The phishing industry today is much more than clicking on a link—it’s an industry that threatens to take down the victim and the petty scammer in one fell swoop. Here’s how it works:
Remember when you were a gamer? Not so long ago. You had the latest hardware installed: wide-screen multi-monitors, sensor-vest… you could even access your pigpen from your phone. As for cheats—you ruled!
One day, you get a message on Telegram from a sponsor. At first, he’s interested in advertising on your Twitch stream. Eventually, he tells you there’s money in hacking. You buy a malware kit for under $10 and sign up for a Coding-as-a-Service provider. Someone else is setting up phishing sites for you; hell, you can even advertise your hacks and the data you’ve scraped over the web.
Welcome to your corporate crime career.
Chances are, you’re working for one of a handful of crime bosses in the country—he’s got a stable full of Lamborghinis and Bentleys in Miami, a much-younger-than-him trophy wife or two; he may even be dealing with Russian or Chinese politicians.
But he’s gone BigBiz—just as the robber barons did in the late 19th Century’s Gilded Age, just like the mobsters of Las Vegas did in the 70s, when gambling joints became luxury, all-you-can-eat-for-a-dollar-by-the-slot-machine resorts.
High Stakes = Tasty Steaks
Well, despite Morpheus’ temptation, you luckily took the BLUE pill. Decided to stay this side of the slammer. Finished school, cleaned up your act. Now, you have your own small business. It’s not CitiCorp, but then again, it’s not Warner Brothers’ ACME INC. Now you’re on the other side of the fence. You’re threatened by scammers, hijackers, potential ransomware. The list is endless.
But it’s changed… grown! If you think it’s your bank account they’re after, well… yes. But the stakes are much higher: they’re out to get the corporations and the state governments that host them, as well. Because your phone isn’t just a gateway to your bank or municipal pay-zone; it’s their entrance to Twitter (which could go belly up if Musk decides the company’s too scam-ridden), LinkedIn (and from there to their mega-company client sites), and WordPress-based sites, through which they can mimic PayPal or any other company that uses the WordPress platform to build and maintain its websites.
Last January, a hacker calling themselves ‘Zhirinovsky’ (named after the famous Russian politician) described a process whereby a hacker can easily access a Twitter account and scrape it. He published this on a website called HackerOne, where Twitter duly thanked him and even paid him in kind for his efforts, saying they’d “look into it”. They were too late, however, and six months later, a hacker named ‘devil’ was offering user data of celebrities, companies, and more over the internet—5.4 million users at $30,000; that’s ½ a cent per user, or half the price of a local TV ad. Such data can be used in targeted phishing attacks, and—with almost ½ billion Twitter users in total—there’s more than a 1% chance your data was there.
A more frightening approach threatens to undermine nearly every shopping site created using the popular WordPress platform, which accounts for 37% of all websites and 60% of all content management systems. Here, according to BleepingComputer, hackers managed to compromise the WordPress PayPal add-on—the one that gives a site the option of letting clients pay through the world’s most trusted payment processor.
Following one such payment, a user may receive an email purportedly from PayPal saying there’s been some unusual activity on the account and requesting credit card confirmation, including email address, ID or driver’s license, etc. for multi-factor authentication. The user may think they’ve just entered the PayPal system, but they’ve been hijacked by a spoofer (an impersonator) and their data is about to end up in the wrong pockets.
But perhaps the biggest threat is the direction all of this is taking: the corporate world. Not only has hacking become an industry—they’re taking on big business; and this doesn’t mean the social platforms, but their clients. For what major brand doesn’t use social media extensively? Twitter and Facebook for advertising and PR, LinkedIn for networking, HR, and things much closer to home.
It’s great to be able to uncover a company’s major stakeholders and officers, and even better to message them personally. And your average social media manager will never ignore an email saying “you appeared in x searches this week”. Click on the link to find out who, and an important company employee has just been phished into a fake LinkedIn page asking for their username and password. Before you know it, fake Nike and Wells Fargo sites are all over LinkedIn. In fact, according to Check Point, LinkedIn scam sites accounted for 45% of all phishing attacks in 2022’s 2nd quarter.
Covering the Bait
There is very little we can do to dissuade hackers from working for crime syndicates and foreign intelligence networks when the profits are so high. The only thing we can do is cut into those profits by being wary.
Prevent scammers from accessing your coworkers, connections, and friends. Make sure you have 2-factor authentication on all your social networks. NEVER click into your social channels from an email. And once you’re IN a site, make sure that the URL is correct and the content makes sense.
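The “make sure the URL is correct” check above can be mechanised. The script below is an added example, not part of the original article: given a link lifted from an email, it flags the URL tricks the article describes (a brand name stuck in front of an unrelated domain, a one-letter look-alike domain, a forged host hidden before an ‘@’, and plain http). The allowlist of expected domains is an assumption constructed for the example.

```python
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed allowlist for this example: the sites the reader actually expects
# to log in to after clicking a notification email.
EXPECTED_DOMAINS = {"linkedin.com", "paypal.com", "twitter.com"}


def registrable_domain(host: str) -> str:
    """'login.linkedin.com' -> 'linkedin.com'. Simplification: the last two
    labels are taken as the registrable domain, so multi-label public
    suffixes such as 'co.uk' are not handled here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str) -> tuple:
    """Decide whether a link really points at one of the expected sites.
    Returns (ok, reason); the reason explains the verdict for the reader."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if parsed.scheme != "https":
        return False, f"scheme is '{parsed.scheme or 'none'}', not https"
    if "@" in parsed.netloc:
        # https://paypal.com@other.example/ : the part before '@' is userinfo;
        # the browser actually connects to other.example.
        return False, f"text before '@' hides the real host {host}"
    domain = registrable_domain(host)
    if domain in EXPECTED_DOMAINS:
        return True, f"{host} belongs to {domain}"
    for brand in EXPECTED_DOMAINS:
        name = brand.split(".")[0]
        if name in host:
            # Brand name used as a subdomain or label of an unrelated domain.
            return False, f"'{name}' appears in host but domain is {domain}"
        if SequenceMatcher(None, domain, brand).ratio() >= 0.85:
            # One-character typo or swapped letter, e.g. linkedln.com.
            return False, f"{domain} looks like {brand} but is not"
    return False, f"{domain} is not an expected domain"


if __name__ == "__main__":
    for link in ("https://www.linkedin.com/in/someone",
                 "https://linkedin.com.login-verify.example/login",
                 "https://linkedln.com/feed",
                 "https://paypal.com@other.example/",
                 "http://paypal.com/activity"):
        print(check_link(link))
```

The 0.85 similarity threshold is a constructed tuning value; lower it to catch more distant look-alikes at the cost of more false alarms.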
Over the past 3 years, we have come to rely on the internet for a major portion of our life’s needs: work, play, connectivity, news, and even our social lives. For small businesses, this has been a boon: it’s provided them with the infrastructure to actually compete with the Big Boys: services and platforms as online infrastructures, direct advertising, shipping, and sales. Suddenly you can have entire staffs at your disposal without worrying about social security or pension plans for them all. You can ship to Europe at the blink of a mouse. Cast a huge holy net.
On the other hand, if once upon a time all these were spread over a variety of communications channels, now they all funnel into this one huge black box. It contains your identity, your activities, nearly all the non-physical activities of your and your company’s existence. You’ve entrusted your life and your loved ones to a box. It’s enough to leave one flap slightly open and the entire box can be contaminated.
You need to be doubly conscious, doubly secure. Adopt anything that can help, but remember: the eyes must still be yours.