The Human Connection Blog

Unmasking Holiday Hackers

EllaBendrickChartier
6 days ago

Wisdom says that two wrongs don’t make a right – but if you hack the hackers back, I think that gets you on Santa’s Nice List this holiday season.

This blog looks at a hacker who helped investigate and report a cyber-smishing ring that stole nearly half a million credit card numbers with a holiday-themed scam.

It’ll also show you how you can use Immersive Labs to learn the knowledge and skills required to conduct the same type of offensive investigation. This case study and a step-by-step methodology will help you build valuable skills and advance your cybersecurity career.

Imagine the following scenario…

You receive a text message from a “delivery service”. It asks you to click a link to validate your personal information so they can deliver a parcel. Thinking it’s a precious holiday package from one of your many online orders, you click it. You input your credit card number to validate the order, and you enter your address to ensure it’s delivered to the right place before you have time to realize what’s just happened… 💥

You’ve given all your information to a scammer! 🤯 This is textbook smishing, but that doesn’t change the fact that it’s incredibly effective.

This exact situation happened to Grant Smith – however, he just so happened to be a certified Ethical Hacker. Smith shared his story and subsequent investigation details with Wired. In the article, we learn that:

  • In total, people entered 438,669 unique credit cards into 1,133 domains used by the scammers.
  • More than 50,000 email addresses were logged, including hundreds of university email addresses and 20 military or government email domains.
  • The victims were spread across the United States, with more than 1.2 million pieces of information being entered in total. California, the state with the most, had 141,000 entries.

Nobody wants to be part of this user cohort, but smishing attacks are becoming more common and more sophisticated. Around the holiday season, we interact with more businesses and technologies across multiple digital channels – and urgency only increases the closer we get to Christmas, growing your personal threat surface.

You can help reduce your chances of being a victim of cybercrimes by upskilling with these labs: 

Ready to take the reins of the sleigh and get into an investigation like Smith’s yourself?  

For a holiday-spirited investigation around a phishing attack – start with A Christmas Catastrophe: A Christmas Phish.

From there, you can build a ~~gingerbread house~~ solid foundation for your security skills. Consider exploring the Introduction to Penetration Testing and Hack Your First Computer collections.

If you’re ready to dig deep and build knowledge and skills to use open-source tooling at the next level, you can follow Grant’s steps with Immersive Labs collections!

Nmap is one of the most popular network scanner tools available. In this introductory collection, you’ll learn what Nmap is and how to use it to enumerate hosts, ports, and services on a target.

Burp Suite is a popular tool used for pen testing and assessing web application security. This skill collection will take you from the basics of configuring and using Burp Suite to expertly traversing and applying its range of tools and features.

This collection focuses on core networking concepts: the basics of network connectivity, network topologies, IP addresses, and the Domain Name System (DNS). Name Server Lookup allows users to query the DNS to retrieve information like IP addresses associated with domain names.

Reading packets and understanding the structure of packet captures are essential skills in cybersecurity. This collection introduces the main packet analysis tools and how to look for flags inside packet headers.

This collection introduces you to the log files produced by web application servers and how they can be interpreted. You’ll be shown how to use common command line tools to analyze the log artifacts, what you can infer from the information captured in logs, and how this information can be helpful when responding to a suspected incident.

Learn core SQL injection techniques and build on those skills to extract information from databases. When a vulnerability exists, this data can be accessed in various ways.

Gain foundational knowledge on Linux-based software exploitation, commonly used tools, and how the Linux Command Line Interface (CLI) can be used to perform different tasks. The labs in this skill collection range from navigating around a file structure to combining multiple commands to achieve a specific goal.

One such avenue is the Internet Crime Complaint Center. Or, if you’re working on an internal investigation for your employer, you should ensure strict adherence to your processes and playbooks for threat escalation and remediation.

While you may not need to complete end-to-end tasks like the above frequently, it’s an asset to understand an offensive security mindset and key open-source tooling to conduct an investigation.

Put your Nice List skills to use by continuing your offensive security journey and consider a Certified Ethical Hacker certification. You might even just earn an invite to the North Pole!

Or, keep upskilling in Immersive Labs to earn more security badges and advance your career as an offensive security practitioner. You can be the light that guides the sleigh through the dark world of cyber criminals!

 

Share your thoughts

Did you find this case study interesting? Did you find some cross-functional training to bookmark for your personal growth? Please share your thoughts in the comments below!

Give those hackers some coal to put somewhere special – their stocking, of course! Make sure you're following the Human Connection Blog to get updates to your inbox!

Updated 6 days ago
Version 2.0