From the horrible Hollywood hacks of 2014 to John Podesta’s emails, hackers aren’t feverishly trying to sneak into your computer. They’re coming up with better ways to convince you to let them in. So Sarah Jeong invited a hacker in to see exactly how it’s done.
The nude photos first emerged on 4chan. From there they spread to Reddit and Imgur—a hoard of around 500 photos implicating at least a hundred individuals, including celebrities like Jennifer Lawrence, Kirsten Dunst, McKayla Maroney. A month later, two more batches of photos would also come online, dragging Kim Kardashian, Rihanna, and Scarlett Johansson into the fold.
While being interviewed by the FBI, Lawrence broke down and had a panic attack. She later publicly denounced the leak as a “sex crime.” The photos seemed to originate from a hack. Initial speculation suggested that hackers had taken advantage of a security flaw in Apple’s iCloud. But the culprit, sentenced to nine months in prison earlier this year, said that the celebrities had actually been phished.
Clicking on the wrong link had unleashed emotional devastation and public-relations nightmares. But in 2016, a similar hack resulted in what was previously unthinkable: It may have swayed an American presidential election. When Democratic political operative John Podesta’s private e-mails were published in bulk, the contents of his e-mails were covered in the media for weeks. (One set of e-mails would fuel a popular online conspiracy theory known as “Pizzagate,” culminating in a gunman firing off a weapon inside a D.C. pizzeria the following January.)
Along the way, the media relentlessly referred to the Podesta e-mail “hack,” conjuring up the image of a shadowy figure in a basement somewhere pounding on his keyboard, making glowing green code scroll up a black screen as he cracks into the secret substructures of the Internet. That’s not really how it works. Despite the fevered hysteria around Russian state-sponsored hacking, the Podesta e-mail release wasn’t the result of state-of-the-art Cold War cryptographic research. His hackers didn’t need classified CIA malware or any yet-undocumented software exploits. The source of Podesta’s problems was mostly likely a dodgy message masquerading as an alert from Google, warning him to reset his password.
The published e-mails revealed that Podesta had forwarded the alert to a computer technician for the Clinton campaign, who had then made the mistake of identifying the fraudulent alert as a genuine communication from Google. Russians—if the hack was indeed state-sponsored—may have influenced an election just by getting Podesta to click a bad link.
If you’ve ever used e-mail, you’ve probably been phished at some point or another. An unexpected password-reset notice. A generic-looking business e-mail that says, “See attached receipt.” A shipping confirmation from a company you’ve never bought anything from, directing you to click on a link to track your package.
Spearphishing involves a component of social engineering: It’s the most boring kind of hacking, but also the most dangerous.
No one knows exactly how many phishing e-mails are sent out per day, but one antivirus company has claimed to have blocked over 70 million phishing attempts in a three-month span. The last time someone tried to phish you, the message probably landed in spam. Or you spotted the misspelling in the subject line and deleted it without a second thought (or, like approximately 12 percent of victims, you actually opened the e-mail and then clicked on an attachment).
John Podesta was phished, but unlike that unhappy 12 percent, he was the victim of what is known in industry parlance as spearphishing: a targeted phishing attack aimed at a particular person. It’s a sniper shot versus a shotgun blast, and the person on the receiving end doesn’t get much of a chance to duck for cover.
Regular mass-mail phishing attacks are often clumsy and a little obvious—words are misspelled, graphics are misaligned, the sender’s address is hosted at a suspicious-sounding domain. But these e-mails were likely sent out en masse—they’re not trying to fool everyone, just enough people to turn a profit. But, in turn, anti-spam systems can detect the hallmarks of mass mailings and seek to prevent malicious e-mails from landing in inboxes.
When someone decides to target you and only you, it gets a lot harder to protect yourself. In fact, Podesta, like any spearphishing victim, wouldn’t have been safer with more secure phones or better antivirus software or smarter company security at Google or Yahoo or Facebook.
We all know what it’s like to receive mass-mailed spam. But most people aren’t going to attract enough attention to merit being spearphished. What’s that like, anyway? And how is it different from regular phishing? To search for those answers, I went out and found someone to spearphish me.
You can’t just wait around hoping to get spearphished—unless, I guess, you work for the Democratic National Party. So I asked Cooper Quintin—staff technologist at the Electronic Frontier Foundation, and a friend—to hack me. “Sorry, I didn’t have time to prepare,” he apologized, after I burst into his office on short notice.
Compromising someone’s digital security is time-consuming, though not for the reasons pop culture might suggest. Hacking isn’t a matter of typing furiously into a cyberpunk-y computer terminal like in The Matrix (although Quintin did indeed spend much of our session typing into an old-fashioned command-line interface). What he needed was time to skulk through my social-media profiles to figure out who I was, who my friends were, where I worked, who I worked with, who I was close to, who I would trust—the kind of information, thanks to social media, that’s available to anyone who wants to look. This is the key difference between spearphishing and regular ol’ phishing. Spearphishing involves a component of social engineering: It’s the most boring kind of hacking, but also the most dangerous.
Spearphishing is so boring that it barely looks like hacking, if only because hacking as depicted in popular culture ignores how important social engineering is. This happens for a lot of reasons. If the news is going to cover hacking, it might as well be exciting: cars hacked while the driver is still inside, viruses that melt down nuclear power plants, Internet-connected televisions listening in on your conversations, or epic legal confrontations between the FBI and Apple over encryption. Hidden vulnerabilities, government viruses, unbreakable codes, terrorism, and espionage make for great stories. Clicking on a bad URL doesn’t.
Quintin says social engineering is ignored because “it’s hard to defend against. Like our brains have this bug that makes us vulnerable to social engineering, because we have shortcuts and we want to trust people.”
A social engineer might pretend to be a customer-service representative at Comcast, the IT guy at your company, even a FedEx automatic package-tracking e-mail. A good social engineer can convincingly take on the guise of a colleague, an acquaintance, a friend, even sometimes a relative. It’s shocking the things you’ll click on if you trust the sender.
Quintin used the same attack that felled the two daughters of Paul Manafort. In February, hackers published hundreds of thousands of text messages taken from the former Trump campaign manager’s two daughters. Buried in the dump is a message from Manafort to his daughter in August: “Your sister has been … hacked. I just got an email from her saying ‘important document’ and sharing a Google spreadsheet … Needless to say, don’t open!”
I got a taste of what might have tricked Andrea Manafort when an e-mail from my friend, Parker, inviting me to look at a Google Doc, landed in my inbox.
A thumbnail of his photo hovered next to a message. “Hey Sarah do you mind reviewing this blog post I’m writing about Oracle? Thanks!” A reassuringly familiar blue “Open in Docs” button lay beneath. I clicked.
The button took me to what looked like my Google Drive, except a login screen prompted me to type in my password again. The moment I did, a pop-up leapt out:
YOU HAVE JUST BEEN SPEARPHISHED
Then, in kinder, gentler text:
Don’t worry, I didn’t actually save your password (you might wanna change it anyway). But if this were a real spearphishing attempt, you would be owned right now.
It had taken several hours to get to that point, hours during which I had sat back, watching Quintin construct an attack against me. He went through my social-media accounts, rifled through my work information, skimmed through my latest articles. The idea was to slip into my shoes and construct an e-mail that I would click on without thinking. The tried-and-true method is to pretend to be someone the person already knows, using social media to scout out connections to impersonate.
He first pondered an approach where he would masquerade as a colleague from the same media company. He rejected this line of thought when he couldn’t assess how well I knew a person. The trick was to find someone that seemed trustworthy—because he or she belonged to the same organization—but that I didn’t know very well, so that I was less likely to detect the fraud.
Another method: The offer that is too good to refuse. Nowadays we all know better than to click on an ad offering a free iPod, but Quintin figured he could tempt me with someone else. He’d pretend to be a whistleblower from Palantir—Peter Thiel’s very secretive and very controversial government contracting firm—sending me documents from the inside.
It would be the dream of a tech journalist. And if I let my thirst for a scoop overcome my good sense, I would open the hypothetical file that Quintin sent me. It would then release a payload of malicious code and compromise my computer.
Luckily for me, Quintin didn’t have a payload on hand. “As you can see, this isn’t something I do very often.”
With enough time and resources, Quintin could have socially engineered my colleagues, my editors, my family, my phone company, my utilities company, my bank, and beyond.
But Quintin showed me the Social Engineering Toolkit, a sort of all-purpose tool for the lazy hacker. It’s billed as a toolkit for penetration testing—an internal test of a company’s security, rather than actual criminal hacking. In reality, SET—which is open source and can be acquired by anyone—is probably used by a lot of people who aren’t exactly benign auditors.
A colorful ASCII menu presented a wide array of options: “Spear-Phishing Attack Vectors,” “Website Attack Vectors,” “Infectious Media Generators.” Quintin picked a category, and then looked ruefully at the list of possible payloads, all of them designed for Windows. “None of those are going to work. Because you’re a millennial, so of course you use a MacBook.”
It was going to take time and effort for Quintin to compromise me by malware, and it was starting to get late. We agreed he would next construct a very easy, basic attack: By impersonating my friend, he would get me to give up my password.
A command line query easily revealed that I used Google Mail. From there, Quintin took a lazy route: He copied an existing invitation to a Google Doc and changed the links to redirect to a fake version of a Google login page that he quickly set up on his own fake web address. “If I wanted to do this properly, I’d buy a domain like. Although I’m sure that’s already bought.” (It’s not. Anyone can buy that URL for $10.69 a month and set up a seemingly fake, spearphishing-ready site of their own.)
A scan of my public web presence (a.k.a. Twitter) revealed that I was friends with Parker Higgins, that we shared an interest in the Oracle v. Google lawsuit, and that we’d written together in the past. Quintin modified the text of the invite so it appeared to be from Parker, and swapped out the profile picture of the sender for Parker’s. If I were careless, I would have missed all the teensy details cluing me in to Quintin’s scam—the fact that Parker’s e-mail address was misspelled, or that the button to open Google Docs had redirected to a URL that wasn’t the real Google.
Even if I had managed to maintain airtight security 100 percent of the time, everyone I know becomes a potential weak link. With enough time and resources, Quintin could have socially engineered my colleagues, my editors, my family, my phone company, my utilities company, my bank, and beyond. I could warn them—assuming I knew I (and they) was under attack. Once people wised up, the only repercussion to Quintin would be that he would have to abandon that avenue of attack. It would be difficult to trace the attacks back to him as long as he used anonymous e-mail accounts, spoofed numbers, and burner cell phones.
But such a relentless campaign would take time and energy, and it was getting dark outside. The janitor was already making the rounds at Quintin’s office. So we called it a night. “When you write about this, you’re probably going to get a bunch of people trying to spearphish you,” he told me. “Can you do me a favor and forward those e-mails to me?”
Quintin and his team at the nonprofit Electronic Frontier Foundation study these kinds of attacks as part of their work. The science of what makes people click on bad URLs may not sound immediately relevant to digital rights and the freedom of expression, but Quintin says that the malware that governments use to spy on dissidents is almost always delivered via social engineering. (Amnesty International has documented spearphishing attacks against dissidents in Azerbaijan.)
I promised that yes, I would gift him with all the spearphishing attempts that I could.
Every year at Defcon, the world’s largest hacking conference, hackers flex their skills in a game of Capture the Flag: social-engineering edition.
Capture the Flag, in this context, is a treasure hunt with oddly sinister overtones and a lot less walking around. In 2016’s contest, players were given a list of target companies three weeks in advance, and they could use that time to collect as much openly available information about the companies as possible. Then, at the Capture the Flag competition, each competitor was placed in a soundproof booth for 25 minutes, during which he or she could make as many phone calls as possible to employees at the target companies. The goal was to gather as many “flags”—a.k.a., pieces of information, like “Is IT support handled in-house?” or “What operating system is in use?” or even “Do you have a cafeteria?”
Someone trying to collect a flag might pretend to be another employee working in a different department of the company, an outside salesperson making an inquiry, or the IT help desk. The goal is to pass under the radar; to be a boring, routine communication you answer without thinking twice. Good social engineers persuade people to give something away without a second thought, because the request is so innocuous—like a friend asking me to look at his or her Google Doc. Spearphishing is just another form of social engineering.
Ironically, the more sophisticated forms of hacking are easier to address: a zero-day exploit (a vulnerability that exists in software from the day it’s deployed) can usually only be abused so many times before a company fixes it; viruses can be reverse-engineered and inoculated against; broken encryption can be replaced. For many problems in security, you can “sell a box”—a solution, a product—to fix it, says Quintin. And since there’s a market for boxes, money gets poured into studying those forms of hacking, instead of studying social engineering. You can’t sell a box that stops people from trusting their daughters, from missing a typo in an e-mail address, from being a little too tired to check the URL of a link.
You can’t sell a box that stops people from trusting their daughters, from missing a typo in an e-mail address, from being a little too tired to check the URL of a link.
Sure, there are small steps you can take to lower the likelihood of getting hacked, like using a password manager or enabling two-factor authentication (y’know, when you log in to a site and it demands you also input a random number texted to your phone). But those only protect the personal information that you can control. And you can’t control everything.
In 2016, Lorrie Cranor, the chief technologist of the Federal Trade Commission, had her phone service hijacked when a hacker walked into a store, pretended to be her, and “upgraded” her phone to the most expensive model available. A customer representative kindly transferred Cranor’s phone number to the hacker’s new iPhone. Once a hacker has control of your phone number, two-factor authentication by text message will get you nowhere. Cranor escaped unscathed, but the same attack was used again later that year to hack activist DeRay McKesson’s Twitter account, which had two-factor authentication turned on. As long as his phone number was tied to the hacker’s new phone, two-factor couldn’t protect him. McKesson’s story proves that you can turn your digital life into Fort Knox and still be undone by an overly trusting salesperson behind a desk.
One of the first hackers to be prosecuted under the 1986 Computer Fraud and Abuse Act was Kevin Mitnick. He engaged in “phone phreaking”—a now vintage form of hacking that used dial tones to connect long-distance calls at no cost to the phreaker. But he infiltrated the telcos in other ways, acquiring unlisted phone numbers and passwords for billing systems through social engineering. One of his tactics was to play a tape of Pacific Bell’s hold music back into the phone to create the perception that he, too, was a Pacific Bell employee.
By the time the law caught up with Mitnick and he landed in front of a federal judge, these crimes had morphed into a legend of staggering absurdity. The prosecutor asked the judge to hold Mitnick in solitary, claiming he had the ability to launch nuclear missiles by whistling into a payphone.
The judge, taking this claim at face value, agreed to it.
Throughout the history of hacking, the painful banality of social engineering has always been ignored in favor of more exotic digital terrors. And in this sense, 2017 is no different from the 1990s of Mitnick’s escapades. News headlines obsess over the possibility that foreign agents remotely hacked the final tallies of the 2016 election, or the capabilities of the CIA malware arsenal as revealed by WikiLeaks. But these are—for the most part—theoretical vulnerabilities: interesting, and probably worth looking into, but disproportionately blown up compared to the known vulnerability that is People Opening Bad E-mails.
It’s possible that social engineering gets short shrift, not because it’s less interesting than the other forms of hacking, but rather because it’s more disturbing to think about.
There’s an impulse to think of hackers as socially inept, inarticulate savants, cut off from the rest of society—what President Trump referred to as “somebody sitting on their bed who weighs 400 pounds.” The popular image of a hacker is someone who understands machines, not people. But successful social engineers are not just perfectly capable of interacting with human beings—they are talented manipulators who take advantage of our willingness to trust our colleagues, friends, and family.
“Social engineering is kind of just a fancy word for a confidence scam. It’s just a fancy word for conning somebody,” Quintin told me. “The basis of conning somebody hasn’t changed since the con was invented. The technology has changed, but the general principles behind it don’t.”
As long as hacking is mysterious and exotic, getting hacked makes you the victim of a godlike genius wielding powers beyond your ken. But being the victim of something as tedious and uninteresting as social engineering just makes you a stupid sucker, and stupid suckers deserve to get screwed.
But protecting yourself against social engineering is an ongoing chore, like living through an endless April Fool’s Day. Your paranoia must be constantly pitted against a hacker’s persistence. For now I’m turning on my two-factor and my password manager, and squinting at web addresses—living as though the Internet is out to get me. Every day I stake my digital life on the hope that any would-be hackers will run out of time, money, and attention before I run out of luck. And whether you know it or not, you do, too.