When it comes to finding security holes in a company’s information system, people hired to hack into a company’s systems start with what is often the biggest and clearest vulnerability.
At the highly technical Infiltrate hacking conference, a professional penetration tester for a major company in Silicon Valley told Business Insider that the easiest way to infiltrate a client’s system is to bait an employee into clicking on an infected link in a seemingly innocuous email.
“People love to click on that blue line,” Ray Boisvert, a veteran of Canada’s intelligence services, told Business Insider at the conference.
From there, the hacker for hire can acquire the employee’s username, passwords, and other sensitive information — which can lead a hacker into the company’s system.
This tactic, known as “phishing,” can be executed by unskilled scammers. When executed by a professional, however, phishing becomes a highly targeted tool.
Unlike criminals sending emails about winning a million dollars from Nigeria, sophisticated hackers spend time learning what they can about their target in order to craft an email — and a persona — that will look authentic enough for the victim to trust.
How it’s done
Sean Gallup/Getty Images
The pen tester in Silicon Valley described a scenario in which he would be looking for information security vulnerabilities in a major airline.
He would scour LinkedIn looking for the least cybersavvy airline employees, such as those who work in nontechnical areas and new hires unlikely to recognize an atypical email.
The infiltrator will then try to guess the employee’s email address by learning the format of a typical address for that company (e.g., firstname.lastname@example.org) and sending out messages repeatedly until they stop bouncing back.
After attaining the victim’s email address, the hacker looks to social media to learn as much as possible about his target’s professional background, friends, and general interests.
In this way, he can customize the phishing email as much as possible — even posing as one of the victim’s closest friends (profile picture included) — to make it look familiar and increase the odds that the target will trust it.
The penetration tester we spoke with said that just the week before he handed all of a company’s passwords back to them after a successful phishing attempt.
He also noted that the tactic is highly illegal when done outside of a professional environment.