A few years ago, if you wanted to wreak havoc online, you needed some skill. You needed to understand coding and how to break into other computers. You needed to develop attack bots and probe for vulnerabilities.
Now you just need to point and click.
Aside from the rise of social media, which seems to have unleashed the nastiness in many people who might not otherwise express it, the most troubling recent aspect of internet culture is the democratization of hacking tools and destructive software. Dangerous, damaging, and life-altering tools are now usable by nearly anyone who can find them online.
As observed last year on Security Boulevard, “This easy access to all sorts of hacking tools may be responsible for the significant spike in cyberattacks of all kinds in recent years. To hack a system, you don’t need the professional programming skills you once did; it’s enough to download an appropriate tool from the malware repository and follow the instructions on one of the myriad “how to hack” websites. The threat pool just grew by thousands of percent.”
The author describes a social engineering toolkit, which is a preprogrammed Linus application to automatically steal user credentials from a sign-in site. “The application has various modules designed to fool users into sharing their credentials and/or get them to click on links that will install credential-stealing malware on their systems.
For example, a hacker can choose to use the Web-Jacking Attack module, which provides a legitimate-looking URL (i.e., not connected to a malware site) that, when clicked, opens a pop-up window that contains a different URL, one that leads to a malware site where a keylogger or other malware can be installed. All the hacker has to do is choose the malware, choose the site they want to forge, and create a web link. It’s all free, and, as the site notes, ‘for educational purposes only.’”
In recent weeks, other proto-hackers have been “educating” themselves with easy tools. According to Ars Technica, a hacking tool called Trickbot is a for-hire botnet that has infected more than a million devices since 2016, selling access to the illegal network to anyone who wants to commit crimes online. The botnet has been so harmful that an industry taskforce led by Microsoft has been working to bring it down, initially managing to take down 62 of the 69 servers that Trickbot has used so that Trickbot was forced to use the servers of a competing criminal group to distribute its software. Microsoft Corporate VP for Security & Trust Tom Burt, “who has overseen several global botnet takedowns in the past, said the industry is getting better at them. After identifying new Trickbot servers, Microsoft and its partners have been able to locate their respective hosting providers, initiated required legal actions, and taken down the new infrastructure in as little as three hours.”
Apparently, some of the world’s most skilled hackers are sharing the most sophisticated hacking tools as “prizes” for poker tournaments, poetry competitions, and rap battles during the worldwide COVID crisis. Prizes include not only access to stolen credit cards and personal information but also scripts to automate the creation of cloned websites and e-shops used to harvest user credentials and e-wallets. Even more troubling this week is a report from Wired that a new pornbot can be used by nearly anyone to create Deepfakes to target women online. The article claims that the tool has targeted more than 100,000 women online, operating on the messaging app Telegram since July, and can be used to create nude images of regular people known to the person operating the tool. Apparently, the quality of images could pass for genuine. “The still images of nude women are generated by an AI that "removes" items of clothing from a non-nude photo. Every day the bot sends out a gallery of new images to an associated Telegram channel which has almost 25,000 subscribers. The sets of images are frequently viewed more than 3,000 times. A separate Telegram channel that promotes the bot has more than 50,000 subscribers.” According to Wired.
The Washington Post covered this terrifying tool also, writing, “Ten years ago, creating a similarly convincing fake would have taken advanced photo-editing tools and considerable skill. Even a few years ago, creating a lifelike fake nude using AI technology — such as the “deepfake” porn videos in which female celebrities, journalists, and other women have been superimposed into sex scenes — required large amounts of image data and computing resources. But with the chatbot, creating a nude rendering of someone’s body is as easy as sending an image from your phone. The service also assembles all of those newly generated fake nudes into photo galleries that are updated daily; more than 25,000 accounts have already subscribed for daily updates.” As anyone who follows the recent history of technology knows, once a tech tool is good enough to use and gains popularity, its makers keep improving its effectiveness. So expect better customizable pornbots in the future.
As these tools proliferate and become easier to use, anyone can destroy lives or businesses just by following a few simple instructions. If we are concerned about fake news and conspiracy theories now, in a blink of an eye, our fears will be justified by Deepfakes showing real people in fake situations and making comments on video that they never made. Laws exist in some states to address revenge porn like that being created with the pornbot, but they are not consistent or available in every state. And they don’t address other kinds of revenge Deepfakes.
Renting entire botnets, winning hacking tools in poker games, easily creating Deepfakes, and effortlessly stealing web credentials are just the start. When this trend continues to expand, none of us will be safe.