this is hard, but remember the lesson from the Sony hack, and maybe it’s time to get a password manager.
Also antivirus software, really important. It will check all your downloads from email. I’ve had a few things blocked from that where I did get fooled, but my antivirus software was there to tell me that’s not good.
And of course, as always, check your credit card and loan accounts regularly for suspicious activity, and freeze your credit.
That is all I have to say for today. I hope this episode has shed some light on the differences between hacks and scams, how those shady cousins operate together, and how you can keep their sticky little hands out of your pockets. See you next time on How Hacks Happen.