A Hacking Scenario: How Hackers Choose Their Victims

By: David Ellis

Business owners who have suffered a data breach at the hands of some hacker often say, “Why me? Why did the hacker choose our business?” Many people think hackers selectively pick each business they hack. However, I suspect that in 90% or more of the businesses that are hacked, it all began based with the random discovery of a hackable vulnerability. 

Hackers typically begin a data breach scenario by conducting port scans across large ranges of IP addresses, specifically looking for certain open ports that may provide them a place to start digging. 

Let me take you through a typical hacking scenario.

SEE ALSO: Takeaways from PCI DSS 2016 Data Breach Trends

1) Scan for open ports

The hacker starts by running a port scan to probe a large range of IP addresses, and then he heads off to bed and lets the scan run all night. 

The goal is to find particular open ports to exploit a known or potential vulnerability. 

In the morning the hacker peruses the results of last night’s port scan, looking for certain ports that are actively “listening” (meaning they’re open). He likely has some automation at work that gives him a list of IP addresses with port numbers, 20, 21, 23, 513, 3389, 5631, 5632, and so on. 

He’s interested in these exact ports (and a handful of others) because they all relate to some form of remote access into their networks. 

For example, if a hacker sees ports 5631 and 5632 are open, he knows the remote access application pcAnywhere is installed and active. Or if he sees port 3389 is open, he knows Windows Remote Desktop is likely configured. If he can hack the remote access credentials, he doesn’t have to worry at all about complex firewall configurations or other perimeter protections.

If the remote access application was not configured to require two-factor authentication, he can probably guess the username and crack the password, and once he’s done that, he’s in. 

Everything on your system that you can see, he can see as well.

SEE ALSO: Infographic: Cybercriminals Love When You Use Remote Access

2) Try out default passwords

Many users fail to change or delete the default username or password that was configured with their remote access product when it was first installed. So, the hacker merely begins by trying the known pcAnywhere (or Windows Remote Desktop, or VNC, or FTP or whatever other remote tool) default username and password. 

At this point, does the hacker know that he’s attacking Acme Hardware? No. And he doesn’t care. He’s simply attacking a potential vulnerability via port 5631. The IP address might be for a business or it could be my grandmother’s ten-year-old PC. 

If the default password was left on the system, the attacker has now successfully gained access to the system. 

If the default password tactic doesn’t work, it’s just a minor inconvenience. Password cracking tools are plentiful and are getting more powerful all the time. At this point, the hacker runs his password-cracking tool and takes off for lunch while the tool does the heavy lifting. When he returns in an hour, or a couple of days, his tools have often detected the needed password, and he’s in.

SEE ALSO: Two Factor Authentication – Security Beyond Passwords

There are other, even less technical ways to breach perimeter security like imbedding malware in online games or other legitimate website activities and waiting for users to inadvertently download a RAT to their system. (RATS are remote access trojans, and can be purchased online for just $40. They give the hacker covert remote access and establish persistent backdoor access to your system.) These types of malware can also be accidentally installed by the user through an email phishing scam.

3) Once he has control

Whether the hacker cracked your remote access credentials or you opened a malicious email link, you’re now in the hacker’s clutches and he begins prospecting. Up to this point the hacker still doesn’t know if he’s hacked a business or a personal computer. 

Now, he looks for evidence that the system holds information of value, such as credit card account numbers, banking, real estate, or healthcare records (since these often contain social security numbers or other data that he can turn into a payday). To discover the nature of the environment where he has landed, the hacker will often run keyword searches. 

For example, if his keyword searches discover the system he’s hacked is a Micros system, he knows he’s in a business that accepts credit cards. (Micros is a provider of POS hardware and software used by many hotels, restaurants and other small businesses.) He will probably try Micros default passwords to try to get into their server. 

4) Install malware

If the hacker is successful in breaching a commerce environment, he will attempt to install data-capturing malware on the POS system. His malware will seek to detect credit card data, capture it, and export it out of the system. He then either reproduces the stolen credit cards or sells the stolen account data on the black market. 

Depending on the malware installed, from the point of malware installation through the moment that the breach is detected and eradicated, every single customer credit card transaction made on that computer (and perhaps on the entire network) would be at risk.

SEE ALSO: Is Your Business Infected? Malware Trends of 2016

5) Search for affiliated IP addresses

By now, the hacker has probably sifted through enough company data to realize he’s hacked Acme Hardware. The hacker realizes he’s hit a potential jackpot, because Acme Hardware is a national chain (in this scenario). 

Since the hacker doesn’t know the IP addresses of the other chain locations, hacking them could be difficult. However, if he finds remnant data on the system that includes the other IP addresses, or connections to the corporate servers, Acme Hardware could be in some serious trouble (we’ve seen many cases where the breach of a single locale lead the hacker to the corporate environment and all of the stores in the chain). 

Remnant data left on systems does occur. In a forensic investigation we conducted, a POS installer inadvertently left a partial client list on a POS system that contained the names and IP addresses of 28 other clients. All 28 were also hacked because of a careless installer. 

6) Leave no trace

At this point, the hacker has a couple of choices: he can leave the malware in place and harvest customer credit card data until the breach is discovered and/or the vulnerability is closed (the most common alternative in commerce breaches), or he can choose to clean up his tracks and get out of the hacked system (seen in cases of corporate espionage or theft of corporate secrets). 

Most attackers cover their tracks to avoid detection. They encrypt card data before transferring it out of a system, erase or modify security logs, run malware from RAM instead of the hard drive, which often goes undetected by most antivirus software, and employ many other “anti-forensic” tactics in order to escape unseen. 

SEE ALSO: How do Hackers Hack?

Hackers don’t care who you are. They just care how rich you can make them.

Now that you understand hackers don’t pick and choose their hacking victims out of the phone book, you should also understand the flaw in the common belief held by small businesses, “I’m too small for a hacker to care about me!”

A hacker doesn’t care if you’re small. He just cares if you have data from which he can profit.

Tweet

So it’s more crucial than ever to implement data security! 

Need help securing your data? Talk to one of our consultants! 

David Ellis (GCIH, QSA, PFI, CISSP) is Director of Forensic Investigations at SecurityMetrics with over 25 years of law enforcement and investigative experience. Check out his other blog posts.