Phishing has become way more sophisticated

Jim Stickley shows companies how vulnerable their internal networks are to persistent and motivated hackers. (James Dunn / The Business Journal)


Selections of cybercrime information from expert Jim Stickley, Stickley on Security, keynote speaker at the CyberSecurity Conference sponsored by Exchange Bank and the North Bay Business Journal.

Hacking was cool

“Hacking was just cool. That’s all it was. By my late teens, early 20s, I realized, hey this stuff could get you in jail. As a kid, I didn’t pay for stuff very often — movies, Sea World, the zoo, Disneyland. If you give them a good story, they would let you in. Even if I had a date, I would tell them I lost my tickets. With corporations, I could pop my way into things. Five years ago, I had robbed over 1,000 financial institutions. I have robbed a lot of places (as a friendly hacker).”

“I talk very fast, like a monkey on crack. I got my first computer when I was 12, back in 1982, a Texas Instruments TI-99 (released 1981, 256 bytes RAM, 3 MHz speed, much slower than Stickley talks). I was immediately hooked. I couldn’t think of anything else I’d rather be doing than being at my little computer. For Christmas, I would ask my parents for programming books.” (By age 16, he was doing program development work for corporations.)

“I believe that there is always a way to solve a problem. When kids were mean to me, I was able to turn off their parents’ phone line (because he swiped programming manuals from telephone repair technicians parked in his neighborhood).”

Why cybercrime?

“It’s not like I have some better widget that is better than the next guy who is breaking into stuff. We all follow the same trends. Cybercrime is a growth industry. Returns are great. Risks are low. It’s just a business now. This is not some kid hacking from a basement. This is organized crime, state-sponsored all over the world. Technology is way better than it has ever been.”

Email poses huge risks

“With very few exceptions, it comes down to email. Every major breach since 2014 started with an email. That led to the compromise on the network. Email is a huge, huge risk. Hacking is hard. It’s a lot of work. If I can send one of your employees an email and get them to do something dumb that ends up giving me access to their desktop, I have bypassed all the internal security and I am on your internal network. It solves all my problems for me. All I need is one person to make a mistake. Email is your biggest risk.”

“Emails are the devil, whether it comes from your mom, co-worker, best friend. Doesn’t matter who. Start with the assumption it didn’t actually come from them. Assume it’s bad. Figure out what it wants from you. There’s going to be some angle. It wants you to click on a link, download some attachment. If it wants anything from you at all, take a deep breath. You opening that document could be a very bad decision. Treat every email with a really skeptical view. The more you know, the better off you are going to be.”

“I send an email on behalf of IT security guys to one of your employees (using IT security employee’s name). The subject is an emergency security patch. The security ID is an important part of this whole scam. (There’s an 800 number to call.) It has no links, no attachments. There’s nothing that tells them this is a bad email. They pick up their phone and dial the 800 number. You can buy an 800 number for $10 or $15 a month.”

“You’d think that phishing should be getting easier to detect. Actually, the trend is still continuing to go up. Phishing is becoming so much more sophisticated. It (looks as if it) comes from a co-worker to you, has your name in the email. It will look very, very real. Detecting that it’s fake is a heck of a lot harder. It looks like it comes from somebody you would trust.”

“When a company is attacked in a phishing attack, the first employee will fall victim within a minute and 40 seconds.”

“If you are a large corporation, you deal with limited network access. If employees don’t need email from the outside in for their job, they should not have the ability to receive email from the outside. Why are you putting your company at risk allowing them to have it? It’s crazy. Same thing with web access. If an employee doesn’t have a job function that requires them to browse on the Internet, they shouldn’t be able to browse on the Internet. Every employee has one of these (a smartphone). They can use their own phone. Don’t put it on your network. Reduce your risks by a lot.”

LinkedIn, what could be bad?

“LinkedIn is a hacker’s dream — a list of all your employees, their job titles, exactly what they do for that company, and how long they’ve worked there. With employees who have worked there four months or less, I have a really good chance of success (in a phishing attack). These people don’t know anything. They don’t want to do anything to rock the boat. Whatever you tell them to do, they will just do. It’s not that hard to get email addresses.”

“All I’m looking for is one victim. I don’t need 100 people to be a victim.”

Hallmark secret admirer

“I send a Hallmark greeting card from their secret admirer. Everybody on the planet wants a secret admirer. Immediately you’re kind of pumped. You click the link to go to the Hallmark site. I have a server set up on the Internet that just waits for servers I’m compromising. I have a command prompt on that server. It doesn’t matter where they are in the world. I now have remote control of their computer. I have the server that’s compromised make an outbound connection to me (to bypass the firewall security). I can install any kind of malware at this point. The system is controlled by me.”


“How bad is it really? If you keep up with patches and with backups, this isn’t a problem. If you back up your stuff on a daily basis then one day all your stuff is locked up, you clean off your operating system, restore the stuff, you’re back to exactly where you were the day before. Not that big a deal. The problem is, people are terrible at backups. Just stay continually on top of backing up your systems. If you do, you’re going to be in very good shape. If everyone does backups, does that mean all cyber extortion is going away? No. Extortion pays.”

“Adobe Flash is a train wreck of a product. It has a new vulnerability every single month. If you have Adobe Flash on your PC and you haven’t kept up to date with the very latest patch, all you have to do is browse to a website, click a link to the site. (Even if you) don’t install anything, don’t run anything, don’t approve anything. The malware will install on your computer without you ever seeing it happen. It is that simple.”

“If you have a web cam, we have remote control of everything. We can turn on that web cam and start watching you, which is really creepy if you are on your laptop at home. We can watch you at home. If I am attacking corporations and can get into computers in the boardroom, then I can also turn on the microphone so I can listen to board meetings or anything that’s going on. That’s really useful information.”