
How Hacks Happen
Hacks, scams, cyber crimes, and other shenanigans explored and explained. Presented by your friendly neighborhood cybersecurity gal Michele Bousquet.
Hacks Ain't What They Used to Be
Hacks used to be impressive, utilizing bits and pieces of technology that made us sit up and pay attention. Nowadays, every scam, breach, or sketchy text message gets labelled a "hack" when it's really just basic use of existing technology, or an outright scam. Let's take a closer look at how the meaning of “hack” has changed, from the complex brilliance of NotPetya in 2017, to today's flood of scams powered by stolen data and AI fakery. It’s the end of the Age of the Great Hack, and the rise of the Age of Many Scams.
Resources:
- Healthcare Data Breach Statistics
- Being Infected by NotPetya: What Maersk learned
- NotPetya: A Columbia University Case Study
Hacks ain’t what they used to be
Welcome to How Hacks Happen. We’re going to start this episode with a little radio drama.
Our story begins on a late afternoon in Kyiv, the capital city of Ukraine, in June 2017.
This is long after Ukraine declared its independence from the Soviet Union in 1991, but still several years before Russia launched its full-scale invasion in 2022. Tensions with Russia are ongoing—especially with all the drama around the Crimean peninsula in 2014—but Crimea is hundreds of miles away from Kyiv, and day-to-day life in most of Ukraine feels pretty normal.
People are just going about their lives: going to work, buying groceries, and raising families.
We begin our story with one of these normal activities. Larysa, a middle-aged Ukrainian woman, has stopped at her local grocery on the way home from work, the day before Constitution Day. Constitution Day in Ukraine celebrates the day that the Constitution of Ukraine was approved by Ukraine's parliament on June 28, 1996. It’s a federal holiday, kind of like Independence Day in the United States. But while Americans tend to party a lot on July 4th and hold barbecues and drink too much and wave around flags and blow off fireworks and stuff, in Ukraine, Constitution Day is a quieter affair. More like the way we celebrate something like President’s Day. You know, a parade or two, maybe a concert. But that’s about it.
Larysa is in a good mood. She has the day off work tomorrow, which is always nice. She just needs a few things from the grocery store, then she can get home and relax.
Cashier: Just these items, ma’am?
Larysa: Mm-hmm.
Cashier: Any plans for the holiday?
Larysa: Just a picnic with my husband. Nothing fancy.
Cashier: That sounds nice.
Larysa: How about you? I hope you’re not working.
Cashier: No, the store will be closed. I’m going to visit my brother in Vinnytsia. Hmm, that’s strange. I’m sorry ma’am, it’s not scanning. Just one moment. Manager to register 2, manager to register 2.
Larysa: What’s happening?
Cashier: I’m sorry, ma’am. There’s something wrong with my register. It’s not just me. It’s all of them, I think. I can handle the transaction manually, though. Ma’am, do you have cash?
Larysa: A little. Here, I’ll just get the cheese and the crackers.
Cashier: I apologize for the inconvenience, ma’am. Everything’s just—I don’t know. It just stopped.
Larysa: Right. Okay. Thank you.
Ticket seller: Here you go, ma’am. One round trip ticket to Vinnytsia. The platform is up on the board. Next in line, please.
Cashier: Let’s see. Vinnytsia, Vinnytsia. Excuse me sir, is there another board? I can’t find my train.
Vladimir: It should be up there.
Cashier: But those trains are from three hours ago.
Vladimir: When does your train leave?
Cashier: In 15 minutes.
Vladimir: Let me see your ticket. Hmm. Let’s go back to the ticket counter and see if they know something.
Cashier: What’s happening? Why are there so many people now?
Ticket seller: Nothing is working now! Excuse me, just one moment.
Man 1: My train leaves in 5 minutes. Why can’t you give me a ticket?
Woman 1: I need to get my baby home!
Ticket seller: I’m sorry. Cash only. Special announcement. We can accept only cash for ticket sales. Please visit the ATM.
People: Where’s the ATM? The ATM is not working.
Larysa: Things are crazy out there.
Yuri: You saw it, too? I couldn’t get any money out of the ATM, and the bank is closed. There were people inside, but they wouldn’t open the door.
Larysa: That is strange. I had to use cash at the grocery, and their ATM is broken, too.
Yuri: Let’s see if there’s anything on the news.
Announcer: Breaking news: a ransomware attack is affecting computers across Ukraine.
Banks, supermarkets, postal services, transportation companies, and even media outlets have reported system failures throughout the day. Computers have been locked and replaced with a message demanding payment in Bitcoin.
The central government building in Kyiv has shut down their computers as a precaution.
We will continue to bring you updates as this situation develops.
This, on June 27, 2017, was the beginning of the NotPetya attack. It was called NotPetya because everyone thought at first that it might be the same as the ransomware attack called Petya that happened the year before. But when they realized it wasn’t, they all started calling it NotPetya.
Now, that was a hack. In this episode of How Hacks Happen, we’ll be looking at what makes a hack a hack, and why I believe hacks ain’t what they used to be.
Let’s start by taking a closer look at the NotPetya attack.
And NotPetya turned out to have devastating consequences, not just in Ukraine but all over the world. It’s believed that Russia unleashed NotPetya in an effort to cripple Ukraine, because, you know, Russia. The ransomware was spread through a piece of software called MeDoc, which is the Ukrainian equivalent of something like QuickBooks or TurboTax. Lots of companies use MeDoc, so the ransomware spread like wildfire within just a few hours. No one knows exactly how MeDoc was infected by NotPetya, but NotPetya was designed to not only infect the computer that had MeDoc, but to replicate itself and spread over the internet.
Eventually, NotPetya spread outside Ukraine, reaching Europe and the United States and even blowing back into Russia, too!
And the kicker was, even though the ransomware asked for a payment of a few hundred dollars to decrypt the system, the end goal didn’t seem to be money. As in, paying the ransom might not even release the files. The goal was to cause chaos in Ukraine. I
Even so, NotPetya caused huge amounts of chaos all around the world. At Danish shipping company Maersk, for example, NotPetya caused hundreds of millions of dollars in damage, as tens of thousands of trucks lined up on the road to deliver merchandise to their ships, but had to be turned away because no one could pull up the manifests. Perishable goods perished, and medications didn’t get delivered, because all of Maersk’s computers were infected—all except one. They were able to recover because they had a single unaffected system in Ghana that they could use to reboot their entire network.
There just happened to be a power outage in Ghana right when NotPetya was hitting all the other computers. Very lucky for them. But man, it took a while and cost millions of dollars. What a mess!
Now, that was a hack. A good, old-fashioned hack. Someone with advanced knowledge and talent and skill wrote that little NotPetya worm and implanted it into a MeDoc update in a way that it wouldn’t be detected. And that took some serious hacker chops.
There was a time when the word “hack” struck awe into the hearts of not just cybersecurity people, but anyone who admires technological feats—when hackers were seen as clever rebels, slipping past digital defenses like cat burglars through laser grids. They weren’t going after your grandma’s Facebook password, no sirree. They were taking down airlines, stealing millions of sensitive records or billions of dollars, and causing ripple effects across global economies. And while out one side of our mouths we were railing against them (“Those evil hackers!”), out the other side of our mouth, we’re going, “Dang, that was pretty clever.”
Then there’s these other kinds of things called hacks that disgrace the word hack. They give me second-hand embarrassment to call them hacks. One example is the hack of the Ashley Madison website, that website for people looking to have an affair. The records of millions of users were stolen in 2015, and the hackers threatened to release the records if Ashley Madison didn’t shut down their website within 30 days. That one was most likely an inside job, where a disgruntled ex-contractor or ex-employee just logged in with their credentials and took stuff, then wrote a little threat on Pastebin. Something that pretty much anybody with basic computer skills could do.
Then there’s phishing, another low-level skill, where someone writes a convincing email that gets a victim to go to a website and give up their login and password. The hacker uses these credentials to log in and grab things like a list of passwords. Or, they hack into your email or cloud storage with your stolen password, and hang out for a while until they find something they can use to scam you.
These are not the most complex hacks to perform. Comparing the skill level needed for something like NotPetya with say, the Ashley Madison hack, is like comparing bank robbers that have blueprints and they’re figuring out how to drill up into the vault after hours and stuff, comparing that with shoplifting at the dollar store.
Even the recent Change Healthcare breach earlier this year, that was done with stolen credentials, not with fancy hacking.
And these days, the word “hack” gets slapped onto anything that involves a login screen or something. Your cousin clicked a link in a fake postal service text message and put in his credit card number, so he says he got hacked. And there’s a call claiming to be from your bank that asks you to “verify your account number”. “They’re trying to hack me!” No, these are all scams.
And don’t get me started about the email that claims a hacker has acquired a big stash of compromising videos of you pleasuring yourself in front of your webcam, which they will send to your Mom if you don’t send them some Bitcoin. They haven’t even hacked anything. This is just a straight-up scam.
Add to this the emergence of AI voices and text and bots, and we have a huge swell in the depth, breadth, and variety of scams, many of them very convincing. And there’s new ones every day. We can’t keep up!
We’ve come a long, long way from emails from a Nigerian Prince and those crappy-sounding robocalls from the fake IRS. Those kinds of scams seem almost quaint and cute now.
And with this evidence in hand, I present you with my personal, unofficial, not-necessarily-backed-by-extensive-serious-research-but-I’m-pretty-sure-it’s-true theory: That The Age of the Great Hack has given way to The Age of the Many Scams.
Allow me to present my evidence. Remember that 2017, the year of NotPetya, was also the same year of the Equifax hack, where Chinese hackers used a series of sophisticated methods to roam around the Equifax network for several months, undetected, and exfiltrate the personal data of more than half the adults in the United States. That was a hack.
But these days, these types of intense attacks seem to be fewer and further between. Sure, we have the Lazarus Group out of North Korea, the ones believed to be responsible for the Sony Pictures Hack in 2014, and also the ones who spread the WannaCry ransomware in 2017. But since then, the Lazarus Group has mostly been focused on stealing big chunks of money in general, and cryptocurrency in particular. Which, if you don’t own any crypto, really doesn’t affect you directly. Since North Korea doesn’t trade with any other nations and they have a tiny GDP, they gotta get their money from somewhere, right?
I would argue that 2017 was the last year of the Great Hacks. Sure, there have been a few serious data breaches of medical data since then, but they didn’t involve anything particularly clever. Just some phishing.
For medical data, the year 2021 saw more data breaches reported than any other year since records first started being published by the Department of Health and Human Services. Having stolen all our social security numbers, bank account numbers, credit card numbers, and tax information, hackers have moved on to medical data as the next frontier. Oh, and also stealing our DNA information, after the breach of 23andMe in 2023.
So now that hackers have all that, what’s left to steal? Not too much. I think just about all the information about us that could be stolen through hacks, has been stolen already, and the rest has been taken through regular old data breaches as a result of phishing. My social security number and address went out with Equifax, I’ve had several credit card numbers stolen over the years, and pretty much every bank has experienced a breach of some kind. And let’s face it, my bank account number is on every check I’ve ever written, so it would be shocking to me if my bank account number wasn’t already out there on some dark web list.
In the words of John Chambers, former CEO of Cisco, “There are two types of companies: those who have been hacked, and those who don’t yet know they have been hacked.”
By now, I’m pretty sure my medical history, all my hashed passwords, every flight I’ve taken, and maybe even my shoe size are out there on the dark web.
Now, you might say, “What about those little mom and pop stores, have they been hacked, too? Like that bakery down the street?” Oh yeah, they’ve probably been hacked. The hackers just got in and out quick because there wasn’t much of anything to steal. Maybe a King Cake recipe or something.
But any company of any size, yeah, I think they’ve been hacked already.
So hearing about yet another company getting breached is just a big yawn to me at this stage. This is in stark contrast to 2017, when I heard about the Equifax hack. I was hoppin’ mad about that one. But after all we’ve been through over the past few years, between the breaches at Change Healthcare, and Hilton Hotels, SolarWinds, various airlines, Coinbase, even the US government, I’ve given up on any expectation of privacy for my data.
This theory I have that 2017 was the end of The Age of the Great Hack is also supported by the fact that hacking, and by hacking I mean real hacking, is really hard. Like, it takes years of devotion to the craft. But scams and data breaches through phishing, these are relatively easy, and require only the most basic knowledge of technology.
Now that all our data’s been stolen, it makes sense that we would move on to the Age of the Scam, because all the data required to do scams is there, and scams are easier. So why not?
Especially when you factor in the latest component in The Age of Many Scams. And that is the miracle of artificial intelligence for generating pictures, text, and voice clones.
AI is a hot topic nowadays. And it has some great uses, like when it does the grunt work of searching a massive database of medical symptoms to recognize patterns for diagnosing diseases, or working out the most efficient maintenance schedules for an airport or a processing plant. These are uses of AI that have advanced us in technology.
But for everyday use, one of the most common uses is for generating text and images. AI is used to check grammar and suggest better wording for emails. At the same time, it can be used to generate images that look a lot like photos, and voice recordings that sound like the real thing, and even realistic-looking animations of a person talking. And while there can be many legitimate uses for these kinds of things, the fact of the matter is that scammers have taken to using AI any way they can to try and fool youse and meese to part with our monies.
All this fakery, when coupled with all that data stolen by hackers and made available to scammers through brokers on the dark web, this has created a perfect storm for the Age of the Scam.
Want to convince Grandma that her precious grandson is in a Guatemalan jail, and she needs to send $5000 in Apple gift cards to get him out? Just buy the grandson’s name and Instagram handle off a data broker, grab 10 seconds of his voice off one of his videos to make a voice clone, and make it yell, “Help me Grandma, I’ve been arrested!” into the phone.
Want to run a recruiting scam, where you offer fake jobs and require the new hire to send money for equipment for the nonexistent job? Run the job ad through AI to get the wording just perfect.
Want to stick to the classics, like the utility bill scam? Just buy a bunch of electric bills off the dark web to get the account numbers and addresses. Worried that your accent will give you away as not being a native English speaker? Use an AI text-to-voice generator to create all kinds of natural-sounding sentences in the accent of your choice, like a nice United States midwest or maybe UK, or even a United States southern accent.
Are you trying to pull off a romance scam, with you playing the part of Johnny Depp? Make a nice video of that cute Johnny-boy professing his undying love for your victim. You can even make a clone of Johnny’s voice from his many films and TV shows, and it will sound just like him. These types of videos still look a little wonky, and you can tell they’re fakes if you look closely, but the tools are only going to get better with time.
There are even some AI services that convert voice accents on the fly. They’re not very good right now, but they’ll only get better. And that goes for video, too. I can see a future where you pull up any image and just start talking into your microphone, and poof! There’s Jennifer Aniston, talking in what sounds like her own voice about how she can’t wait to marry you, if you could just send $5000 in gift cards so she can buy her dream wedding dress.
Yeah, it’s coming. The Age of Many Scams is just getting started.
So, what can you do? In addition to the usual tips like, freeze your credit, don’t answer the phone if it’s a number you don’t recognize, don’t send money to people you’ve never met, and never fall for demands to pay for things with gift cards, I think we have to change the way we think about trust.
Remember “stranger danger” from when you were a kid? We need to apply the same rule in adulthood. If you get an unexpected phone call or email or text from someone you’ve never heard of, even if they say they’re from a company or service you use regularly, put up your “stranger danger” radar immediately and assume the worst. There’s no harm in taking a moment to confirm through channels you trust, like by calling the number on the back of your credit card, or looking up the company name and the word “scam”. And there is never anything so urgent that you have to take care of it “right now, right away! You have to do it now!” That just isn’t a thing.
I exercise this “no trust” mindset regularly, even when I meet someone new socially. Oh, you say you’re an aerospace engineer at NASA? Mm-hmm. I’ll chit-chat with you for a while, but we won’t really become friends until I look you up on LinkedIn and confirm that’s you. You’d think that my not trusting anyone, ever, until I’ve checked them out, would have impacted my social life negatively, but it hasn’t. When we eventually become good friends, I’ll come clean about my light internet stalking, and we’ll have a good laugh. And I expect you to say the same thing about looking me up before trusting me.
While hacks ain’t what they used to be, data breaches are still rampant. And they lead directly to making it easier for scammers to try and part you, me, and our fellow citizens from our identities and our money. The Age of Many Scams is upon us.
For more on safety in our interconnected age, be sure to subscribe or follow How Hacks Happen. If you like to watch videos on YouTube, I’d also like to recommend a YouTube channel called Reject Convenience, which does some amazing deep dives into a lot of the same topics I talk about here, including how scammers use your data.
This is Michele Bousquet from How Hacks Happen, signing off. Stay safe out there!