And I'm what most people think of when they imagine a hacker.
I live in my parents' basement and spend most of my waking hours online. I have a large circle of friends. I guess you can call them friends; I've never actually met any of them in real life, and we try and outdo each other by doing different types of hacks. Notoriety is the coin of the realm here.
I'm mostly just curious about what kinds of weaknesses are out there and what I can do, and how far I can get into these systems. I just want to explore for fun.
I don't mean any harm in it. Sometimes we'll change a page on a website to embarrass someone or to show the world how clever we are. But no serious damage.
The kinds of methods I use include various ways to obtain valid login credentials to the systems I want to get into.
There are lists online of the most commonly used passwords, and those can be useful.
But without the corresponding account names, I would be left with brute force attacks where I guess the account names and try each of the common passwords. That's not very efficient. Instead, I find ways to trick people into telling me their account names and password was incorrect.
Then I'll redirect their browser to the real login page where they can log in and think everything's okay. Hey, we all make typos, right? Happens all the time.
Nothing terribly suspicious here... ha ha.
Then I send a specially crafted email that looks like it was sent by the real system.
This email will tell them that they have to immediately log in to the system and do some important task. Then the email will include a handy link that they can use to go directly to the system and take care of whatever needs taking care of. However, that link doesn't take them to the real system, it takes them to my special webserver that is masquerading as the real system. By the time they get into the real system and see that everything's actually okay, I have their credentials and can log in as them. Most people will never know.
Who am I? Who wants to know? Most of us want to remain anonymous (ha ha. See what I did there?) Okay, I go by FreeData2k and I'm a hacker – and an activist. I'm a hacktivist.
I'm a member of several online anarchist collectives, and we attack targets that represent things we collectively don't agree with.
Sometimes they're specific corporations. Sometimes we go after political or social organizations if they've done something that we feel is bad. We're motivated by political, social or moral outrage.
One of our favorite attack methods is what is known as a Distributed Denial of Service attack. Or DDoS. This is where we get thousands, or hundreds of thousands, or even millions of computers worldwide to send bogus network requests to our victims' servers. With so many requests hammering their servers, they either can't fulfill legitimate requests, or they crash entirely. Either way, they're effectively taken offline. Now we don't have millions of members, so how do we get all those computers to attack our victim? Simple:
We set up a botnet. To make a botnet, first we set up a command-and-control server accessible on the internet. This is a central coordination point for all the botnet nodes. Next, we craft some malware that gets distributed lots of different ways. But a common method is to put a software installer as an attachment to spam email. A bank error in your favor? Open this attachment to find out more. By the time they realize that it isn't real, we've covertly installed our botnet software on their computer, and they're none the wiser.
Sometime later on, when some corporation or regime that we feel is evil does something we don't agree with, we'll tell that botnet, via the C&C server, to attack their servers at an appointed time and BOO! We've taken them down.
My name is Brad. And I'm a member of a cyber-terrorist group. Our aim is to intimidate and strike terror into the hearts of our enemies by causing disruption, mayhem, and damage. Our motivation is purely based on ideology. Cyberterrorism can be a tricky thing to define. Try this:
Here's NATO's definition: Cyberattacks using or exploiting computer or communications networks to cause sufficient destruction or disruption to generate fear, or to intimidate a society into an ideological goal. Unfortunately for us, we're not usually well-funded. So, our methods vary. We use whatever we can to attack our enemy high profile targets. We can disrupt internet services with DDoS attacks, and infiltrate systems to steal sensitive data, or expose the personal data about people we want harmed. We also threaten to corrupt critical information such as healthcare records, hoping to throw entire industries into disarray. As we don't usually have a lot of resources to throw at this, we don't develop much of our own malware tech. We beg, borrow and steal what we can, wherever we can find it. We've had pretty good luck with Spear Phishing though. It's like phishing, but instead of sending the emails out to a broad audience, we send the email only to specific people that we want to target. Once we've infected the computer that they use, we know that we can get to the more serious stuff – which is what we want. The world's always changing, though. Today we might be thin on resources. Tomorrow? Who knows?
Yo. I'm part of an organized crime syndicate that operates purely online. Some small-time cyber criminals operate alone, making a little money here and there. We have the resources to hit bigger targets. Our motive is MONEY! Pure and simple. Now, I'm more of an opportunist than a hardcore hacker. I'd rather not re-invent the wheel if I don't have to.
So a lot of the time, I actually just buy my malware tools instead of writing them myself. There are online malware marketplaces where I can buy malware components, and even use malware-as-a-service providers that will, for a price, perform an attack for me, complete with customer service helpline. So far, our prime targets have been networks that have point-of-sale credit card data. Then we can sell that info to any number of buyers or even use the cards ourselves. Once we're inside those networks, we can also grab the personal information about their customers. One especially rich set of targets is systems that hold healthcare data. There are lots of buyers for that.
In fact, some people make money just by trading credit card and personally identifiable information. A newer method of making money is extorting it directly from the owners of infected computers. Holding their computers and data for ransom. We call it ransomware. Usually it means infecting a computer with software that will encrypt a computer's hard drives and display a message demanding the payment of some amount of bitcoin in trade for the encryption key to get their data back. The more computers that get infected, the more money we make.
Lt. General Anderson here. I'm in command of my nation's elite force of cyber-warriors. We're motivated by, and act in, the national and military interest of our country's government. We're well-funded and have the resources to not only use any exploit method that exists, but also develop new ones on our own. If you're thinking that we're the "good guys", then it depends on your point of view. If you and I are on the same side or the same country, then yeah, we're the "good guys". But do realize that other unfriendly countries have teams just like mine that are potentially taking aim in your direction.
Unlike the other actors that you've been learning about, we do not have a singular focus. Our missions include espionage, extortion, and embarrassment on one end, to using targeted cyber-weapons to disrupt, damage, or destroy critical infrastructure on the other.
To complete these missions, we use a variety of attack methods. Heck! We use them all! Obviously I can't talk about most of them, but one well-known method is to leverage unpatched vulnerabilities in common operating systems and applications. These are also known as "zero day" exploits. Presumably because when the exploit's launched, the vendor has had zero days to fix the problem. Using some of the resources I mentioned earlier, we do intensive research on these common operating systems and applications, finding weaknesses, bugs, and other behaviors that we can use to attack our enemy's computer systems. When we do find vulnerabilities, we keep them secret. We don't want them to fix the problem. If they did fix the problem, then our expertly crafted exploits would be useless. Hopefully, we're the only ones that know about the vulnerability. If it comes time that we have to launch an attack that uses an exploit of an unpatched vulnerability, then likely it won't be long until someone figures out how that attack worked. Then the software vendor will almost always issue a patch right away. So, once we use one, it has a pretty short shelf-life before it's no longer usable again. Again, it's why we keep the secret.