• ORNA

Hacking the Human Mind: The Art of Manipulation

Identifying insecurities in network devices is an art form. For us, it’s the ultimate puzzle. The rush that comes with finding and exploiting a vulnerability is exhilarating and virtually incomparable with almost anything else.


For most of us, hacking isn’t a job. That is unless we’re getting paid bounties for the vulnerabilities we find. Either way, it’s a fierce passion, and we are deeply devoted to it.


Hire a hacker. You will be glad you did.


Vulnerabilities, as we know, come in a variety of forms and are often created through human error such as overlooked security issues, relaxed security protocols not being enforced, outright incompetence, and just forces that are beyond our control. As I always like to put it, computers are like a house of cards.


Let’s focus on human error for just a moment. While even the most hardened security can be formidable enough to defend against a hacker’s attempt at an intrusion, social engineering is a tool that is often difficult to detect, and a threat vector often overlooked.


The following is a collection of my experiences as an insider threat actor, and the human vulnerabilities I found that granted me favorable outcomes in my conquests.


In many regards, thinking like a hacker is a power that enables the facilitator to bend the will of another, whether it’s some form of code or that of human will. While the coding structure of web applications can be manipulated, or network protocols assaulted with requests in an attempt to crack a password, the truth of the matter is thus: hacking the human mind is the ultimate weapon in the toolkit of a cunning hacker.


Social Engineering


The context of the following scenario might not be applicable in most normal settings, but nevertheless, this occurred. Back between 2007 and 2008, my hacking group was at war with a rival hacker group.


What transpired was the fight to see who could outsmart the other. Because I did not make myself an easy target due to the fact that our website wasn’t known to the public, the odds were in my favor. But the same couldn’t be said about our enemy.


However, he had an extremely savvy web security team, who took care to patch any known vulnerabilities, making exploitation out of the question for the time being. Without a tool in my toolkit that could grant me access to his website, and not wanting to strike it with a denial of service attack, which could eventually restore access to the site, I opted for the next best thing social engineering.


Posing as an attorney, I contacted the host’s administrator and informed the person that their hosting provider was allowing hosting space to a subscriber whose platform is being used for illegal purposes. I told the admin that I myself was a victim, and intended to pursue the matter in court by threatening litigation if they did not terminate the subscriber’s access.


Within an hour, the website disappeared.


Similarly, around this same time period, a rival of mine claimed to have incriminating evidence of my hacking activities and assured me she intended to report them to the FBI.


My first response was to react. However, after I gathered my wits, I proceeded to phone her, pretending to be a private investigator, I supposedly hired to look into a matter to determine whether or not I needed legal counsel.


I managed to extract the necessary information I needed out of her, discovering, much to my relief, that she had been bluffing the entire time and therefore, had no intent to cause me harm other than to ruffle my feathers.


Sometimes we might be contacted by individuals claiming all kinds of things to try and pressure us into performing certain functions. Just because they sound professional, courteous, or exhibit knowledge of jargon doesn’t validate their identity. Always verify the identity of the person making asserting claims that seem believable.


Another instance when social engineering came in handy was when I was in prison for hacking and needed a civil attorney for litigation. However, the prison staff did not find this agreeable and strove to try to prevent me from being able to communicate with the attorney.


Using the computers available to me at the law library, I researched the name of a previous employee at the facility who had similarly pursued a lawsuit against staff for allegations of misconduct.


Now, knowing that my mail was being vigorously monitored, I sent letters to family and fictitious persons alluding to having connected with a previous prison official, in addition to a current officer, in an attempt to demoralize them, sowing distrust amidst their ranks in order to drive a wedge between them and control the way they communicated with one another.


Just because a threat actor makes a claim, regardless if it is legitimate, the important note to keep in mind is that if they are attempting to engage you using communication, it could be a ruse to control the way you react to the incident.


Deep Sleeper Agent, Double Life, Provocateur


I’m sure if anyone’s ever been on the online dating scene, they’ve had their fair share of catfishers. Fake accounts are a resourceful hacker’s secret weapon. We can be anyone, and you’d never even know it. Ever.


What started as a low-key social experiment ultimately evolved into one of the biggest operations of my life as a hacker. I utilized the highest-end photo filtering technology at the time to recreate myself as the ideal woman, complete with an archive of photos, a distinct and engaging personality, and an uncanny ability to weaponize sexism to my advantage in order to control individuals to do my bidding.


Using her appeal, in addition to my knowledge of hacking, I was able to infiltrate hacker groups and persuade them to listen to my direction and call to action through subtle provocative activity.


In order to satisfy the cyber sleuths who might try to divulge into her past, I created a large social media presence on various platforms. Ostensibly, the profile was more popular than I was.


Any time I needed to rally troops to support a cause that was important to me, I operated this puppet personality, and you know what? It worked. Every time. Whilst I cannot divulge the scope of the operations, without devoting it to another article, my ability to maneuver through the cyber underworld unseen is a specialty of mine.


If you suspect you are being catfished, or want to try to verify the authenticity of the photos being displayed in a person’s profile, I suggest using these free resources. TinEye is a free reverse photo search engine. Google Images is just as good.


Additionally, PimEyes is one of the best reverse image search engines because it uses facial recognition algorithms alongside machine learning to match faces with concise parameters. I'm not ready to describe how to spot fake photos just yet, but it's coming.


These rudimentary examples remind us that just because someone may use a picture depicting to be someone, or if we receive some form of communication from someone purporting to be, know, or intent to do something, verifying whether that person is who they say they are should be our first response.


Attorneys have BAR association numbers. Police officers have verifiable badge numbers and departments, and so on. If you cannot verify the identity of the person contacting you, dismissing them is a safe bet. I would rather be safe than sorry.


An article by

Jesse McGraw


Edited by

Ana Alexandre


82 views
Screen Shot 2022-06-13 at 4.57.16 PM.png

Detect, respond, prevent and SOAR with ORNA

Subscribe

Weekly cyber insights

Thanks for submitting!