How End-User Devices Get Hacked: 8 Easy Ways
Security experts share the simplest and most effective methods bad guys employ to break into end-user devices.
When it comes to scamming consumers and businesses, the most effective strategies aren't necessarily the most complex.
Hackers seeking funds, data, and access to corporate systems don't need advanced techniques when tried-and-true tactics consistently work on their victims. There are two primary types of attacker motivations: opportunistic and targeted.
"The attacker does not care who the victim is," says Rob Ragan, managing security associate at Bishop Fox, who uses the two categories to differentiate cybercrimes. "They want access to any and every device that can be compromised. This is a numbers game."
Targeted attacks are different because the threat actor has a specific reason for wanting access to a particular device. While opportunistic attacks are often financially motivated, targeted threats aim to scam a particular person or access specific data.
Ragan says attacks are often platform-based and payload matters less than delivery method. "The payload may be ransomware, but the delivery mechanism can be anything from coercing a user into running an email attachment, to a worm that exploits unpatched systems," he explains.
"Hacking a device takes technical acumen, and in some cases, access to the device," says Michele Fincher, chief operating officer at Social-Engineer. Much of the time, the easiest route to device takeover is tricking the user.
Because it can be a "full-time job" to stay current on the latest threats, most users are not aware of the many ways their devices are at risk. Here's a look at the easiest and most effective ways for cybercriminals to attack end-user devices.
"Phishing is still the easiest way to compromise a user," says Ragan. Spear phishing hits specific users with a malicious attachment; for example, an Office document with macros enabled or a PowerShell script that takes over their system.
Fincher agrees phishing is the simplest means to an end for cybercriminals looking for easy targets. She consistently sees users tricked into clicking on links via email or text, a method known as SmShing.
"The cost and threat is low, requires low technical ability on the part of the attacker, and has the potential to reach many targets at once," Fincher adds.
These attacks occur when a cybercriminal injects malicious payloads into an end-user device, or compromises their Internet traffic and redirects them to installing malware. This can be relatively easy because there are many tools available, says Ragan.
For example, a "wifi pineapple" can compromise an end-user device via wireless attack. An attacker could use this tool to cause an end-user to dissociate from their wifi network and associate with the same one as the threat actor. This would enable the attacker to accept traffic and inject malicious code.
Ragan notes this is only possible with physical proximity to the victim; wireless hijacking can't be done across broad geographical regions.
"The two biggest vectors to hack a device are SmShing or phishing," says Social-Engineer CEO Chris Hadnagy. Phones that are jailbroken or allow for side-loading of apps heighten the risk for users.
As previously noted, SmShing attacks require users to click malicious links sent via text messages. Hadnagy recalls the recent Wells Fargo breach, when there was an influx of SmShing scams with malware and bad links sent to victims.
"The one danger I don't personally see addressed often enough is BYOD policy at the corporate level," says Fincher, explaining the growing risk of end-users bringing devices into the workplace.
"With smartphones, laptops, and tablets being so readily available, many organizations don't realize the risk that they take by NOT explicitly addressing whether or not it's okay to check company emails on phones, or even examining devices prior to approval," she continues.
BYOD increases the risk for organizations because with one successful end-user attack, an attacker can compromise an entire business, says Hadnagy.
Impersonation is commonly used to reset passwords, transfer control of phone numbers, or bypass other security controls, Ragan explains. For example, a hacker may target a specific carrier to hijack a phone number and intercept two-factor authentication tokens and messages. It's a "pretty easy" form of compromise that doesn't require attackers to have a high technical skill level.
"If I, as an attacker, am able to obtain VPN credentials to a corporate network with a phone call, I don't actually need to hack any device at all - I can potentially log in as a legitimate user and browse away at proprietary information," says Fincher. Most end-user attacks are conducted by individuals posing as a legitimate entity.
"With just a little bit of open source intelligence gathering (OSINT), attackers can find just enough information to appear to be a bank, a boss, a customer, or a friend with a normal request," she continues, noting that most people are busy or careless enough to send personal information without question.
"Physical access to someone's system is almost always game over," says Ragan. With enough time, motivation, and skill, he explains, a threat actor can "almost always" get into a stolen laptop. Physical access attacks could also involve a malicious USB drive, stolen hard drive, boot attacks, or keylogger.
Mobile devices can prove tougher to crack, especially with the right security configurations. Apple's decision to update the iPhone to a 6-digit passcode, and forced lockout after too many login attempts, both protect mobile devices from threat actors.
This is another strategy that relies on human manipulation to download malware and compromise devices, and another that doesn't require much technical expertise for attackers to be successful.
"The recipe goes, take something people want badly and make them install something before they get access to it," says Ragan. The "something" could be anything from a blockbuster movie to a celebrity sex tape.
Malvertising is an effective and accessible way to scam users in an opportunistic attack to hit as many people as possible, he adds. Threat actors need only to pay to run a fake advertisement, and someone who isn't paying attention will fall for it. Ragan recalls a recent example of someone who clicked a bad advertisement after searching to download Adobe Acrobat online.
Unpatched vulnerabilities are among the easiest vectors for cybercriminals to launch attacks, says Ragan. Attackers frequently exploit unpatched flaws by scanning the Internet looking for vulnerabilities, or targeting specific environments, to gain entry. He cites the recent WannaCry ransomware attack as an example.
"It's the lowest-hanging fruit, especially if there's a known exploit published for it," Ragan continues. Publicly known exploits make it easy for threat actors to break into unpatched software and infect the host.
"If there is no known exploit, it's up to the skill set of the attacker to know how to create one," he says, noting how this is more difficult. Attacks on unpatched vulnerabilities target all platforms; Windows, Android, and iOS are all at risk.
These types of attacks involve payloads sent via JavaScript, which may be injected through Tor proxies, all the way through to typo-squatting attacks that deliver malicious applets or Flash exploits when someone mistypes a website address.
Ragan says these types of attacks have become more complex as browser security has improved. It's tough to do on Chrome, for example, because it does automatic updates. It's easier on Firefox or Microsoft Edge.
"It's really tough to develop these exploits because browser developers have stepped up their game, but if there is a known issue or unpatched issue, it's relatively easy for attackers to repurpose that," he explains.