A journalist who challenged white hat hackers to see how vulnerable he was got more than he bargained for when they gathered information about his banking details, got on to his social networks and remotely shut down his laptop and iPhone.
Adam Penenberg, from the PandoDaily website, challenged Nicholas Percoco, senior VP of SpiderLabs, to perform a penetration test on him. They agreed that Percoco couldn’t break any laws and would keep Penenberg’s children out of any investigation.
The investigators began by amassing information about Penenberg – most of it freely available in the public domain. From there, they formulated a plan of attack which outlined nine different ways of penetrating his systems.
Although some of the attacks failed, they managed to get what they needed by the simple expedient of sending his wife a realistic e-mail with an attachment that downloaded phishing malware on to her computer, giving SpiderLabs complete access to all of her data.
This data included Penenberg’s and his wife’s social security numbers, income tax returns and copies of bank statements. In addition, they found the password for their home router as well as login and passwords for their bank account.
Although online logins are protected by a verification step whenever an attempt is made to log in from a device that is not usually used, SpiderLabs bypassed this by finding and copying cookies from the hard drive.
The team was able to access one password, which allowed them to crack others and access all of Penenberg’s online accounts as well as his social media sites, where they posted messages. They also hacked his iCloud account, giving them access to all of his stored information.
As a final act, the team shut down his laptop and iPhone while Penenberg was in the middle of giving a lecture.