If you’ve been paying attention to tech news lately, you’ll have noticed there have been 3 major hacks. Western Digital, Linus Tech Tips, and MSI were all recently hacked. Linus Tech Tips had their YouTube channels taken over by bitcoin scammers pretending to be Elon Musk with AI tech. MSI had all of their internal data stolen; it hasn’t been released yet, but the hackers are threatening to do so if MSI doesn’t pay. Finally, Western Digital had a lot of their internal services compromised, and possibly their cloud services. We’re not entirely sure how deep the Western Digital hack goes, but because of those cloud services it’s possible the hackers could have whatever you uploaded to them. What AMAZING hackers could take down such large tech companies? HOW!? It’s simple: phishing.
If you didn’t know, most hacks don’t happen like they do in movies, games, or books. It’s very rare for hackers to find vulnerabilities in a system. Hell, it’s super rare for hackers to even use a dictionary attack or a brute-force attempt. A dictionary attack is when you use a program to run through a list of words spelled in many different ways, sometimes with numbers added. Each word is tried about as fast as your CPU can execute an instruction, so you can run through millions of words per second. This is why you’re not supposed to use words for a password. A brute-force attack is when you run a program that just tries every combination of characters on your keyboard. It’s like trying every key in the world on someone’s front door: slow, but it will work. This is why longer passwords are supposed to be safer, but neither length nor word choice matters for security now.
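To put numbers on the two attacks just described, here is an added example (my own code, not from the original post): it checks whether a password is just a dictionary word dressed up with the leet spellings and trailing numbers a wordlist run enumerates, and works out the keyspace and worst-case sweep time for a genuinely random password. The wordlist, the 95-character keyboard alphabet and the 10^9 guesses-per-second rate are constructed assumptions; none of this helps, of course, if the password is simply phished.

```python
import math
import string

# Constructed stand-in for a cracking wordlist; a real policy check would load
# a large dictionary file (for example a top-N leaked-password list).
WORDLIST = {"password", "dragon", "welcome", "monkey", "sunshine", "letmein"}

# The "spelled in many different ways" variations a dictionary attack enumerates:
# leet substitutions, case changes, and a trailing year or symbol.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(candidate: str) -> str:
    """Collapse a password back to the dictionary word it was built from."""
    base = candidate.lower()
    # drop trailing digits/punctuation first ("dragon2023!" -> "dragon")
    base = base.rstrip(string.digits + string.punctuation)
    # then undo leet spelling ("dr4g0n" -> "dragon")
    return base.translate(LEET)


def is_dictionary_based(candidate: str, wordlist=WORDLIST) -> bool:
    """True if a dictionary attack would reach this password almost instantly."""
    return normalize(candidate) in wordlist


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def brute_force_seconds(length: int, alphabet_size: int,
                        guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at a given guess rate."""
    return alphabet_size ** length / guesses_per_second


def assess(candidate: str, guesses_per_second: float = 1e9) -> dict:
    """Policy-check view: is this a dressed-up dictionary word, and if it is
    random, how long would a brute-force sweep take at the assumed rate?"""
    alphabet = 95  # printable ASCII, i.e. "every character on your keyboard"
    return {
        "dictionary_based": is_dictionary_based(candidate),
        "bits": round(keyspace_bits(len(candidate), alphabet), 1),
        "brute_force_days": brute_force_seconds(len(candidate), alphabet,
                                                guesses_per_second) / 86400,
    }


if __name__ == "__main__":
    for pw in ("Dr4g0n2023!", "P@ssw0rd", "xk9#Qpr2", "xk9#Qpr2mL4v"):
        print(pw, assess(pw))
```

The point the numbers make: `Dr4g0n2023!` is eleven characters and looks strong on paper, yet it normalizes to `dragon` and falls in the first fraction of a second, while a random eight-character string already needs weeks at a billion guesses a second.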
Hackers use social engineering and phishing to hack into accounts. Social engineering is when hackers use information you, and/or your friends, post online to get the answers to your security questions. “Your birthday determines your blah blah blah,” “your favorite color is what Nintendo character you are,” etc. All of these are social engineering. “My birthday isn’t bad to give out.” Yes it is. When I worked customer service we used birthdays for verification purposes. Names, locations, and all of that are important pieces of information for getting a password retrieved. “Your stripper name is the last thing you ate and the street you grew up on.” Favorite food and the street question are both super common password retrieval questions. Sure, you may not have last eaten your favorite food, but it narrows down the guessing. If all of your answers to these food questions are vegetarian, we can rule out any meat-based dish and triangulate what types of dishes you like based on the ones you post about. Social media has made this drastically easier, especially since people keep the same usernames between services. Please stop answering these questions.
Phishing is when hackers send malicious links or files via email or text message to get people’s information. A phishing link leads to a page that mimics a real website to get you to enter your username and password. They store it and then use it against everything you use to hack into your shit. However, when you fail 1 phishing attack they don’t start hacking your shit immediately. Hackers will proceed to send you more phishing links to get more usernames and passwords. This is why using passphrases is a bad idea: if your phrase gets out there, you’re boned. Another thing phishing emails will use is a malicious doc, PDF, Excel file, malicious code for Outlook in the email itself, or other attachments. You’ll open the Excel/PDF/doc/Outlook email/whatever thinking it’s from a co-worker, when it’s full of gibberish and running malicious code in the background. Now your system has a keylogger and they’re silently tracking everything. This is why Google auto-downloading every file to your Google Drive is a massive security risk. I do mean everything. Even spam emails will have their attachments sent to your Drive or Google Calendar. It’s super fucking annoying and a massive security risk. It’s why I am migrating away from the Google ecosystem entirely. My tablet would auto-download a malicious Excel sheet and run it in the background without me knowing. My “opened by me” tab for Google Docs was rife with bullshit I never opened but Google auto-opened despite it going to my spam. Google needs to disable auto-sharing and require your permission to join these groups, because phishers and spammers will spam you into these groups in hopes Google Drive will auto-open them. Sorry, this has been a huge annoyance of mine with Google for a while. Not only is it a massive security risk, but it fills up your Google Drive space too. You can limit it, but not fully disable it. Google will still add these files to your Drive and randomly decide to open them, even when you tell it not to.
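As an added defensive example (my code, not part of the original post), this Python script pulls the links out of an HTML email body and flags the tricks a credential-harvesting page relies on: a domain one character off from a real one, a punycode (internationalised) hostname that renders as a lookalike, and link text that shows one address while the href goes somewhere else. The allowlist of trusted domains and the sample email are constructed for the example; the registered-domain helper is deliberately naive (last two labels) and would need a public-suffix list in production.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist of domains this organisation actually uses.
TRUSTED_DOMAINS = {"example.com", "google.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", "") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def registered_domain(host: str) -> str:
    """Naive eTLD+1: last two labels (fine for .com-style names, not co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(href: str, text: str) -> list:
    """Return the reasons a link looks like a credential-harvesting lure."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return reasons
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode (IDN homoglyph) hostname")
    reg = registered_domain(host)
    if reg not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(reg, trusted) <= 2:
                reasons.append(f"lookalike of {trusted}")
    # Visible text that itself reads like a URL must point where it says.
    m = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
    if m and registered_domain(m.group(1)) != reg:
        reasons.append(f"text shows {m.group(1)} but href goes to {host}")
    return reasons


def triage_html(html: str) -> list:
    """Map every link in the body to its list of warning reasons."""
    collector = LinkCollector()
    collector.feed(html)
    return [(href, assess_link(href, text)) for href, text in collector.links]


# Constructed sample body. The IDN host is built from its Unicode form so the
# xn-- label is a genuine punycode encoding rather than a hand-typed guess.
IDN_HOST = "exämple.com".encode("idna").decode("ascii")
SAMPLE_EMAIL = f"""
<p>Your shared document is ready.</p>
<p><a href="http://examp1e.com/login">https://example.com/login</a></p>
<p><a href="https://www.example.com/docs">Open in Drive</a></p>
<p><a href="http://{IDN_HOST}/reset">Reset your password</a></p>
"""

if __name__ == "__main__":
    for href, reasons in triage_html(SAMPLE_EMAIL):
        print(href, "->", reasons or "ok")
```

Only the second link comes back clean; the first is caught twice (lookalike domain and text/href mismatch) and the third by its punycode label, which is the check a mail client's "show real link on hover" feature is standing in for.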
So, we don’t know how MSI and Western Digital were hacked, but we do know how Linus Tech Tips was hacked: via phishing. Since Linus accepts ads from anyone (they’ve hawked those shitty, expensive “professional grade chef” pans on Tech Linked), emailing a malicious PDF to them is super easy to do. They have people in their marketing/advertising department whose job is to find advertisers for their videos. This requires them to open emails with full HTML enabled to verify the company’s ledger, and to open Word files or PDFs for advertiser deals. A signed PDF or Word document shows a more serious offer, and the hackers could have faked a signature, who knows. The point is they need to download/open these to get the offers. This opens them up to a massive security whoopsie. Linus sounds like he’s updated how it all works to prevent this from happening again. Now, I will add that I am assuming the marketing department was hit. Linus never said which department was hit, but I’m assuming it was the marketing/advertising one. This would be the easiest branch to exploit, and it makes the most sense to exploit the weakest link since marketing people aren’t always super tech handy.
Phishing is such a commonly effective attack that many companies spend an insane amount of money training people not to fall for it. A lot of people are confused why phishing attacks are so effective, but it’s basic human psychology. When I worked at a job where we had phishing training, they would send us fake phishing attempts all the time, and if we didn’t report them we would get fired after falling for too many. This meant you had people like me who would just report everything (which the job told me to stop doing, but I refused), or people who just didn’t care because we got so many emails a day from tons of different internal addresses. We weren’t supposed to give our work email out, so all of us knew any email was from work. However, because we got so many emails, including fake phishing emails, people became numb to them. It’s like how when people first learn to ride a bike they always wear a helmet and then eventually stop because they become too comfortable, exposing them to risk. There’s also the issue of choice drain, where too many choices a day will make you lazy, no matter how small the choices are. Imagine getting 5 emails an hour and needing to choose which ones are phishing and which ones aren’t. It’s psychologically draining. As long as companies insist on overdoing it with phishing training, the attacks will keep on working. Speaking of overdoing phishing attempts at my old job! Let’s go over my favorite fuck up.
Rumor was going around that the next phishing attempt was to be taken very seriously: if you failed it, even if it was your first strike, you’d be punished. Everyone except management failed, including me. This is because management was always warned ahead of time. So, why did everyone fail this phishing attack? They were fucking dicks, that’s why. They used our exclusive internal email format that only higher-ups can use. The email also linked to our policy update system on the local intranet. We would get regular emails about policy updates that looked exactly like this and linked to the same local intranet URL. This wasn’t an IP address. This was an exclusive internal URL handled by our exclusive internal DNS systems. This domain name doesn’t appear on the internet at all. In fact, the local domain name didn’t even have a .com/.net/.whatever. It was just a flat URL like elvenmonk/news/ instead of elvenmonk.net/news/. They also used a spoofed version of our internal email domain to create a fake local email address for a person who works there and was in charge of our policy updates. Like, if this had been a real hacker using a phishing email, the company would have way bigger issues than us clicking a phishing link. Someone would have complete control over our internal systems.
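The simulated phish above combined a spoofed internal sender with a link to a flat intranet hostname. What follows is an added example of how a mail gateway or a triage script could catch both on the way in (my code, not anything the post or the author’s employer used): it parses the message, trusts only the Authentication-Results header stamped by the organisation’s own gateway (a sender can add a forged one claiming success), and flags links whose hostname has no dot at all. The domain elvenmonk.net, the authserv-id mx.elvenmonk.net and the four sample messages are constructed for the example.

```python
import email
import email.utils
import re
from urllib.parse import urlparse

# Hypothetical values for the organisation in the story.
INTERNAL_DOMAIN = "elvenmonk.net"      # the real internal mail domain
OUR_AUTHSERV_ID = "mx.elvenmonk.net"   # authserv-id our inbound gateway stamps

# Constructed messages (bare \n line endings; email.message_from_bytes copes).
SPOOFED = b"""From: Policy Updates <policy@elvenmonk.net>
To: staff@elvenmonk.net
Subject: Policy update: please acknowledge
Authentication-Results: mx.elvenmonk.net; spf=fail smtp.mailfrom=elvenmonk.net;
 dkim=none; dmarc=fail header.from=elvenmonk.net

A new policy is waiting for you at http://elvenmonk/news/
"""

LEGIT = b"""From: Policy Updates <policy@elvenmonk.net>
To: staff@elvenmonk.net
Subject: Policy update: please acknowledge
Authentication-Results: mx.elvenmonk.net; spf=pass smtp.mailfrom=elvenmonk.net;
 dkim=pass header.d=elvenmonk.net; dmarc=pass header.from=elvenmonk.net

A new policy is waiting for you at https://elvenmonk.net/news/
"""

# A sender can add its own Authentication-Results header claiming success;
# only the header written by our gateway may be trusted.
FORGED_AR = b"""From: Policy Updates <policy@elvenmonk.net>
To: staff@elvenmonk.net
Subject: Policy update
Authentication-Results: mail.attacker.example; spf=pass; dkim=pass; dmarc=pass

Read http://elvenmonk/news/ now
"""

EXTERNAL = b"""From: Ad Sales <ads@example.org>
To: staff@elvenmonk.net
Subject: Sponsorship offer
Authentication-Results: mx.elvenmonk.net; spf=pass smtp.mailfrom=example.org;
 dkim=pass header.d=example.org; dmarc=pass header.from=example.org

Deck attached.
"""


def trusted_auth_results(msg) -> dict:
    """Parse only the Authentication-Results header our own gateway added."""
    for raw in msg.get_all("Authentication-Results", []):
        value = " ".join(str(raw).split())          # unfold continuation lines
        authserv_id = value.split(";", 1)[0].strip()
        if authserv_id.lower() == OUR_AUTHSERV_ID:
            return {m.group(1).lower(): m.group(2).lower()
                    for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value)}
    return {}


def intranet_style_links(body: str) -> list:
    """URLs whose hostname has no dot, like the flat internal names in the story."""
    urls = re.findall(r"https?://\S+", body)
    return [u for u in urls if "." not in (urlparse(u).hostname or "")]


def triage(raw: bytes) -> dict:
    """Classify a message by who it claims to be from and whether that holds up."""
    msg = email.message_from_bytes(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    auth = trusted_auth_results(msg)
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if from_domain != INTERNAL_DOMAIN:
        verdict = "external"
    elif auth.get("dmarc") == "pass":
        verdict = "authenticated-internal"
    else:
        # DMARC failed, or no result from our own gateway at all: treat as spoofed.
        verdict = "spoofed-internal"
    return {
        "from_domain": from_domain,
        "auth": auth,
        "verdict": verdict,
        "intranet_links": intranet_style_links(body),
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT),
                      ("forged-ar", FORGED_AR), ("external", EXTERNAL)):
        print(name, triage(raw))
```

The design choice worth noting is that the verdict for an internal-looking sender depends on a DMARC pass from our own gateway, not on the From header and not on any Authentication-Results line the sender could have written themselves; that is exactly the check a spoofed internal address fails, whether it comes from a red team or a real attacker.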
Work, for some reason, was really pissed we all failed. They didn’t agree with us that this phishing attempt was too extreme. They also disagreed with us that it was unfair management got a heads up. So, they decided to give us a re-do. I was set, because this phishing attempt is the one that got me to report every email I received as a phishing attack. Eat me, IT department. This next attack was meant to be a complete surprise. Management didn’t get a heads up and no one knew what would happen. Senior management prepared to let people go if they failed this phishing attack. This one was a big deal. Some time passes and we get an email to watch the Olympics online without paying for it. Everyone reported it for phishing successfully, except management. Almost everyone in a position of power failed the phishing attack. We were super excited because management fucked up, hard.
We got an email a few days later saying that the phishing email was “too hard” and all punishments were canceled. We were pissed. They were ready to fire us, but not management. It also proved our point that management only passed these because they got a heads up. In almost every successful phishing attack you can usually pinpoint it to a person in management. These are the types of people who signed up to Ashley Madison with corporate emails. People who have become too comfortable and lazy. Corporations spend all their time training and draining the regular employees when it’s management who needs those refreshers and training. I can’t wait to see that Western Digital and MSI were both hacked due to either social engineering or phishing of senior-level management. That’s what I believe happened.
I know it’s disappointing to hear that most hackers just use Twitter, Instagram, and Facebook to get information from you to hack your shit, but that’s the truth. Sure, some will try stuff like SQL injections, brute force, dictionary attacks, or exploiting vulnerabilities, but it’s not as common. A lot of the password tricks we’ve learned should work, in theory, but it’s like installing a bank vault door for your front door while you leave the windows of your house open 24/7. Sure, the door is secure, but your windows are open. This is also why Microsoft and Google trying to replace passwords is meaningless. We could replace them with PINs, but people frequently use the same PIN and they’ll use numbers with meanings. Meanings that could easily be socially engineered. LastPass and shit like that are attacked regularly to extract the passwords. So, those aren’t even a good option. In the end all I can say is stop answering those questions about yourself on social media. Nothing will actually make passwords secure until we fix the core problem: us. I’ll go over the issues with 2FA another day.