Blake Dowling
Hacking hit Florida in a new way this summer with the arrest of one of our state’s youths.
The most common assumption is that most hackers are overseas. But rest assured, there are plenty right here, both in the USA in Florida.
For today’s story, it was not just the FDLE after this kid; it was everyone— the FBI, IRS, Secret Service and FDLE got their man (a minor, actually).
Just what led to 17-year-old Graham Clark of Tampa (who runs in hacker circles as “Kirk”) to be investigated and arrested? Only one of the most devious social media breaches ever.
What did he do exactly? He hacked Twitter, allegedly. That makes him the David Lightman of our time (sort of).
Hacking happens all the time; what makes this one different?
First, I don’t think people grasp how insidious or rampant the hacking world is (see dark web hacking forum link below), and that they (the hackers) communicate with one another, collaborate, and try and outdo one another.
Also, the dozens of major breaches that occurred have led to a robust marketplace for the sale of passwords and other sensitive materials — your materials.
Returning to Twitter. Imagine having control of Donald Trump or Joe Biden’s Twitter account (it’s said Joe’s account was actually hacked), especially around election time?
It boggles the mind to think of the “what ifs” of this situation.
Clark’s “hack” could have turned our state and nation into more of a battleground then it is already or (at worst) started a war.
Fortunately for the world, “Kirk” was more concerned with stealing money than creating social and international problems, so we can breathe a sigh of relief that Clark was not working with a foreign agent of some kind and that he was swiftly stopped.
So, how in the world do you gain access to Twitter?
One would assume the company has protective measures in place that would rival the DOD? They do.
Then how did he do it? It was the old fashion way, conning someone into letting him in, allegedly through an employee of the organization. This is called Social Engineering and, in this situation, Clark told a Twitter employee that he was with the IT department and he needed to log on to his/her account with their credentials. The employee (also allegedly) said OK. Ouch.
I certainly would not want to be that person.
Many of you may also cringe at this entry point of this cyber-incident. Particularly if you just spent $1 million upgrading your cybersecurity protections, just to have someone get in over the phone by conning a staffer.
Perhaps Clark looked this person up on LinkedIn, learned a little about them to make sure he knew where Twitter IT support was based, and other facts to lend credibility to his con.
Additionally, hackers work together (there are other defendants in this case) through such forums as ogusers.com — these are gathering places for such individuals.
You can read more on hacking forums here for a deeper dive into this world (social engineering is a big part).
The bottom line? Don’t give people your password. No legitimate or competent IT person would ask you for it in the first place (unless you already have a working relationship in place and personally knew one another).
The chaos didn’t stop after the arrest. During the hearing in Hillsborough County (via Zoom) hackers dove in displaying pornography and rap music. The judge was not amused and set bail at $725,000.
Hackers tend to have a pack mentality, so one can assume this was a fellow hacker who Zoombombed (something I wrote about early-pandemic) the hearing to cause disruption and show support for his/her fellow hacker.
As he awaits judgment, Clark faces nearly 30 counts and an uphill legal battle as during the breach, theft of info and funds, he also sent tweets from Biden’s account, Bill Gates’ account and even Elon Musk’s.
Speaking of Musk, I finally figured out where he got the idea for the design of the Tesla SUV (in my opinion).
Some of these bogus tweets would be along the lines of “it is time for me to give back” (tweeting as Gates, for example), and “for every Bitcoin you send me, I will match it and donate to charity.”
And people sent money, lots of it (via Bitcoin).
A search of Twitter shows those posts on the aforementioned accounts were deleted, but there are screenshots galore out there on how the scam worked.
You may be thinking Bitcoin is untraceable, right? Well, right and wrong.
Clark appeared to open an account with a digital currency exchange (called Coinbase) which needed a copy of your driver’s license to open. So, it didn’t take Sherlock Holmes to track that down (no disrespect to law enforcement). It was just a rookie move for a hacker.
Hackers are everywhere; they have high-tech tools and (worst of all) they have some really low-tech approaches that also work. Just as you should never “verify” any private info from an email, you should also never give out your private info over the phone.
If you are curious about an incoming phone call, ask for a call back number. They will usually hang up or ask them random sports trivia. I may have done that to one hacker who called saying he was from “Microsoft.” I drove him crazy before he hung up (I guess he didn’t like Gator Football in the 90s, and 2000s as much as I did).
(I would not recommend doing what I did. I am a professional, after all.)
Stay safe out there and keep your private info private.
___
Blake Dowling is the CEO of Aegis Business Technologies. He can be reached at [email protected]. Check out Dowling’s Biz & Tech monthly podcast on iTunes and YouTube, as well as his other columns from the Tallahassee Democrat and more.
