Tools of the Trade: Browsing Through the Hack Store

It’s widely believed that “Education is the key to empowerment,” and it's true; just by learning how to use free or low-cost downloadable and widely available tools, hackers can empower themselves over just about any mobile or desktop device, as well as over supposedly secure on-line networks. While everyone knows what hackers do, not many know how they do it – or, more importantly, how easy it is for them to do what they do.

October – which is National Cyber Security Awareness Month – is the perfect time to bone up on how hackers operate. The FBI, according to associate executive assistant director David Johnson, “is doing everything we possibly can, at every level, to make it harder for cyber-criminals to operate. But we also ask that the public does its part by taking precautions and implementing safeguards to protect their own data.”

So it’s perhaps appropriate that the weeks leading up to October were exactly when a hacker who decided to “strut his stuff” by showing off one of his exploits slipped up and let the public get a full view of the tools of the trade – what hackers use to compromise systems, many of them costing just a few dollars and the price of a couple of hours with an instruction manual.

It should be noted that many of these tools were designed for legitimate purposes – network and device management, screen-sharing to enable access to devices that are not working properly, etc. However, hackers have learned how to repurpose them. Using these tools, they can easily target individual users and weaknesses in their security – and in the security of the supposedly safe sites they connect with, in order to allow them to raid the bank accounts of victims, or undertake other nefarious crimes.

The revelations on the tools hackers use to earn their daily bread came in a video posted on YouTube, in which the hacker demonstrates how to use SpyNote, a new type of Android Remote Access Trojan (RAT) that allows hackers to take control of a mobile device. The video shows how a hacker can access a device (without root access rights), view all messages on the device, listen to calls made on the device, list all the contacts on the device, listen live or record audio from the device’s microphone, gain control of the device’s camera, get the device's last GPS location, get its IMEI number, Wi-Fi MAC address, carrier details, and even make calls remotely.

If that were all there was, it would be bad enough, but in the video, the hacker displays screenshots of the device, showing their app array – many of them hacker tools that utilize various tactics to carry out their trade. Each tool has its role. Anonymizer/spoofing tools on the hacker's device such as TouchVPN, TapVPN, and Network Spoofer provide an easy way for hackers to commit long-distance fraud. For example, a fraudster using stolen credentials accessing a US bank from abroad (e.g. Eastern Europe) would route the traffic through a US based VPN service in an attempt to fool bank security systems – one less security flag on the transaction in a system that may be set up to identify such connections as suspicious, especially if the bank has no customers from that region. Another use of such tools would entail switching a device's IP address to hide the multiple attempts they make to access accounts using different accounts. Many banks have systems like velocity checks in place to detect such blatant signs of hacking. With spoofing tools, hackers can fool the system into “believing” that it is dealing with multiple customers.

Root hacking kits like RootKit enable hackers access to the device's system, allowing them to disable services like anti-virus programs, paving the way for installation of malware. Network management tools (PingTools, ZapperKillerTester, Diskinfo) provide a clear, easy to understand map of a device's attributes, and once a device's identity is known, they can begin to manipulate it, further spoofing their appearance to fraud management tools, such as device fingerprinting systems.

What’s more, perhaps the ultimate control tool – TeamViewer – helps hackers conduct a RAT attack, enabling them to completely take over a device. A hacker will send out a phishing e-mail with a trojan-laced attachment, or dispatch a link that almost compels the reader to click (“exclusive photos of Brad and Angelina together again!!!”), dispatching the trojan that way. Once that trojan is installed, the rest is history; at the pre-appointed time, it will download malware that will install a remote access tool, like TeamViewer, that will enable the hacker a direct line to the system, no password required, as the system is already active and the port being used to communicate with is already open (there is little chance the average user will be checking for ports that are not open).

Once in, a hacker can install any of the above tools or, more conveniently, something like Spynote, an all-in-one hack tool that lets a hacker completely take over a device, either overtly or covertly. With access to the device, it's just a short internet hop to sensitive sites, like a user's online bank account. If a victim has a banking app installed, it's a simple matter for a hacker to connect; since most mobile apps use trusted device protocols – meaning that they assume that the person who entered the password to access the device is the same one using a banking app – hackers don’t even have to steal usernames and passwords to access those apps. They can open and use them at will.

Statistics show that more than nine out of 10 pieces of malware in targeted attacks are passed onto devices via phishing scams, and mobile devices, which provide multiple ways for hackers to spread malware, such as text messages, WhatsApp links, and good old e-mail, provide many opportunities to conduct such scams. So for users, the best way to avoid becoming a victim is the oft-said truism - “just don't click.” However, that's probably not very realistic; in an era when hacking is rampant, it is up to the websites that are likely to be compromised to defend themselves as well.

So, how can sites protect themselves? Well, making sure the user who logs in to an online account is the “right” user who operates inside the account and throughout the session is a good start. In that scenario, the site does continuous authentication to ensure that the legitimate, registered user is the one working throughout the session, and has not been “interrupted” by a hacker who may have hijacked the connection. The key to this scheme is to analyze the behavior of the person on the other end of the device – not the device itself, or the authenticator being downloaded. Unfortunately, there are no easy answers; in some ways, it's easier to be a hacker than to defend against them. Education in this case can be very empowering – allowing users to take back control over their online transactions.

What’s Hot on Infosecurity Magazine?