Did you know that there’s a pretty high chance that the friendly stranger you’re chatting with in your DM (Direct Messaging) on social media might be a hacker? If you think this is impossible, read on to understand how.
For those with a good grasp of social engineering and cyber security, you already have an idea of what I am talking about. For those who don’t, I hope you gain some insight and protect yourself better from possible attacks after this.
There are many forms of social engineering and other forms of hacking, but I am specifically going to focus on this one because it is very common and you could be a victim too. It relies on patience, wit, and playing on your weaknesses and kindness to exploit and take advantage of you.
This is different from what you watch in movies where you are led to believe that all hackers are incredibly impatient, shy and too socially awkward to even start a conversation. So, they always sit behind a screen, create sophisticated software and use “Linux terminal install screens” to plunge your computer or internet profile into oblivion.
Let me introduce you to the charming hackers
Charming hackers (this term doesn’t exist, I just made it up) are individuals who spend their time searching for, studying and communicating with potential targets to identify weaknesses they can exploit to hack or manipulate their victims.
All these words will make sense in a moment. We are going to invent Susan (fictional character), a hacker from Vodova (fictional place) who makes money by exploiting her unsuspecting victims (real). But this hacker is a catfish… she is secretly a man pretending to be a woman (plot twist), and you would have no way of knowing since it’s all online.
Susan picks more than 20 potential people who fit the profiles she is looking for, such as the desperate, the lonely, “bad boys”, girls who have suffered a breakup, proud people, etc. This profiling changes depending on the objective.
So, Susan DMs (messages) all the ones whose profiles are public and who don’t require her to follow them first or be friends with them to do so (privacy settings). As “she” waits for their responses, she follows or sends a friend request to the remainder and waits for their reaction.
Some of the males may respond sooner, because for some reason they are more trusting and eager to engage with women online than females are. Susan can approach this in different ways: she can be overly friendly, engage in chitchat and then get straight to asking where they work, where they were born, their birthday, whether they have pets and so on. (This seemingly harmless information is very important, as you’ll see later.)
Or she can decide to begin with an innocent chat that later turns into a vulnerable female seeking counsel or a confidant. This is a play on psychology: if you fall for it, she then has your full trust and you’ll let her in on the same information as in the first scenario above, since you perceive her as vulnerable and incapable of any harm.
Alternatively, “she” (remember we said that in this instance, it’s a man playing catfish) can pretend to be immensely into you, find you attractive and even pretend to feel embarrassed about telling you how she feels about you.
Susan will study your reactions and adapt as she sees fit. Remember how we said the profiles are chosen to fit the objective? Here she can target a male who is into topless models, sex and dating sites and use that to her/his advantage. The conversation can escalate in under an hour, and she/he asks the user to share some very personal images. Don’t be fooled into thinking it’s impossible; many smart executives fall prey to this.
Similarly, Susan can target a woman suffering from a heartbreak or a major crisis and offer a shoulder while extracting personal information.
Weaponizing the information collected
Now, let’s look at how all this seemingly harmless information is used to hack you. In the first situation, where our dummy account “Susan” collected birthdays, pet information, address and other sensitive information, it can be used to formulate potential passwords to your accounts, including but not limited to online banking, social media and email.
Most people today still use their birthday, or a variation/combination built on their birthday, in their password. If those fail, the attacker can select “recover/forgot password” on your account and use some of this information to recover it, especially for people who set these details as their answers to the security questions and don’t have Two-Factor Authentication (2FA) enabled.
I think you now remember setting a favourite pet, mother’s maiden name or childhood street, which you would have just given away thinking it was harmless?
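The defensive counterpart to the point above, as an added example that is not part of the original post: a password-policy check that flags a password derived from the kind of profile data Susan collects (birthday in common date layouts, pet names and similar words, including reversed and leet-substituted forms). The function names, the date layouts and the leet map are my own assumptions, not a standard.

```python
import re
from datetime import date
from typing import List, Optional, Tuple

# Assumed list of the ways a birthday is commonly typed into a password (not exhaustive).
def _date_variants(d: date) -> List[str]:
    y, m, dd = d.year, d.month, d.day
    return [
        f"{y}",                             # 1990
        f"{dd:02d}{m:02d}", f"{m:02d}{dd:02d}",  # 1203 / 0312
        f"{dd:02d}{m:02d}{y}", f"{m:02d}{dd:02d}{y}",      # 12031990 / 03121990
        f"{dd:02d}{m:02d}{y % 100:02d}", f"{y}{m:02d}{dd:02d}",  # 120390 / 19900312
    ]

# Assumed leet map: undo the usual digit/symbol-for-letter swaps before comparing.
_LEET = str.maketrans("4301$7", "aeolst")

def _normalize(s: str) -> str:
    return s.lower().translate(_LEET)

def pii_in_password(password: str,
                    birthday: Optional[date] = None,
                    words: Tuple[str, ...] = ()) -> List[str]:
    """Return the reasons a password is derivable from harvested profile data.

    `words` holds things a stranger could learn in a chat: pet name, street,
    maiden name, employer. An empty list means nothing was matched.
    """
    reasons: List[str] = []
    norm = _normalize(password)
    digits = re.sub(r"\D", "", password)   # only the digit runs matter for dates
    if birthday is not None:
        for v in _date_variants(birthday):
            if v in digits:
                reasons.append(f"contains birthday fragment {v}")
                break                      # one birthday finding is enough
    for w in words:
        nw = _normalize(w)
        if len(nw) >= 3 and (nw in norm or nw[::-1] in norm):
            reasons.append(f"contains profile word '{w}'")
    return reasons

if __name__ == "__main__":
    # Constructed sample: a profile Susan could assemble from one friendly chat.
    bday, chat_words = date(1990, 3, 12), ("Rex", "Elm Street")
    for pw in ("Rex1990!", "xeR_12031990", "Tr0ub4dor&3"):
        print(pw, "->", pii_in_password(pw, bday, chat_words) or "no profile data found")
```

Hook a check like this into account sign-up alongside 2FA enforcement; it does not replace a length or breach-list check, it only catches the "birthday plus pet name" habit the post describes.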
The other scenario we talked about, which is very similar to catfishing, can work in numerous ways with the information or data gathered. The very “sensitive” videos or images sent can be used by the hacker to blackmail you for hundreds (if lucky) or thousands of dollars (if Karma has a bone to pick with you) in exchange for deleting your data. This is entirely based on trust, because you can pay and they keep exploiting you, or they never delete the media and sell it to another person or hacker.
A less intensive form of this hack, commonly known as catfishing, is where the person asks for money for their birthday, to buy them items or to assist them in a time of need. The amounts can range from small to large, either over time or in one bulk request. Often when you ask to meet your catfish, they will make up excuses, or accept and cancel at the last minute, or pretend to be sick; if you persist too much or get angry, they will ghost or even block you.
There are many other forms or alterations of social engineering similar or even more complex than this that I have not covered or that we are yet to even learn about, and there are many people who have fallen victim to this without even knowing about it to date.
We all need to be more careful with the strangers we interact with online and also apply the same or even more scrutiny to our online activities as we would to physical ones. We also need to teach more children about these dangers, as they are at the highest risk of falling into these hacks and scams, especially with the prevalence of get-rich schemes, inheritance scams and the vast untraceable cryptocurrency landscape.
Have you experienced these incidents or been hacked before? I would love to hear your story.
Wondering why it sometimes takes me so long to write? This is why – Why We Don’t Share Our Experiences, Thoughts and Lessons