5 Hackers You Should Know (They may already know you!)
Over the last several years, I’ve dedicated my professional career to defending some very prominent organizations against some very skilled hackers. As an expert in cybersecurity, I frequently get asked what an individual (a “normal person”) should do to defend against cyber criminals in their own personal lives.
In short, I believe that these are the most important cybersecurity strategies for individuals:
- Use different passwords for each web site and store your passwords in a secure password manager.
- Pick password reset questions that aren’t easy to research or guess. Consider using fake password reset questions.
- Turn on two-factor authentication at sites where it is offered.
- Keep your operating systems, applications and antivirus up-to-date.
- Learn about common scams. Be especially wary when you are using a digital platform to buy or sell things, or when transferring money to another person who contacts you through email, text, social media or even by phone.
If you are the type of person who trusts experts, don’t bother to read any further. The information above will protect you pretty well.
My wife, who is an amazing and exceptional woman, but definitely a “normal person” where technology is concerned, always keeps me grounded. I was talking with her about some security best practices recently and she said:
I feel the same way about most “Security Experts” that I feel about that “Prince” who emails me offering a share of his lottery winnings. I’m confused and irritated by both of you. Why do I actually have to do these things?
During my 25-year long career in Information Technology and Security, I’ve written hundreds of policies, procedures, articles and emails covering security best practices. If I’m honest, I don’t have strong proof that our expert efforts have improved individual security practices much during that timeframe. If our expert advice worked, we would all be more secure and security breaches would be rare. I think people are overwhelmed by advice when they can't connect it to the questions "why" and "what's in it for me?"
So if you don’t want to take my word for it, I’ll introduce you to 5 hackers you should know and they can tell you about the security mistakes that you make and how those mistakes can help criminals achieve their malicious goals.
Pierre – The Password Hacker
- Hacks web sites and steals passwords and credit cards.
- Has software that tests stolen usernames and passwords to see if they are being re-used on other web sites. The software can automatically tweak years, dates, numbers or symbols to look for similar passwords in use at other sites.
- Sells collections of passwords and credit cards on Russian criminal forums. Small batches of validated banking and email credentials are sold for a premium.
- Sells bundles of Netflix, HBO and Hulu accounts on criminal web sites.
- Doesn’t waste his time trying to use the passwords himself and doesn’t care much about the individual accounts he is stealing. Pierre’s business is a game of numbers. He wants to get as many passwords as he can as quickly as possible and sell them to his criminal forum customers.
- Sometimes trades collections of passwords with other criminals.
Pierre likes:
- When you re-use the same passwords across multiple sites. Similar passwords are great for Pierre too. You probably assume that Pierre’s software isn’t able to change “Winter21!” to “Spring21!” or “Colts?34” to “Colts?35” but of course you would be incorrect.
- Passwords for any site are valuable to Pierre but he really likes financial and email accounts. Those are more valuable and can be sold in smaller batches to other criminals who will do the messy, time consuming work of actually exploiting the accounts for financial gains.
Pierre dislikes:
- When you use different passwords for every site, especially when you use a secure password manager (LastPass, 1Password, Dashlane) to store those accounts.
- When you use two-factor authentication to protect your account logins.
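To see why “Winter21!” and “Spring21!” count as the same password from a defender's point of view, here is an added example (not from the original article) that flags a new password as a near-copy of one you already use. The names `skeleton` and `find_near_reuse` are hypothetical, the word list is a small illustrative sample, and the check assumes it runs somewhere the old passwords are legitimately available, such as your own password vault.

```python
import re

# Words people commonly rotate from one password to the next (illustrative list).
ROTATING_WORDS = frozenset(
    "winter spring summer autumn fall january february march april may june "
    "july august september october november december".split()
)

# Split a lowercased password into runs of letters, digits, or anything else.
_TOKEN = re.compile(r"[a-z]+|[0-9]+|[^a-z0-9]+")


def skeleton(password: str) -> tuple:
    """Reduce a password to the parts that survive a trivial tweak.

    Digit runs become "N", symbol runs become "S", and season/month words
    become "W", so changing a year, a number, a symbol or a season leaves
    the skeleton unchanged.
    """
    parts = []
    for token in _TOKEN.findall(password.lower()):
        if "0" <= token[0] <= "9":
            parts.append("N")
        elif "a" <= token[0] <= "z":
            parts.append("W" if token in ROTATING_WORDS else token)
        else:
            parts.append("S")
    return tuple(parts)


def find_near_reuse(candidate: str, known_passwords):
    """Return the existing password that `candidate` merely tweaks, or None."""
    target = skeleton(candidate)
    for old in known_passwords:
        if skeleton(old) == target:
            return old
    return None


if __name__ == "__main__":
    vault = ["Colts?34", "Winter21!"]  # constructed sample passwords
    for new in ("Colts?35", "Spring21!", "plum-Orbit-7-kettle"):
        print(new, "-> near-copy of:", find_near_reuse(new, vault))
```

A password that passes this check is only "not an obvious variant"; a randomly generated password from a password manager remains the safer choice.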
Yelena – The Banking Fraudster
- Purchases batches of passwords on the dark web (maybe from Pierre) and attempts to use that information to break into banking accounts.
- Searches on the internet to learn more about her victims. Social media postings, public databases and genealogy sites are especially helpful to her.
- May purchase illegal remote access to a computer in the same town as her victim to avoid triggering fraud alerts and additional authentication questions.
Yelena likes:
- When information listed in your account profile for one web site helps her answer security questions for another web site.
- When you don’t change your passwords after web site breaches are publicized. This gives her more time to break into your accounts.
- When you pick the easiest password reset questions on the list. She would prefer if you picked questions that are easy for her to research like “Mother’s maiden name”, “high school mascot” and “favorite food”. She’s very happy when you have played the “Soap Opera Name” game and other quizzes on Facebook and have helpfully provided your first pet’s name, the make of your first car, the first concert you ever went to and the name of the street you grew up on.
Yelena dislikes:
- Two-Factor Authentication. It’s the worst. When your account has two-factor turned on, she will typically move to the next victim on her list because it’s too hard to break in.
- When you have fake answers for your security reset questions. Why would you say that your high school mascot was a bear, when it was actually a tiger?
Karl – The Carder
- Purchases batches of credit cards on the dark web (maybe from Pierre).
- Tests card numbers by purchasing web site memberships or other inexpensive items online.
- Valid card numbers are used to purchase electronics or other items that can easily be sold on eBay.
- In cases where multiple small purchases are successful, Karl may resell the credit card number to other criminals who are able to manufacture physical credit cards. Those cards will be used by criminals for additional purchases.
- Karl also purchases identities from breached web sites and uses the information to set up new credit card accounts.
Karl likes:
- Victims who don’t regularly check their credit card accounts for unusual charges. This gives Karl more opportunity to use the cards before they are cancelled.
- People on Craigslist who are willing to buy things or ship things with no questions asked.
Karl dislikes:
- People who have a credit freeze in place with Equifax, Experian and TransUnion. This makes it nearly impossible for Karl to create a new credit card in your name and then he’s limited to running up charges on your current accounts until you notice.
Aleks – The Malware Author
- Uses a toolkit that he purchased on the dark web to produce malware that logs typed keystrokes, reads and sends email messages and exports passwords stored in web browsers. His malware also checks in regularly for new instructions.
- Sends out millions of phishing email messages every day with malicious web site links or infected office documents.
- Pays attention to US news and holiday calendars so he can adapt his phishing messages and find creative new ways to get people to click on links and open attachments.
- Sells bundles of passwords and access to infected computers on the dark web to make money.
Aleks likes:
- People with no antivirus or outdated antivirus.
- People with outdated operating systems.
- People who store their passwords in their browser.
- People who like to click on things and open things from their email, even when messages come from people they don’t recognize.
Aleks dislikes:
- People who use a password manager like LastPass, Keeper, 1Password, or Dashlane. His malware isn’t able to grab passwords out of those utilities and his keyboard logging doesn’t work when passwords are pasted directly into the browser.
- People who turn on automated Windows updates.
- People who turn on macro security in Microsoft Office.
Hana – The Scammer
- Understands human psychology and takes advantage of multiple emotional manipulation techniques to deceive her victims.
- Uses email, text messaging, social media, phone calls, or fake web sites in various schemes that she adapts over time.
- Knows where her victims work, worship, volunteer, and send their kids to school. Can impersonate trusted people from each of those settings.
- Is bold and thinks quickly on her feet.
- Targets businesses or individuals with different scams. Quickly moves to a new strategy when an existing one stops working.
Some of her favorite scams:
- Spoofed websites – Sends messages indicating your account is locked, membership needs to be renewed, unusual activity was detected, or similar. Directs you to a fake website to steal your credentials. Banking, streaming, retail, credit cards, and insurance are the most commonly spoofed sites.
- Help Me! – Pretends to be a family member or clergy in an urgent situation. Asks for money transfer or gift cards.
- Government – Indicates that you are in trouble with the Police, FBI, IRS, Medicare, or similar. Pay money or send gift cards immediately to clear up the trouble.
- Craigslist and eBay scams – Offers great deals on cars, electronics, or other desirable products. Collects money through unusual channels to cover unexpected shipping, insurance, overpayment, or escrow costs.
- Tech support scams – Convinces a victim that there is a problem with their computer or mobile phone that can only be solved by purchasing her software or services.
- Bank Transfer Scams – Changes payment details on existing accounts to funnel payments into a new bank.
- Extortion – Convinces a victim that she has access to their computer or mobile device and knows about the “bad things” that they have done.
Hana likes:
- People who are generally trusting and react quickly to emotional appeals.
- People who are too embarrassed or too busy to ask questions or to delay a decision until they can investigate or talk to family, friends or financial advisors. Doctors, lawyers, and executives are the best because they are often in a hurry and may be too embarrassed to report when they are victims of her scams.
- People who share a lot of personal information publicly on social media.
- People who want something for nothing or amazing deals.
Hana dislikes:
- People who know that requests for a wire transfer, prepaid debit cards, or gift cards are almost always a scam.
- People who aren’t afraid to confront authority.
As you probably gathered from the information above, the world of cyber criminals is populated by people with different skills, different methods, and different goals. These 5 hackers you should know represent a sample of the issues that you should be aware of.
So once again, my recommendations are:
- Use different passwords for each web site and store your passwords in a secure password manager.
- Pick password reset questions that aren’t easy to research or guess. Consider using fake password reset questions.
- Turn on two-factor authentication at sites where it is offered.
- Keep your operating systems, applications and antivirus up-to-date.
- Learn about common scams. Be especially wary when you are using a digital platform to buy or sell things or when you are asked to transfer money to another person who contacts you through email, text, social media or even by phone.
Have a question? Have a recommendation for another hacker that we should meet? Have your own expert advice for “normal people”? Comment below or email me: [email protected]
(Hey Hana and Aleks… please don’t bother emailing me.)
Notes:
- Although all of the hackers referenced in this article are fictitious, the illegal activities described are based upon examples from the real world.
- The people in the pictures are also not real. They were created through Artificial Intelligence. See https://thispersondoesnotexist.com for more information. I grabbed the first 5 random pictures that weren’t obviously flawed and a list of random names from the internet. Any resemblance to you or your cousin Sal is purely coincidence.
- If I added a 6th recommendation, it would be "back up your data securely". That's a hacker for another day.
- To my fellow colleagues who work in information security: You and I could have a healthy discussion of 100 ways that this article mischaracterizes how things work in dark markets, oversimplifies complex issues, doesn’t match a particular nuance of a real-world attack chain or naively distills multiple actors into one person. Also, I'll admit that I'm using the term hacker loosely and incorrectly. I welcome your input and constructive criticism. Please keep the target audience in mind.
Assistant Vice President, Information Security at Cox Communications
3 years ago: Great article, covers all the important topics. I plan to share with all the "normal" people in my life!
Retired
3 years ago: Well done Brian! Keep up the good work.
Enterprise Client Executive
3 years ago: "normal" person here - what secure password manager would you recommend?
Bringing Unprecedented Simplicity, Reliability and Security to Customers’ Enterprise Networks | Enterprise Account Manager | Juniper.net
3 years ago: Brian, great article, thx for the reminders. Now if you'll excuse me, I have to go change a bunch of passwords and turn on all the two factor authentication options that I've ignored!