
How to... get Things done

Examples for attacks on computers

This section describes a number of techniques that computers make possible. Apart from these, all the 'old' ways of course still exist, starting with door-to-door sales and leading up to burglary or blackmail.

Attacks from all directions

Experts call these "attack-vectors". There are, among others, these possible ways to steal your data or to defraud you:

  • Interviews: it is surprising how many people answer sympathetic strangers in public places, even when they are asked for their address or PIN!
  • Door-to-door sales and cold phone calls: it is much easier to get a contract signed when customers are taken by surprise and try to get rid of the salesperson or do them a favor. This also holds when passers-by are addressed in public places.
  • Phishing: eMails are an extremely cheap way to 'check out' huge numbers of people in a short timeframe. It already pays off if only a tiny fraction falls for it.
  • Fake web sites: Links in phishing eMails often lead to fake copies of bank web sites that are indistinguishable from the original except for the URL. Browsers will often not even warn you about security, because these sites may employ a valid certificate and support https for secure transfer. For these reasons you should NEVER click on links in eMails, but rather enter the web address (URL) yourself or find it using web search. Search services like Google, Duck Duck Go or Bing filter out these fake sites or rank them extremely low if they know them at all.
  • Identity theft: when hackers obtain your password, they can act in your name. They can transfer money from your accounts or compromise more services, either by exploiting the fact that you re-used the same password for them or by employing the "forgot password" function to change it for themselves.
    • While the latter can at least easily be detected by the victim, an attacker who keeps a cracked password unchanged is possibly more harmful, because this gives the attacker more time. One of the most important rules is therefore to use a different password for each service, which in turn suggests using a password manager.

Trojans as give-away items

The Trojan horse was disguised as a present; already 2500 years ago this was a well-known trick to obtain access. Nowadays USB sticks are a popular give-away, because they are cheap and easy to brand for advertising. They are a favorite tool of hackers, because they can stand in for any input or output device of the computer. They can start programs by acting as mouse or keyboard input. They can place themselves between browser and web page by pretending to be a network adapter. In this so-called 'man in the middle' position they can pick up the whole traffic, including passwords.

This trick was used, for example, in the arrest of Ross Ulbricht in October 2013. Two FBI officers acting as an arguing couple for diversion placed a USB stick in Ulbricht's laptop to prevent locking. This was sufficient to also obstruct the hard-drive cleaning that Ulbricht had installed to wipe evidence from his computer. They obtained full access to the confiscated computer.

It is sad, but especially with free or found valuables you should be suspicious and search for possible motives.

Free offerings, including Viruses

It is easiest to motivate people using greed, avarice or fear.

In many cases the search for free video or music leads to virus-plagued web sites. You should never start downloaded programs or scripts unless you trust the web site and are very sure about its identity. As of Windows 7, admin mode must be confirmed separately whenever a program requests administrative rights. This warns the user once again, but programs are still often installed recklessly.

Actually most programs should not require installation. For example, none of the Spoc-Applications available from this web site will require administrator-access. This gives you the certainty that these apps cannot modify your computer. For installation simply unzip and copy the folder wherever you want.

Besides relying on users starting downloaded software, hackers also deploy pop-ups and adware on web sites to exploit bugs in browsers or lure users into clicking them.

In the best case you only have to reinstall the computer eventually, but it can be worse: so-called 'ransomware' such as WannaCry in May 2017 encrypts all your files and holds them 'hostage' until you pay money to decrypt them.

Attacks via eMail

EMail receives increased attention due to its perceived personal nature, although eMails can be considered weapons of mass confusion, since they are extremely cheap.

This motivates different kinds of attacks described below.

EMails to 'check out' potential victims

Insecurity in handling electronic media, especially among older people, can be exploited efficiently by mass eMail.

Just like with cold calls, gullible people can be unsettled by eMails and motivated to imprudent actions.

Often a seemingly easy way out is offered, e.g. by paying a small "administrative fee". But if someone pays it, they qualify as susceptible to blackmail and will be faced with ever higher charges. This pattern is especially devious and can only be broken by a competent and self-assertive attitude on the part of the victim.

It is liberating and exhilarating to see how to break out of these schemes, as this TED Talk shows, in which James Veitch pretends to let himself in for shady deals via eMail.

Phishing eMails with links to fake web sites

Another way to destabilize people is to notify them of an alleged problem (locked bank account or overdraft, security issues etc.) and prompt them to log in to a fake web site. Conveniently, the suitable links are provided in the same eMail.

It is easy to copy an existing web site and route the whole communication across your own site. This is known as a "man in the middle" attack. By presenting a login dialog, usernames and passwords can easily be obtained. These can even be fed into the actual web site to proceed and leave the victim unsuspecting of the fraud.

Both the eMail sender and the link to the web site can easily be faked to look authentic. Never use links from eMails to log into secured web sites!

Statistically attractive eMail-offerings

For this kind of attack you only need a sufficiently large set of eMail addresses. These can be bought cheaply in large quantities on the internet, and in only three steps you can construct a proposal that looks quite compelling to the individual recipient. In this case greed instead of fear is used to motivate the victim.

  1. Split the addresses into two groups and send them a forecast that e.g. a share will rise or fall, together with the offer to manage a stock portfolio for them. In any case this prediction will come true for one half of the recipients.
    For most of the readers, though, this will not be enough reason to trust these managers with their money.
  2. But you can repeat this scheme by splitting the list in half once again and making another prediction for the next week. Again it will be true for half of the recipients, and they begin to wonder.
  3. The third time the sender is right with their prediction, they seem to have an infallible intuition for the stock market, and you begin to think whether it wouldn't be a good idea to open up a portfolio with them.

Of course this happens only with an eighth of the original recipients (half of the half of the half), but if only a fraction of these take that bait, the effort has paid off. The sender can pretend to make further good investments (e.g. using fake reports with buy/sell decisions after they have taken place) until enough money has accumulated and then get away with it.