Internet and online security professionals deal with hacking and cracking activity on a daily basis. With new technologies emerging every day, new security challenges arise and new vulnerabilities appear that allow black hat hackers to create and execute scripts that can cause serious problems for whole networks. Our mission is to let you know about the latest scams and to warn you about new exploits that can have a severe impact on your online business.
11th September 2007

Website Security, job seekers and ransomware as a new form of web hacking

The old school of website hacking concentrates on finding security vulnerabilities in the code of the website itself (e.g. dynamic URLs that are not properly validated, functions or procedures in the web application that allow a buffer overflow, form fields that allow SQL injection, etc.).

There are 3 main purposes for such attacks:

1) steal products/services offered on a website,

2) steal information stored in the databases (both personal information and credit card details),

3) proceed further and use the initial vulnerability to gain additional privileges on the server and, ultimately, obtain root access to it.

Let's talk today about the second purpose: obtaining both physical mailing addresses and credit card records that could be used for identity theft or simply re-sold on the Internet.

When a hacker tests different methods to get unauthorized access to a website or web application, they most likely use compromised computers (so-called slave bots), proxy servers, or a combination of the two.

Granted, it might be difficult for investigators to establish the real source of the attack, such as the IP address used to execute it, but it is still potentially risky for the hackers.

So the easiest way for hackers to get a foot in the door of the target system is to obtain the login details of a legitimate user and use those details for their further operations.

And it looks like this approach, combined with advanced phishing scams, has become very popular lately. In addition to malware, spyware, viruses and worms we now have a rather new phenomenon called ransomware.

Ransomware is what the name implies: a type of malware used to take a hostage and demand a ransom for it.

Only in this case the "hostage" is not a person, it's a computer. Ransomware encrypts all the files on the victim's machine, so the average computer user is not able to decrypt them and has to pay a ransom to get access to his or her own files again.

Of course, if a person performs regular backups of their machine, this scheme won't work.

The user would simply restore all the files from a backup. But the scheme is very successful, which just goes to show that only a few people regularly back up their files.
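To make the "encrypts all the files" behaviour concrete from the defender's side, here is an added Python example (not code from the original post) that compares two snapshots of a file set and flags files whose contents were replaced by high-entropy data, which is the trace a mass file-encryption event leaves behind; a backup-verification or endpoint-monitoring job could run the same comparison before trusting a fresh backup. The file names, contents and thresholds are constructed for illustration and are my own choices.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data,
    roughly 4-5 for English text, approaching 8.0 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_rewrites(before: dict, after: dict,
                        high: float = 7.0, entropy_jump: float = 2.5) -> list:
    """Names of files whose content changed from low- to high-entropy data.

    Requiring a *jump* (not just a high value) avoids flagging files that
    were already compressed or encrypted, such as zip archives."""
    flagged = []
    for name, old in before.items():
        new = after.get(name)
        if new is None or new == old:          # deleted or untouched: not a rewrite
            continue
        e_old, e_new = shannon_entropy(old), shannon_entropy(new)
        if e_new >= high and e_new - e_old >= entropy_jump:
            flagged.append(name)
    return flagged


def mass_encryption_alert(before: dict, after: dict, min_fraction: float = 0.5):
    """(alert, flagged_files): alert when at least min_fraction of the
    files in the snapshot look like they were overwritten with ciphertext."""
    if not before:
        return False, []
    flagged = suspicious_rewrites(before, after)
    return len(flagged) / len(before) >= min_fraction, flagged


def _pseudo_random_bytes(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (constructed sample data)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sample snapshots: three documents and one archive before,
# two documents replaced by "ciphertext" after.
_TEXT = b"Dear applicant, thank you for sending your resume. We will contact you shortly.\n"
SNAPSHOT_BEFORE = {
    "resume.txt": _TEXT * 50,
    "cover_letter.txt": _TEXT * 30,
    "notes.txt": _TEXT * 10,
    "archive.zip": _pseudo_random_bytes(4096, seed=1),   # already high entropy
}
SNAPSHOT_AFTER = {
    "resume.txt": _pseudo_random_bytes(4096, seed=2),     # overwritten
    "cover_letter.txt": _pseudo_random_bytes(4096, seed=3),
    "notes.txt": _TEXT * 10,                              # untouched
    "archive.zip": _pseudo_random_bytes(4096, seed=4),    # changed, but was never low-entropy
}

if __name__ == "__main__":
    alert, files = mass_encryption_alert(SNAPSHOT_BEFORE, SNAPSHOT_AFTER)
    print("alert:", alert, "files:", files)
```

The entropy-jump rule is what keeps the archive out of the result: it changed, and it is high-entropy, but it always was, so it is not evidence of encryption. Restoring from a backup only helps if the backup was taken before the rewrite, which is exactly what this comparison verifies.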

This exact scheme was used in the Monster.com ransom scam that became well known lately.

Intruders first obtained access to employer accounts on Monster. How they did it is not important now: maybe they tricked the account holders into opening emails with malicious attachments, installed Trojans on their computers, and then sniffed all the information exchanged between those machines and others. Maybe they sniffed the packets on the wire (note that Monster uses http for its login screens, not https, so login data are passed in plain text), or they might have used any of the numerous other hacking methods. The point is, they obtained unauthorized access to the employers' accounts.

And the people who contacted those employers were looking for a job, so they readily provided all their contact details to those employers, including phone numbers, mailing addresses, etc.

After collecting approximately 1.6 million records of job applicants, the attackers crafted well-written, personalized emails to those applicants and tricked the victims into opening them. When an email was opened, a Trojan was installed on the victim's machine. Financial information was stolen, or files were encrypted and a ransom demanded to "free up" the files.

And there is evidence that a similar scheme is now being used at another website for job seekers, CareerBuilder.com.

What is the point of this story? It looks like pure hacking is slowly being replaced by a wholesale approach that doesn't require much skill: it's enough to find a way to get millions of records, trick the recipients, install malware or ransomware, steal credit card or bank account data or just encrypt the files on the victim's computer, and voila, the attackers have some serious cash in their bank accounts.

Be aware of this new wave of data stealing, which I would call "web hacking without hacking", and be extremely careful when opening emails from an "employer" or, for that matter, any email from an unknown sender.
