A young woman from the US was tricked into giving out the password to her email account, which led to her losing access to other online accounts such as her email, Facebook and iCloud.
Six weeks ago a young woman was asked by a distant ‘friend’ on Facebook Messenger to help her win an online modelling competition. The young woman agreed and provided her email address and password to her ‘friend’ to allow her to vote. What the young woman did not know was that her friend’s Facebook account had been hacked and that it was a cyber-criminal messaging her.
The cyber-criminal, who now had full access to the woman’s email account, changed the password on all of her accounts, including Facebook and iCloud. They were then able to gain access to a lot of the personal data stored in the young woman’s iCloud, including bank details, a picture of her passport and some explicit photos.
Something that stood out with this cyber-attack in particular was the criminal’s motive. We hear every week of people and businesses who have lost thousands of pounds to cyber-attacks, but this criminal was not interested in money. The woman said she soon received a call from the hacker, who she identified as being young and possibly a student. She said it was clear his motive was to find explicit photos of women, and that he threatened to upload her photos unless she did a live sex show for him, which she declined.
She said he accused her of leading an ‘immoral life’ after seeing evidence of her smoking, having boyfriends and being sexually active. The attacker said he was happy he had hacked her accounts and that she deserved everything, and then began to upload the pictures onto Facebook, where she had over 1000 friends.
The woman had told some of her friends what was going on and asked them to report the activity on her account. Within 15 minutes her account was disabled by Facebook; however, it was too late. She began to receive concerned messages from some of her friends who had seen the photos.
When the Facebook account was disabled the attacker was finished, and he ended the phone call with “Have a great life.” The young woman was able to recover some of her accounts, but lost her Snapchat and Hotmail accounts.
What is ‘Spear-Phishing’?
This type of attack is called a ‘Spear-Phishing’ attack. It is like a ‘Phishing’ attack, where a criminal pretends to be someone authentic such as a trusted organisation or person, only it is a targeted, personal attack.
“Phishing uses behavioural psychology to trick victims into trusting the attacker in order to obtain sensitive information,” said Paul Bischoff, Internet Security Expert. “Spear phishing is less prevalent, but far more dangerous. Spear phishing targets an individual or small group of people. The attacker can gather personal information about their target to build a more believable persona.”
The attacker, in this instance, had managed to hack a Facebook account and messaged the account holder’s friends asking for their email account passwords. He then either used the same credentials on other sites like Facebook, or used the ‘Forgot password?’ option, which would have sent a password reset link to the email account he already controlled.
A lot of people today use one email account for signing up to the likes of Facebook and Twitter. If a hacker has access to someone’s email account, there is a large possibility they can gain access to the other accounts that person has signed up to as well, because the email account is where password resets for those accounts are sent.
How to protect yourself from a Spear-Phishing attack?
To begin with, you should NEVER give anyone your passwords and NEVER use the same password twice. This one example is proof of the devastating effect that one password can have on a person’s life when put in the wrong hands. You must remember that online we never really know who we are speaking to; as this story proves, it could be anyone.
Be careful with whom you share information. Spear-phishing is not only a type of online crime; criminals can use this type of attack in many different ways, including by phone and by post.
You may sometimes wonder why websites ask for details like your mobile number when signing up. This is because many sites and applications have something called ‘Two-step Authentication’. This is something we suggest all users should set up to help protect their accounts, and themselves.
When logging in on a device for the first time, a user not only enters their password but is also sent a code to their mobile or email; they must then enter the code on the site or application to gain access. An attacker who has only the password cannot complete the login without that code. For some sites this is currently only an option that users can choose to set up on their accounts, but we predict it will soon be something a lot of sites make a necessity.