A friend recently commented that hackers won’t benefit from getting access to his email account. “There’s nothing there,” he laughed, “it’s a waste of time for them. I’m a nobody.”
A few weeks later, I noticed a trend in which the credentials of some Filipino doctors were being used to produce fake medical certificates for employees, complete with the doctor's email contact details. The unscrupulous groups doing this charged a fee, and when inquiries arrived in the real doctor's inbox, the group answered them on the doctor's behalf.
It struck me how trivial it is for attackers to redirect incoming email from a compromised inbox to themselves. Setting up a forwarding rule is one of the first things any attacker does after taking over an email account, and the owner is often none the wiser that someone else is reading and sending mail on their behalf. Compromised email accounts can have far more devastating outcomes than that, though.
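The check that follows from this is to audit the mailbox's rules for exactly that setup: a rule that copies incoming mail to an outside address, usually paired with delete, mark-as-read or move-to-an-obscure-folder so the owner never sees it. The script below is an added example, not code from the column or from any mail provider. The rule records and their field names (name, conditions, actions, forward_to, redirect_to, delete, mark_read, move_to) are an assumed, generic shape standing in for whatever your provider's rule export actually looks like; map your export onto it before running it for real.

```python
"""Audit a mailbox's rules for the forwarding setup a hijacker typically adds
first: silently copying incoming mail to an external address, often paired
with delete / mark-as-read / move-to-folder so the owner never notices.

Added example. The rule records and field names below are an assumed generic
shape, not any provider's real export format.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    severity: str   # "high" or "medium"
    reason: str


def _is_external(address: str, own_domains: set[str]) -> bool:
    """True when the address is outside the domains the owner controls."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in {d.lower() for d in own_domains}


def audit_rules(rules: list[dict], own_domains: set[str]) -> list[Finding]:
    """Return one Finding per rule that sends mail outside own_domains."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        actions = rule.get("actions", {})
        targets = list(actions.get("forward_to", [])) + list(actions.get("redirect_to", []))
        external = [t for t in targets if _is_external(t, own_domains)]
        if not external:
            continue  # forwarding inside the organisation is business as usual
        hides = any(actions.get(k) for k in ("delete", "mark_read", "move_to"))
        catch_all = not rule.get("conditions")  # no conditions: applies to every message
        reasons = ["forwards to external address(es): " + ", ".join(external)]
        if catch_all:
            reasons.append("matches every incoming message")
        if hides:
            reasons.append("also hides the message from the owner")
        if len(name.strip()) <= 1:
            reasons.append("near-empty rule name")  # '.' or ' ' are common attacker choices
        severity = "high" if (catch_all or hides) else "medium"
        findings.append(Finding(name, severity, "; ".join(reasons)))
    return findings


# Constructed sample export: one legitimate rule and two that warrant a look.
SAMPLE_RULES = [
    {"name": "Lab results to Ana",
     "conditions": {"from": "lab@clinic.example"},
     "actions": {"forward_to": ["ana.cruz@clinic.example"]}},
    {"name": ".",
     "conditions": {},
     "actions": {"forward_to": ["drsantos.backup@freemail.example"], "delete": True}},
    {"name": "Invoices",
     "conditions": {"subject_contains": "invoice"},
     "actions": {"redirect_to": ["accounts@partner.example"]}},
]


if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES, {"clinic.example"}):
        print(f"[{f.severity}] rule {f.rule!r}: {f.reason}")
```

Inbox rules are only one mechanism. The same audit should cover the account-level "forward all mail" setting and any third-party applications granted access to the mailbox, and in an organisation it should be run across every mailbox rather than on demand for one victim.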
In one case I handled last year, a middle-aged specialist doctor was befriended online by a self-described savvy investor. "I just need P5,000 to deposit into this bank account, and I can return P8,000 to you in a week," the investor said, and, surprisingly, the money was indeed returned. The next request was to borrow P10,000 for a P15,000 return, which was honored as well, winning the trust of the ecstatic eye doctor.
Eventually, the investor offered to enroll the doctor in a special banking account, and even offered to do it on her behalf because, well, the process was "a little complicated for non-techy people." Understandable. "Well then, I would need your email credentials, so I can make it easier for you," read the Viber message in Tagalog. At this point the doctor simply handed over the information; what harm could it do, after all? Only after the damage was done did it become clear why this lady doctor had been specifically targeted and befriended.
It turned out she had been designated one of the transaction approvers for a shared online banking account belonging to a group of local doctors in her specialty, and somehow the attackers knew this. None of the doctors in the group were particularly technologically inclined, and all of them did their banking in person at the branch.
Unbeknownst to them, the account also had a live online banking portal through which transactions could be made. Once the attackers had access to the lady doctor's inbox, they used her email to authorize a string of online transactions through that portal; since approval ran through her mailbox, control of the mailbox was, in effect, control of the account. Ultimately, the group lost all the profits and savings it had accumulated over the previous three years.
Digging deeper, we hypothesized that the attackers had identified her as the account's approver by scouring the inbox of another hacked email account, one belonging to an acquaintance of hers.
While this is certainly one of the more unfortunate outcomes, the truth is that catastrophic cybersecurity incidents like this one are often the product of numerous smaller, seemingly inconsequential breaches. When all these little tidbits of information are combined, mined and analyzed, they give an attacker the complete picture needed to plan the next big heist.
You may be wondering how this all works. Let's start small and imagine that attackers won't actually read hacked inboxes (you can bet that they will) and, for now, that they only collect the list of recipients and correspondents under each hacked account. This sounds harmless at a glance, but from those email addresses alone a huge map of relationships between people and organizations can be compiled into a database: thousands of people's names, the organizations they work for (read straight off the domain of the address) and their likely relatives (guessed from shared surnames in email addresses, which is a noisy heuristic but a cheap one), all ready to use as fuel for daily 9 a.m. to 5 p.m. scamming operations.
Now imagine that, over time, this database grows more detailed. By hacking and bulk-buying thousands of personal records from the dregs of the internet, the attackers can attach mobile numbers, SSS numbers, health records and even home addresses to the people already in it.
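To make the two preceding paragraphs concrete, here is the relationship map and its enrichment as a short script. It is an added example, not code from the column: the three captured message headers and the "leaked" records are constructed, the organisation-from-domain and relatives-from-surname rules are the heuristics described above (assumptions, not anything the column specifies), and a real operation would run this over thousands of mailboxes rather than three headers.

```python
"""How harvested inboxes turn into a relationship map, and how that map is
then enriched with bought or leaked records.

Added example. Messages and leaked records are constructed; the
organisation-from-domain and relatives-from-surname rules are heuristics.
"""
from collections import defaultdict
from email import message_from_string
from email.utils import getaddresses
from typing import Optional

# Constructed: headers of messages found in three different hacked mailboxes.
CAPTURED_MESSAGES = [
    'From: "Dr. Maria Santos" <maria.santos@clinic.example>\n'
    'To: Jose Reyes <jose.reyes@bank.example>\n'
    'Cc: admin@eye-society.example\n'
    'Subject: Authorisation for monthly disbursement\n\n',
    'From: Ben Santos <ben.santos@mail.example>\n'
    'To: maria.santos@clinic.example\n'
    'Subject: Dinner on Sunday\n\n',
    'From: admin@eye-society.example\n'
    'To: "Dr. Maria Santos" <maria.santos@clinic.example>, "Dr. Ana Cruz" <ana.cruz@clinic.example>\n'
    'Subject: Approver list update\n\n',
]

# Constructed: what a bulk-bought dump might add, keyed by email address.
LEAKED_RECORDS = {
    "maria.santos@clinic.example": {"mobile": "+63 900 000 0000", "profession": "ophthalmologist"},
    "nobody@elsewhere.example": {"mobile": "+63 900 000 0001"},
}


def correspondents(raw_message: str) -> set:
    """All (display name, lowercase address) pairs found in From/To/Cc."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {(name, addr.lower()) for name, addr in getaddresses(headers) if addr}


def guess_surname(name: str, addr: str) -> Optional[str]:
    """Heuristic: last word of the display name, else last dotted part of the local part."""
    if name and " " in name:
        return name.split()[-1].lower()
    local = addr.split("@", 1)[0]
    return local.rsplit(".", 1)[-1].lower() if "." in local else None


def build_map(messages):
    """Return (people, links, likely_relatives) built from a pile of raw messages."""
    people = {}                     # address -> {"name", "org", "surname"}
    links = defaultdict(set)        # address -> addresses it has appeared alongside
    for raw in messages:
        parties = correspondents(raw)
        for name, addr in parties:
            entry = people.setdefault(addr, {"name": name, "org": addr.split("@", 1)[1], "surname": None})
            if name and not entry["name"]:   # fill in the name once we see one
                entry["name"] = name
            entry["surname"] = guess_surname(entry["name"], addr)
        addrs = [addr for _, addr in parties]
        for a in addrs:                      # everyone on one message is linked to everyone else on it
            links[a].update(b for b in addrs if b != a)
    by_surname = defaultdict(set)
    for addr, entry in people.items():
        if entry["surname"]:
            by_surname[entry["surname"]].add(addr)
    likely_relatives = {s: a for s, a in by_surname.items() if len(a) > 1}
    return people, dict(links), likely_relatives


def enrich(people: dict, leaked: dict) -> int:
    """Attach leaked fields to people already in the map; return how many matched."""
    matched = 0
    for addr, record in leaked.items():
        if addr in people:
            people[addr].update(record)
            matched += 1
    return matched


if __name__ == "__main__":
    people, links, relatives = build_map(CAPTURED_MESSAGES)
    enrich(people, LEAKED_RECORDS)
    for addr, entry in sorted(people.items()):
        print(addr, entry, "knows:", sorted(links.get(addr, ())))
    print("likely relatives:", relatives)
```

Two things worth noticing. The surname join is only a hint: in a country where a handful of surnames are very common, it produces plenty of false positives, so attackers corroborate it with other signals (shared messages, shared home addresses) before acting on it. And the enrichment step needs nothing clever, just a common key; that is why a phone number or email address leaking from one unrelated site immediately raises the value of every other record already in the database.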
To use a military analogy, this is akin to an invading army having all the information it needs to wage effective war on another country. While I don't profess to be familiar with military intelligence, I imagine that means knowing all the defense capabilities, scheduled routines and personnel numbers of the country it wants to lock horns with. I don't expect that battle to be a very fair fight.
This is also why PII (personally identifiable information, such as names, email addresses and phone numbers) has become the "black gold" of the modern internet age: everybody is scrambling for it. Not only is it highly desirable to the vast number of advertising networks and eagerly collected by our favorite social media platforms; all this seemingly benign PII also fuels the mind-bogglingly lucrative scamming industry.
Simple tidbits such as what a person does for a living, her age, where she works, possibly her position and her work phone number may suddenly reveal a middle-aged, IT-averse specialist doctor with an online bank account. So no, not every inbox holds nuclear launch codes, the 13 spices of KFC, or a memoir of who assassinated Ninoy Aquino, but I can guarantee that there will be something in it that can eventually be weaponized for a cybersecurity attack. There are no "nobodies" here.
The key is to be aware that attackers are trained to recognize which seemingly innocent tidbits of information can be weaponized; this is, in fact, what they do for a living. We all share the responsibility of protecting information, if not for ourselves, then for everyone who uses the internet.
* * *
Paul Prantilla is director for security operations of Red Rock IT Security.