
Cybersecurity made human: Don’t balk at the basics

Paul Ducklin
10/16/2024

Even if you’ve got cybersecurity covered in your own digital life, remember that friends don’t let friends get scammed!

Cybersecurity made human

We’re halfway through October already, which means we’re halfway through Cybersecurity Awareness Month, an initiative of the US government aimed at getting us all to do exactly what the name suggests.

Attitudes to Cybersecurity Awareness Month are, to put it bluntly, mixed.

Privately, you’ve probably heard experts you know and otherwise trust treating it superciliously, looking down on it as “too little, too late,” or treating it as some kind of “same old, same old” government formula showing that the authorities have fallen behind, and are happy clutching at trivialities instead.

Publicly, however, you’ve probably seen just how excited the marketing departments of cybersecurity vendors get about hitching their boats to the phrase Cybersecurity Awareness Month, judging by the number of paid or sponsored links your favorite search engine has recently been showing you when you search for exactly those words.

In the words of the Cybersecurity and Infrastructure Security Agency, better known as CISA:

“Over the years, [Cybersecurity Awareness Month] has grown into a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk, and generate discussion on cyber threats on a national and global scale.”

If you keep up with cybersecurity news, you’d be forgiven for assuming that ‘cyber threats on a global scale’ inevitably involve what are known in the jargon as advanced persistent threats (APTs) from so-called nation-state attackers or state-sponsored actors.

The term ‘state-sponsored actors’ in this context doesn’t refer to students of film and drama who are attending government-funded schools or colleges. It is a metaphorical term for cybercriminals who work for, or who are in some way associated with, the government of a country. Those who are not obviously or officially on the government’s payroll may nevertheless avoid investigation or prosecution, and may be able to keep and even to flaunt their ill-gotten gains, apparently without attracting the attention of their local financial authorities.

The true global risks

As we’ve pointed out in numerous previous articles, almost all cybercrime is global in nature, and largely unaffected by international borders.

Even in countries with strict internal censorship or network restrictions, cybercriminals inside those countries can comparatively easily prey on victims outside their country (whether those criminals are ‘state-sponsored’ or not), and cybercriminals outside those countries can target victims inside them.

Cloud services make it easy for anyone who is (or who can pretend to be) in one part of the world to set up a fast and efficient online presence such as a web server or a blogging site, perhaps for just a few dollars, that can be accessed by visitors from almost anywhere else on the planet.

These cloud services often come with a domain name of your choice plus an HTTPS certificate that’s created for you automatically to give the site an aura of proper security.

Sometimes, hosted websites may even be available for a promotional ‘try-before-you-buy’ period that makes the service free if you decide to cancel your account within a day or two.

Sadly, a day or two is more than enough for cybercriminals to conduct a scam campaign that presents a realistic-looking but bogus login page masquerading as a well-known site such as a webmail service, a file-sharing utility, a payroll system, and so on.

In many cases where I have analyzed phishing emails that link to malicious websites, the domain names used for those lookalike sites had been allocated by a domain registrar for the first time earlier the same day, or late the previous evening, ready for immediate use by the cybercriminals who registered them.

The fake domain names used for cybercrime are often surprisingly realistic, as in the case of a scam I wrote about last year in which a malware-tainted WordPress plugin was distributed via the legitimate-looking domain en-gb-wordpress.org, which wasn’t considered misleading enough to be denied registration, despite its obvious similarity to the official name en-gb.wordpress.org.
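The two domain-name signals in the passages above, a registrable domain that is only hours old and a name that merely resembles the brand it impersonates, are both checkable by a mail gateway or a careful reader. The following is an added example written for this article, not the author’s or SolCyber’s code. It assumes a tiny constructed stand-in for the Public Suffix List (`PUBLIC_SUFFIXES`) and a constructed brand watch-list (`BRANDS`); the registration date would in practice come from WHOIS or RDAP, which is outside the example.

```python
"""Classify a URL's hostname against a brand watch-list (legitimate subdomain,
lookalike, or unrelated) and flag freshly registered domains.

Added example for this article; it is not the author's or SolCyber's code.
PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List and
BRANDS is a constructed watch-list; both are assumptions.
"""
from datetime import date
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (assumption: only these suffixes occur).
PUBLIC_SUFFIXES = {"org", "com", "net", "co.uk"}

# Constructed watch-list: registrable domains whose brand we want to protect.
BRANDS = {"wordpress.org", "solcyber.com"}


def registrable_domain(hostname: str) -> str:
    """Return the registrable (apex) domain: the public suffix plus one more label.

    'en-gb.wordpress.org' -> 'wordpress.org', but 'en-gb-wordpress.org' -> itself,
    which is exactly why the two names are different owners.
    """
    labels = hostname.lower().rstrip(".").split(".")
    # Walk from the left so the longest suffix ('co.uk') wins over a shorter one ('uk').
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname!r} is a bare public suffix")
            return ".".join(labels[i - 1:])
    raise ValueError(f"no known public suffix in {hostname!r}")


def classify(url: str) -> str:
    """'legitimate' if the apex is a watched brand, 'lookalike' if a brand name
    appears anywhere else in the hostname, otherwise 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower()
    if registrable_domain(host) in BRANDS:
        return "legitimate"
    # Drop separators so 'en-gb-wordpress.org' and 'wordpress.org.evil.com' both expose 'wordpress'.
    flattened = host.replace("-", "").replace(".", "")
    for brand in BRANDS:
        brand_name = brand.split(".")[0]        # 'wordpress.org' -> 'wordpress'
        if brand_name in flattened:
            return "lookalike"
    return "unrelated"


def is_freshly_registered(registered_on: date, seen_on: date, max_age_days: int = 7) -> bool:
    """True when the domain was registered within max_age_days of the message being seen."""
    return 0 <= (seen_on - registered_on).days <= max_age_days


if __name__ == "__main__":
    for u in ("https://en-gb.wordpress.org/plugins/",
              "https://en-gb-wordpress.org/download",
              "https://wordpress.org.evil.com/login"):
        print(f"{u:45} {classify(u)}")
```

The apex-domain step is the important one: a brand name appearing anywhere other than the registrable domain proves nothing about who owns the site, so the check treats it as a reason for suspicion rather than reassurance. A real deployment should swap in the full Public Suffix List, since the hard-coded set above will misjudge any suffix it does not know.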

Grabbing credentials

As you know, phishing sites of this sort aim to lure impatient or incautious users to enter their login details, often including their username, password and current multi-factor authentication (MFA) code, into a web form that gets transmitted directly to the criminals.

Those criminals generally re-use the personal data they just harvested as quickly as they can, either using software to automate the process, or by having humans on standby in a ‘service center’ to work their way past any anti-automation tools that the genuine site might use to detect inauthentic logins.

If the criminals do catch you off-guard and get into your account without you spotting the subterfuge, they then have numerous lines of attack open to them, including:

  • Take over the account completely. By heading straight for the user profile or account settings tab, the criminals may be able to lock you out and thereby to abuse the account for as long as it takes you to convince your service provider that you are the genuine owner. Unsurprisingly, if disappointingly, recovering a stolen account may take days, weeks, or even longer.
  • Reconfigure the account settings but leave it apparently untouched. In a so-called business email compromise (BEC) attack, the criminals will typically set up a bunch of well-hidden mail processing and forwarding rules as a means of industrial espionage. For example, they might auto-forward any emails mentioning accounts payable or receivable, thus keeping tabs on exactly when the company expects funds to be paid in or out.
  • Try the password on as many other accounts as they can. This is known by the slightly confusing name of credential stuffing, a jargon term that doesn’t refer to trying 50 different password guesses against one account, but to trying one known password against 50 different accounts belonging to the same user. If you’ve taken a security shortcut and used the same password on multiple accounts, the attackers could end up in control of all of them.
  • Sell the access details on to other cybercriminals. Shady operators who go by the annoyingly legitimate-sounding jargon name of IABs, short for initial access brokers, typically don’t carry out network attacks themselves. Instead, they concentrate on stealing, collecting, or buying up access credentials and trading them in underground forums where buyers can request access to specific targets, and sellers can offer up job lots of cracked accounts.
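The “reconfigure but leave it apparently untouched” item above is the one a defender can actually hunt for, because the forwarding and filing rules the intruders create have recognisable shapes: forwarding to an address outside the organisation, filtering on finance vocabulary, deleting or burying security notices, and names that are blank or a single dot. The following audit is an added example for this article, not the author’s or SolCyber’s code. The rule records are a constructed, simplified stand-in for what a mail platform’s admin API returns; the field names are assumptions rather than any vendor’s schema, and `ORG_DOMAINS` is a constructed organisation.

```python
"""Audit a user's mailbox rules for the hallmarks of a BEC-style takeover:
external auto-forwarding, finance-keyword filters, hidden or deleted
security notices, and rules with blank or throwaway names.

Added example for this article; it is not the author's or SolCyber's code.
The rule records are a constructed, simplified stand-in for what a mail
platform's admin API would return; the field names are assumptions, not any
vendor's schema, and ORG_DOMAINS is a constructed organisation.
"""
import re

ORG_DOMAINS = {"example.com"}          # constructed: the organisation's own mail domains

# Folders chosen for rules because nobody reads them (assumption-based list).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "notes"}

FINANCE_TERMS = re.compile(
    r"\b(invoice|payment|wire|remittance|accounts? (payable|receivable))\b", re.I)
SECURITY_TERMS = re.compile(
    r"\b(password|sign-?in|login|security alert|suspicious)\b", re.I)

# Constructed sample export of one mailbox's rules.
SAMPLE_RULES = [
    {"name": "Newsletter filing", "keywords": ["newsletter"], "forward_to": [],
     "move_to": "Newsletters", "delete": False, "mark_read": False},
    {"name": ".", "keywords": ["invoice", "payment", "accounts payable"],
     "forward_to": ["billing-desk@mail-example.net"], "move_to": "RSS Feeds",
     "delete": False, "mark_read": True},
    {"name": "Copy to my other mailbox", "keywords": [], "forward_to": ["me@example.com"],
     "move_to": None, "delete": False, "mark_read": False},
    {"name": "Tidy", "keywords": ["password reset", "new sign-in"], "forward_to": [],
     "move_to": None, "delete": True, "mark_read": False},
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return human-readable findings for one rule; an empty list means nothing notable."""
    findings = []
    external = [a for a in rule["forward_to"] if is_external(a)]
    keywords = " ".join(rule["keywords"])
    folder = (rule["move_to"] or "").lower()
    hides = rule["delete"] or folder in HIDING_FOLDERS

    if external:
        findings.append("auto-forwards to external address(es): " + ", ".join(external))
    if FINANCE_TERMS.search(keywords):
        findings.append("filters on finance keywords (accounts payable/receivable snooping)")
    if SECURITY_TERMS.search(keywords) and hides:
        findings.append("deletes or buries security notifications")
    if folder in HIDING_FOLDERS:
        findings.append(f"moves mail to seldom-read folder {rule['move_to']!r}")
    if rule["mark_read"] and (external or hides):
        findings.append("marks diverted mail as read so the owner sees no unread count")
    if not rule["name"].strip(" .,-_"):
        findings.append("rule name is blank or a single punctuation mark")
    return findings


def audit_mailbox(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (rule name, findings) for every rule that produced at least one finding."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            flagged.append((rule["name"], findings))
    return flagged


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES):
        print(f"Rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the audit is most useful as a diff: rules that appeared since the last run, especially within hours of an unusual sign-in, deserve a look even when only one of the indicators fires. Internal forwarding and ordinary filing rules, like the first and third constructed records, produce no findings at all.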

Starting out in cybercrime

Troublingly, getting started as a cybercriminal who phishes for passwords and then sells them online requires very little technical knowledge or skill, so that almost anyone can do it.

As we mentioned above, a ready-to-go web server with a domain name and a security certificate can be purchased in a few minutes for a few dollars.

And GitHub, for example, hosts several free, open-source tools, created ‘for research purposes’, that almost entirely automate the process of creating a realistic but evil copy of a legitimate site.

These click-to-phish tools generally include features such as: automatically cloning the content of a third-party site to create a pixel-perfect replica; inserting booby traps into the fake site to harvest any uploaded data; forwarding visitors to the real site after the phish to increase realism; generating scam emails for a list of targeted users, each with a uniquely trackable link; and providing a ‘campaign dashboard’ for viewing who clicked through and what personal data they gave away in the process.

In the screenshots below, I used a popular phishing ‘research toolkit’, downloadable from GitHub in ready-to-run form, to clone the Hire me to write for you page of my own website, complete with a web form that captures details from prospective customers.

The entire process, including downloading the software, cloning the page, generating a scam email template, ‘spamming’ it out to myself (the software allows CSV lists with any number of victim recipients to be imported), automatically hosting and serving up the fake page, and retrieving the stolen data via the dashboard, as shown below, took about five minutes.


[Screenshots]

From here, setting up as an Initial Access Broker is as easy as creating an anonymous account on an underground forum.

Some of these forums have been active for up to 20 years, and can be found with search engines on the regular web, thanks to front-end sites that operate in plain sight.

These publicly visible sites often present an illusion of legitimacy by publishing real-world cybersecurity news or offering genuine-looking services, but also provide handy dark web links that visitors can use with the Tor browser to teleport anonymously from the regular site to its underworld counterpart.

Here’s a long-running example, showing a cybercrime brokerage site with a main page on the regular web, offering Новости (news), Контакты (contact), Форум (forum), TOR (teleport to the dark web site), and Хранилище (storage):

[Screenshot]

The storage link provides a free cloud-based file sharing service, with an English-language front-end that almost mockingly warns you to “make sure you trust your recipient when sharing sensitive data”:

[Screenshot]

Beyond stolen passwords

Initial Access Brokers don’t just sell passwords, but also traffic in ‘attack directories’ that provide ready-to-use lists of unpatched servers with the corresponding exploitable vulnerability for breaking into each one.

Just as with phishing, numerous open-source toolkits exist that make it easy for anyone with a fast network connection, or with a bunch of innocent computers that they control remotely via malware they implanted earlier, to scour the internet for vulnerable servers.

These tools automatically find and keep a record of servers that are open for business, but not yet patched against security holes that are exploitable using already-known vulnerabilities.

In other words, attackers such as ransomware criminals or data thieves (and remember that many contemporary ransomware criminals steal data immediately before they scramble files in order to double up on their blackmail leverage) don’t need to spend their own time, or to risk giving themselves away, in order to acquire a list of prospective victims.

Some data-stealing and ransomware attacks are targeted very specifically, with the attackers deciding in advance that they are going to go after government department X or global business Y, and then explicitly buying up or finding for themselves a way into those exact organizations.

In other cases, attacks may be targeted much more loosely, with criminals buying up a list of vulnerable networks in a general category, such as ‘companies with 200 to 2000 Windows computers that rely on online sales’ or ‘hospitals with Accident & Emergency departments in major cities’, and then picking off victims from their shortlist one by one.

The underlying message

The publicity-grabbing ‘nation-state attackers’ and ‘state-sponsored actors’ we mentioned at the top of the article do exist, and represent a clear and present danger to our cybersecurity.

But the underlying message from everything we’ve talked about so far is that these so-called ‘advanced’ attackers are not the only danger we face, and probably aren’t even the primary threat we should be addressing.

The precautions promoted by Cybersecurity Awareness Month 2024, in its 21st annual incarnation, may feel as though they are old-fashioned, and obvious, and unexciting, and even unimaginative…

…but they are nevertheless profoundly important, because it is vital that none of us balk at the basics.

Blunders relating to phishing, passwords and patching are still the major underlying cause of the ever-expanding number of serious data breaches.

Fortunately, as CISA’s own social media tiles remind us, the basics are surprisingly easy to remember:

  • Unique, long, random. Seal accounts with strong passwords. Note that CISA is now officially asking us all to get rid of those artificial ‘complexity rules’ that say you must have some CAPS, and at least 1 digit, and a few $%^* wacky characters. Use that sort of trick if you like, but blindly obeying those complexity rules can lead to predictably weak passwords like P4ssWord! being judged stronger than a genuinely random choice such as RNTUMNSSXHINRVZZMAKUMOUKYXQKANXQ.
  • If it looks phishy, it probably is. Report phishing attempts. Good advice, but we suggest an even simpler and stronger rule, namely that if it LOOKS phishy, it IS phishy. If enough of us routinely reject and complain about legitimate mails that are just too close to phishing for comfort, we’ll eventually force businesses into cleaner, safer email behaviors themselves.
  • Stop clicking “remind me later.” Update your software. Don’t always be the person who hangs back to see how everyone else gets on first, or else we’ll all end up waiting indefinitely for each other. Instead, learn how to defend against updates that don’t work out perfectly by perfecting the art of rollback, which will help you with many other aspects of business continuity and disaster recovery.
  • Committed to online safety? Become a cybersecurity champion. Even if you’ve got cybersecurity covered in your own digital life, remember that friends don’t let friends get scammed!
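The first item above makes a claim worth seeing in code: a complexity gate waves through P4ssWord! and rejects the 32-letter random string, while any sensible estimate of guessing effort ranks them the other way round. The following is an added example for this article, not the author’s, SolCyber’s or CISA’s code. `COMMON_WORDS` is a constructed stand-in for a real dictionary, and the leet-speak map and the 100,000-word dictionary size used in the estimate are assumptions.

```python
"""Why 'complexity rules' can mislead: a rule-based gate versus a rough
entropy estimate, plus a generator for the 'unique, long, random' kind.

Added example for this article; it is not the author's, SolCyber's or CISA's
code. COMMON_WORDS is a constructed stand-in for a real dictionary; the LEET
map and the 100,000-word dictionary size are assumptions for the estimate.
"""
import math
import secrets
import string

COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}   # constructed
LEET = str.maketrans("4301$!@", "aeolsia")   # 4->a 3->e 0->o 1->l $->s !->i @->a
ASSUMED_DICTIONARY_SIZE = 100_000


def passes_complexity_rules(pw: str) -> bool:
    """The classic gate: at least 8 characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def estimate_entropy_bits(pw: str) -> float:
    """Rough guess-resistance in bits.

    A dictionary word dressed up with capitals, leet substitutions and trailing
    digits or symbols gets log2(dictionary) plus a few bits for the dressing.
    Anything else is scored as if each character were drawn uniformly from the
    character classes actually present, which is fair for genuinely random output.
    """
    if not pw:
        return 0.0
    # Undo the dressing: trailing digits/symbols off, then leet-speak back to letters.
    core = pw.lower().strip(string.punctuation + string.digits).translate(LEET)
    if core in COMMON_WORDS:
        return math.log2(ASSUMED_DICTIONARY_SIZE) + 8     # about 24.6 bits
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    pool = max(pool, len(set(pw)))      # fall back to distinct chars for odd alphabets
    return len(pw) * math.log2(pool)


def generate_random_password(length: int = 32, alphabet: str = string.ascii_uppercase) -> str:
    """Cryptographically random; uppercase-only by default to mirror the article's example."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(pw: str) -> dict:
    """Put the two verdicts side by side for one candidate."""
    return {"complexity_ok": passes_complexity_rules(pw),
            "estimated_bits": round(estimate_entropy_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("P4ssWord!", "RNTUMNSSXHINRVZZMAKUMOUKYXQKANXQ", generate_random_password()):
        print(f"{candidate:36} {compare(candidate)}")
```

The estimate is deliberately crude; real checkers such as password managers and breach-list lookups do far better. The point it makes survives the crudeness: the gate measures the presence of character classes, not resistance to guessing, so it can be satisfied by a predictable transformation of a dictionary word while rejecting a string that would take longer than the age of the universe to brute-force. Uppercase-only output is used to match the article; a wider alphabet or a long random passphrase is just as good.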

We still haven’t collectively built a cybersecurity culture in which we routinely Get The Basics Right.

So why not use Cybersecurity Awareness Month 2024 as a reason to set that as a goal to aim for in the year ahead?


Why not ask how SolCyber can help you do cybersecurity in the most human-friendly way? Don’t get stuck behind an ever-expanding convoy of security tools that leave you at the whim of policies and procedures that are dictated by the tools, even though they don’t suit your IT team, your colleagues, or your customers!



More About Duck


Paul Ducklin is a respected expert with more than 30 years of experience as a programmer, reverser, researcher and educator in the cybersecurity industry. Duck, as he is known, is also a globally respected writer, presenter and podcaster with an unmatched knack for explaining even the most complex technical issues in plain English. Read, learn, enjoy!
