UPDATED 18:44 EDT / APRIL 17 2018

Hackers operate in the clear with all the social media and hardware resources they need

Interested in becoming a hacker? Not exactly sure where to start? No worries. Forget about looking for the necessary tools on the dark web, that corner of the internet reachable only through special software. Most of what’s needed is available on the open internet and the cost ranges from minimal to free.

If people are still wondering how cybercrime continues to expand unchecked, they might take a few minutes to browse some very familiar sites, such as Facebook, YouTube, Instagram and even LinkedIn. It won’t take long to realize that the freewheeling world of social media is helping the well-meaning and the malevolent in equal measure.

At the RSA Conference in San Francisco on Monday, three members of the RSA Security LLC threat investigation team presented a view of the cyberworld that the vast majority of people likely never take the time to find. “It’s a very active space,” said Daniel Cohen, head of the FraudAction business unit at RSA. “Social media is doing a great job of bringing hackers together in a global community.”

Stolen credit cards on Facebook

Looking for sites with credit card numbers for sale? Type “ccnum” into the Facebook search bar and the result will be multiple sites listing card numbers available for ready use.

But don’t delay. “Fresh” numbers will likely be snapped up, used and closed within 24 hours of posting by hackers. “They are operating completely out in the open,” Cohen said.

Another area of online credit card fraud involves “carding,” in which the holder of a stolen card number buys store-branded gift cards, which are then either resold or used to buy merchandise for others. Instagram is a popular site for carding activity, according to the RSA researchers, who showed session attendees pages, mostly from international users, that openly advertised popular items such as the Apple iPhone at cut-rate prices because “we order all product by #hack cards.”

Social engineering via LinkedIn

Even LinkedIn, generally considered a carefully monitored and curated site for business professionals, can be used for phishing scams. Criminals practice social engineering by befriending LinkedIn users under the guise of a job recruiter or industry colleague.

New employees joining a company, usually noted in LinkedIn profiles, are especially vulnerable to phishing scams, according to Ayelet Biger-Levin, RSA’s senior consultant for identity product marketing. They just “want to get on, get into things and learn,” she said.

Part of the problem on LinkedIn lies in the ready availability of background information on information technology professionals, who can be courted by wily criminals with easy access to the current employment summaries posted on the site. A search on the site for “SaaS operations,” for example, yields more than 700,000 people, a veritable treasure trove for any hackers seeking to social-engineer their way into the corporate infrastructure.

Enterprising hackers looking to brush up on their skills or new ones seeking to get started have access to a range of “how-to” videos courtesy of YouTube. A search for “how to hack” on YouTube yields 93 million video results, including training tools titled “How to hack a password in a PC” and “How to reset a Windows password through a backdoor.” The latter posting had over four million views.

“This stuff that we are battling against is not that difficult to do,” said Neil Wyler, a threat hunting and incident response specialist for RSA. “The barrier for entry is very low.”

Devices capture personal data

Stolen credit cards and hacker training are not the only readily accessible resources in the cybercrime community. Wyler demonstrated a couple of fairly basic hardware hacking tools that can be easily acquired online.

One was the WiFi Pineapple, a rogue access point that can steal data from hundreds of users logged into a public network at a time. It’s available online for $100. Wyler displayed all of the data he had collected from session attendees using the device in a hotel ballroom during his presentation on Monday.

The second gadget was the Bash Bunny, a payload-equipped USB device that makes extracting information stored on a computer absurdly easy. In his demo, Wyler inserted a Bash Bunny into his own computer and in less than a minute displayed on a projection screen every network he had ever accessed and the accompanying passwords, all for the price of $100.

“When you walk away from your laptop at Starbucks, I can quickly insert a USB and obtain that information in seconds,” Wyler said.

In fairness to Hak5, the maker of these devices, the technology was originally designed for penetration testing by security professionals, who use it to strengthen network controls through the audit process. But it’s still a free market and, much like the social media tools described at the RSA session, the devices can always be used for ill as much as for good.

The point delivered by the RSA security team is hard to miss. Social media is increasingly being weaponized, hacking tools are freely available and the bad guys are doing business out in the open with reckless abandon. “They’re operating very much in the clear and are unconcerned about the police getting to them,” Cohen said.

Time to get back to posting on social media while sipping an iced latte in a local coffee shop. Oh, wait.
