Curiosity Killed the Cat or at least hurt it really bad

When Hacking Social Network Accounts Goes Wrong

Introduction

This study focuses on privacy breaches perpetrated through the hacking of social network accounts. It offers an overview of concepts that appear to be problematic within the virtual world (e.g. identity, anonymity, legitimacy, regulation) because of the very nature of the environment they are placed in.

The study also aims to point out what motivates people to pry and get hold of secret information on the Internet. Aside from the easily identifiable motivators that pertain to human nature, it will be argued that perceptions of the virtual as a space that poses fewer constraints on human actions than the real world actually stimulate privacy trespassing because of a suspension of individual responsibility.

Several sets of statistical data reflect two quantifiable aspects of the password/account hacking phenomenon, namely the likelihood of the spying intent and the spies’ most prevalent motivations.

Finally, an example of a “hacking project gone wrong” will illustrate an interesting mechanism of retribution: he or she who spies on others on the Internet will be (at least) spied upon.

Perceptions of the Virtual Space

The very idea of the online being a fault-free universe populated exclusively by well-meaning individuals is utopian. With an individual sense of responsibility being the only instrument that can be relied upon in the absence of immediate coercive or punitive mechanisms, it somehow becomes easier for offline rules to be disregarded in the online world. The online is perceived as a deregulated space. Actions on the Internet are virtual gestures whose impact, consequences and moral/ethical ramifications are somehow buffered. Whether it’s a belief in virtues, a sense of duty, a fear of repercussions or a combination thereof, there are some well-established real-life mechanisms that deter people from trespassing rules, laws, regulations and principles. However, these mechanisms basically rely on proving WHO did WHAT, WHERE, TO WHOM and, if possible, WHY. With concepts such as identity, location and even legitimacy getting extra fuzzy on the Internet, it’s understandable why this space is associated with a sense of “infinite” freedom, despite the hope and will to contain individuals’ actions within limits set by real-life principles.

A pervasive sense of decentralization is another characteristic of the virtual space that dictates how its inhabitants coagulate and interact. Illustrations of specific online activities mapped onto actual geographical areas indicate the rapid appearance and equally rapid disappearance of zillions of focal points inside a global network. Lacking boundaries and checkpoints, this space used to support and promote a different concept of “proximity”, namely a type of mental closeness. Keywords, search history and other forms of expressed preferences guide surfers’ steps towards relevant resources and towards like-minded communities. However, with the addition of actual location trackers, more of the real-world geography and, implicitly, its systematization are poured into the virtual.

Despite national and transnational legislation that seeks to absorb and set limits for the various types of online conduct that are potentially harmful to others, these dominant perceptions of the virtual space support a looser type of behavior (as compared to real-life actions) and even tacitly legitimate gestures that would be legally punishable offline. It’s a “click and download” vs. “actually doing it” dilemma. How free will a curious friend feel to actually dig into your purse to look for any document that might reveal a spicy secret? What are the legal consequences of this act? On the other hand, how free will the same friend feel to download a hacking tool and dig into your online accounts to find out the same secrets? A recent study published by topnews.co.uk reveals that “more than a fifth of university students in the UK have had tried hacking”, and, what’s even more interesting, that “[…] 84 per cent respondents [said] that hacking was wrong, but that did not stop all of them from attempting it.”

Meet Your Evil Twin – Human Psychology Online

Perceptions of the virtual combined with the availability of hacking tools create the perfect background for various psychological motivations to kick in and to fuel Internet users’ conviction that spying on other people online is an acceptable practice. 

Two of the phenomena identified in studies focusing on the psychology of human interaction in environments lacking social cues, in general, and in cyberspace, in particular, are worth mentioning here: the “reduced social cues theory” and the “online disinhibition effect”.

The “reduced social cues theory” argues that, as social presence decreases, and with an absence of social signs, relationships become less personal and intimate. This results in a suspension of the limits imposed by face-to-face communication and in more aggressive reactions.

The online disinhibition effect, on the other hand, argues that by separating themselves from their real life and identity, and therefore becoming anonymous (you don’t know me, you can’t see me), people tend to behave more freely online and suspend moral/ethical and other types of real-life limitations. In addition, when online, people undergo a de-individuation process, because they feel that they are mentally merging into a group. This manifests as a weakening of their opposition to harmful or disapproved acts and as an increased tendency to act according to what the group dictates.

Despite all the arguments provided, this technological determinism approach is still under debate. What reigns undisputed in the question of cyber-psychology is that the motivations for hacking are very human. First comes curiosity; then there’s a need for reassurance (I cannot ask for a confirmation of x, so I go looking it up for myself); next in line come apparently legitimate concerns (e.g. seeing what my children are doing online) solved by not-so-fair means; there might also be the sense of power that one gets when managing to find out somebody else’s secrets without having to suffer the consequences.

Who wants to hack passwords?

A quick search on the Internet revealed more than 2,000,000 results for password hacking, and Google Trends™ demonstrates that this topic is riding high on the wave of public interest (see Figure 1).

Figure 1: Google Trends™ on “hack [social network] password” results

To further investigate the extent of this phenomenon, a BitDefender survey with a one-week timeframe and 1,500 respondents was conducted. The respondents were asked whether they had ever tried to hack into somebody else’s social network account by illicitly retrieving the respective person’s password. They were also asked to give the reasons for their actions. The results showed that more than 89% of these persons had searched for a password hacking method on the Internet.

This was an interview-based survey (3 YES/NO questions), and the sample consisted of different social network users. The sample structure is presented in the table below.

Age: 15-57 years (mean: 30.3 years)
Sex ratio: ~1:1
Nationality: from 21 countries
Sampling method: random

Table 1: Sample’s structure

As already mentioned, 89% of the interviewees declared that they had searched the Internet for password-hacking software. Only 11% of them stated that they were not interested in this type of application. 98% of those who responded affirmatively to the first question also declared that they had installed and tried to use the hacking applications they had found.

When asked about their reasons for breaking into someone else’s account, 72% of the respondents stated that they had wanted to read their girlfriend/boyfriend/wife/husband’s personal messages, and 64% had thought about changing the information in and the password to their ex-boyfriend/ex-girlfriend’s social network account. 14% of the respondent pool declared that they had wanted to spy on their parents’ online activity (personal messages), and 23% of them were parents who had wanted to read their children’s messages.

When hacking goes wrong

What can happen if, despite all warnings, someone actually sets out to find a hacking tool on the Internet? A simple search revealed that a huge amount of information is provided to any prospective spy. Out of the various possibilities at hand, the application chosen for this experiment was one whose purpose is stated as transparently as possible: hacking the passwords to accounts opened on a very well-known social network.

Cleverly defined as a “convenient tool for worried parents and spouses” and offered free of charge with limited availability, this password retrieval application is bound to be very successful. The description creates the impression that such a tool has emerged as a consequence of an identified common need of these two categories, parents and spouses, thereby legitimizing the spy’s action as the result of an honest concern that a whole group of people manifests.

Figure 2: First step of the hacking process

By clicking the free download link, the user is presented with a whole list of other reasons why this application prevails over its peers: “90% good results”, “Risks […] are 0.0% because this application uses proxies so it attacks the server from 125 locations”, and a 15-day free trial.

Figure 3: An extra bit of social engineering to boost download counts

Judging by the high number of downloads, approximately twenty thousand, quite a few people were tempted to try the hacking tool and downloaded it onto their systems. And this is how a double piece of e-trouble, a worm and a trojan, landed on their PCs. Needless to say, the hacking application’s creators will be able to get control over the respective PCs in no time.

Don’t do to others what you don’t want others to do to you. That’s how we can summarize this situation. If you go looking for some tool that will help you sneak up on others, you might just end up downloading an application that will help your “fellows in curiosity” sneak up on you.

Note: All product and company names mentioned herein are for identification purposes only and are the property of, and may be trademarks of, their respective owners.

About the author

Sabina DATCU

Sabina Datcu, PhD, has a background in Applied Informatics and Statistics, Biology and Foreign Languages and Literatures. In 2003 she obtained a master’s degree in Systems Ecology and in 2009 a PhD degree in Applied Informatics and Statistics.
Since 2001, she was involved in the University of Bucharest's FP5 and FP6 European projects, as a researcher in the Information and Knowledge Management field.

In 2009, she joined the E-Threat Analysis and Communication Team at BitDefender as a technology writer and researcher, and started to write a wide range of IT&C security-related content, from malware, spam and phishing alerts to technical whitepapers and press releases.