The Dangerous Web
We're all at risk
The digital age has transformed the world into a global village. The internet has become our home, our workplace, our playground. But the digital world is also a breeding ground for threats.
The consequences of cyber attacks can be devastating. You could wake up to find your bank account drained, your files deleted, or your photos shared online. Just like that, your entire life could be thrown into disarray.
You might not think you’re at risk of this. But every person who uses the internet is a potential target for cyber attackers, just as every person who owns a home is a potential target for thieves.
In 2017, about a quarter of a million innocent people were hit by an attack called WannaCry. These people discovered a message on their laptops, declaring that all their files had been locked, and wouldn’t be released without payment.
It affected people all around the world – and it also affected businesses. As they scrambled to recover their computer systems, these businesses suffered combined losses of about $4 billion.
Most people never got their data back. Not even the ones who paid the ransom. Can you imagine losing your entire computer? Every photo, every file, every byte.
WannaCry wasn’t an isolated incident. Cybercrime is on the rise. According to research by Cybercrime Magazine, the annual cost of cyber attacks will reach a mind-boggling figure of $10.5 trillion by 2025.
To put that into perspective: that's more than the GDP of most countries. America and China are the only nations that bring in more money than cybercrime.
With so much at stake, this phenomenon isn’t just a danger to our personal data and systems. It’s also a danger to our global economy, and even our way of life.
Fortunately, there are plenty of ways to keep our computers safe. That’s the purpose of cybersecurity – a set of defenses that keep cyber criminals away.
A computer without cybersecurity is like a house without a door. A thief could easily walk right in, then stroll out again with your belongings piled high in both arms.
We’re not just talking about passwords, here. You’ll need a lot more than that to hold back cyber attacks.
And that’s what this pathway is here for. By the time you’re done, you’ll know exactly how to keep yourself secure.
Case study: WannaCry
The following text is a fictional interview with a victim of WannaCry.
Timestamp: 00:01:30
Do you remember how it started?
"I sat down at my computer, ready to start my day, and then... there it was.
A ransom note, right on my screen. 'Ooops, your files have been encrypted! If you want to decrypt them, you’ll have to pay $500.'
I just... I couldn't believe it. I felt this wave of panic wash over me. I didn't know what to do, who to call... I felt so helpless."
Timestamp: 00:03:11
Did you recover your files?
"No. I lost everything. My work files. My bank details. Even photos of my son as a baby.
I heard that some people tried to pay the ransom, but they didn't get their data back either.
I just... I never thought something like this could happen to me. The stress, the anxiety... it was a nightmare."
Timestamp: 00:04:27
Is there anything else you'd like to tell us?
"You know, the biggest lesson I learned from all this is that cybersecurity isn't just for massive businesses.
We're all at risk. And I wish... I wish I'd known that sooner.
So yeah, that's what I'd like to say. Protect your data – or regret it, just like me."
Malware
In the shadowy corners of the digital world lurks 'malicious software', or malware. Before learning how to defend against it, let’s find out what malware does.
A common example is a computer virus. This is a piece of malicious code, or a malicious program, that spreads from one computer to another, much like how a biological virus spreads from host to host.
A Trojan is a type of virus. It’s named after the legend of the Trojan horse. A Trojan masquerades as a regular file, like an email attachment or an update – but when a user innocently clicks that file, a virus installs instead.
Once it gets inside, a virus can unleash its malicious payload, just like all those soldiers hidden in the horse. This payload might steal important data, corrupt your files, or cause other kinds of damage instead.
While viruses require a user to actually click on something – like pressing ‘install’ on a well-disguised Trojan – worms are another type of malware that can spread without user interaction.
Instead, they slither into systems automatically, exploiting the cracks in your defenses. Their ability to multiply and spread automatically means that worms are often hard to stop.
Imagine heading to a cafe, and connecting to the public WiFi. There might be a worm there, lying in wait. And as soon as you join, it slips inside your system.
A notorious worm, by the name of ILOVEYOU, spread itself via email. Whenever it infected a person’s system, it corrupted the hard drive, then automatically forwarded itself on to everyone in that person’s address book.
Ransomware is another type of malware. It might infect a system in a similar way to a virus or a worm – but once it gets inside, it performs a specific set of behaviors.
It starts by encrypting all of your files, effectively locking you out of your own data. After that, it will demand a ransom payment, promising to restore the encrypted files as soon as the ransom is paid.
Ransomware doesn’t discriminate. Anyone can find themselves at risk. For example, during the WannaCry outbreak in 2017, the UK’s National Health Service (NHS) was attacked.
As many as 70,000 NHS devices were affected. In some places, patients were turned away, as hospitals scrambled to regain some kind of control.
Spyware is another type of malware. After installing itself, it lurks in the shadows of a computer system, spying on user activity. It might collect information, like passwords or bank numbers, then send it back to the person who launched the attack.
Then there’s adware. After infecting a computer, it will bombard you with adverts, turning your entire digital system into a nightmare full of pop-ups, banners and clutter.
The Zlob Trojan, which was first discovered in 2005, is an example of a computer virus that combines elements of both spyware and adware. It used pop-up ads to trick users into downloading fake security software, which then collected their personal data.
Malware can also be used to turn a computer into a zombie. A zombie computer can be controlled remotely by another person, almost as though they’re sitting in the room alongside you.
This person might command your computer to send out emails, each one containing links to more malware. Or they might use it to store some illegal files, which they don’t want to keep on their own personal machine.
Cryptojacking is another threat associated with zombie computers. It uses your computer as a mining rig for cryptocurrency, which slows down your system and increases your energy bills.
In other words, there are lots of different types of malware out there. From viruses to zombies, it’s easy to see why the internet is such a dangerous place.
Hacking
Malware doesn’t just pop into existence, or evolve of its own accord. Every piece of malicious software was made by a real-life person. By someone who wants to exploit the weaknesses of other online users.
Collectively, these malware-makers are often referred to as hackers. They’re talented and devious, and use their skills to access other people’s machines. Once they’re in, they’ll set up ransomware, or spyware, or whatever else they want to.
Not all hackers are bad. White hat hackers are individuals who use their skills for good. They identify weaknesses in computer systems, then help to fix those weaknesses before malware finds its way in.
But black hat hackers are a menace. If your computer is a fortress, then black hat hackers are the invading army who want to force their way inside.
When a black hat hacker develops a piece of malicious software, they’ll sometimes take a scattergun approach, just tossing that malware out into the world and waiting for the code to infect any systems it touches.
This approach was used for famous attacks like ILOVEYOU (2000) and WannaCry (2017). These worms infected millions of computers as they spread across the internet at random.
At other times, a hacker will take a much more targeted approach. Instead of attacking at random, they’ll specifically identify a person or business that they want their malware to attack.
It’s the difference between poisoning a local well, and infecting anyone who happens to drink there, versus breaking into a target’s house, and specifically poisoning their cup.
When a hacker targets a specific user, they’ll often try to access their system by guessing that user’s password. A single password can protect a wealth of sensitive data, from social media to online banking.
Brute forcing is a hacking technique that involves a hacker trying every combination of letters and symbols until they stumble across a user’s private password. It's like a persistent burglar trying every combination on a lock until a door eventually opens.
It's a painstaking process, which requires a lot of time and energy, especially for complex passwords. The more complex the password, the more combinations there are to try, and the longer the process takes.
But for simpler passwords, brute forcing can be quick and efficient. This approach is often an effective way for hackers to enter your system.
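To put numbers on that difference, the following Python sketch (an added example, not part of the original course) counts how many candidates an exhaustive search would have to cover for a given password and how long that takes at an assumed guess rate. The rate and the sample passwords are constructed for illustration, and the sketch models only the try-every-combination search described above.

```python
import string

# Assumed guess rate (guesses per second): a hypothetical figure for illustration.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000

POOLS = (string.ascii_lowercase, string.ascii_uppercase,
         string.digits, string.punctuation)

def alphabet_size(password: str) -> int:
    """Size of the smallest character pool an exhaustive search must cover."""
    if not password:
        raise ValueError("empty password")
    size = sum(len(pool) for pool in POOLS if any(c in pool for c in password))
    # Characters outside the four ASCII pools are counted individually.
    size += len({c for c in password if not any(c in pool for pool in POOLS)})
    return size

def search_space(password: str) -> int:
    """Number of candidates of this length drawn from that pool."""
    return alphabet_size(password) ** len(password)

def worst_case_seconds(password: str, rate: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate at the assumed rate."""
    return search_space(password) / rate

def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, length in (("years", 31_536_000), ("days", 86_400),
                         ("hours", 3_600), ("minutes", 60)):
        if seconds >= length:
            return f"{seconds / length:,.1f} {unit}"
    return f"{seconds:.3f} seconds"

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for pw in ("7391", "sunshine", "Sunsh1ne!", "correcthorsebattery"):
        print(f"{pw!r:>22}  pool={alphabet_size(pw):>2}  "
              f"candidates={search_space(pw):.2e}  "
              f"worst case={humanize(worst_case_seconds(pw))}")
```

Running it shows that adding length grows the search space faster than adding character types: the 19-letter lowercase sample has far more candidates than the 9-character mixed one.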
Black hat hackers also use an approach called a man-in-the-middle (MitM) attack. In this type of attack, the hacker doesn’t enter a system directly; instead, they target streams of data as they flow from one system to another.
For example, two users might be sending emails back and forth to each other. The hacker latches onto these emails, intercepting the communication without either of the users knowing.
From there, the hacker can eavesdrop on the private conversation – an invisible stranger listening in to everything those people have to say. They’ll be hoping to overhear some important information, like a clue to your passwords or bank details.
Sometimes, a hacker can actually manipulate the nature of a private conversation, tweaking emails as they pass. For example, they might attach a Trojan to an innocent email you just sent to one of your friends.
Some hackers will also use physical attacks to gain access to a user’s system. For example, they might upload a piece of malware onto a USB stick, then deliberately leave that USB stick lying around.
Someone might find it in a cafe or an office. Out of curiosity, they plug the USB into their laptop. Instantly, the malware flows into the system, bypassing any passwords along the way.
Shoulder surfing is another type of physical attack. It’s simple but effective: in a public place, like a cafe or a library, a hacker watches a user's screen over their shoulder. When the user types in their password, the hacker notes down the keys.
ATM PIN theft is a common example of shoulder surfing. The attacker waits in line behind a target, like a predator watching its prey. When the target enters their PIN, the attacker suddenly has access to that person’s accounts.
Phishing
Hackers are often masters of computer programming. You can’t write an effective piece of malware without knowing a lot about code. But they also have another talent: social engineering.
Social engineering is a catch-all term for manipulative tactics that play on our emotions, and trick us into letting hackers enter our private systems.
Leaving a USB stick lying around is an example of this. It plays on human curiosity – how many unsuspecting people would be tempted to plug that USB in, just to take a peek at what’s on there?
Or maybe a hacker will take a different approach, using a childish-looking USB with unicorns printed on the side. This time, they’re playing on pity, or guilt. You want to return this USB to the child who must have lost it – so you plug it in, in the hope of finding some contact information inside.
The most common type of social engineering is something known as phishing. This is when hackers contact people while pretending to be someone they’re not.
For example, they might send you an urgent email posing as your bank. The email warns you that there’s been a security breach, and says that everyone should check their account. Nervous, you decide to follow the link, and try to log in–
The link was fake. You just typed your password into a decoy webpage, and the hacker now knows your details. Or maybe the link was a Trojan. When you clicked it, a virus installed on your personal system.
Every day, a staggering 3.4 billion phishing emails are sent out by hackers all across the world. They pose as banks and businesses, as medical professionals, as family members and friends.
A lot of phishing attacks are generic: the same email is sent to thousands of people, with hackers hoping that a few of these people will bite. But sometimes, attacks are targeted. This approach is known as spear-phishing.
In spear-phishing, a hacker will research their victim, and carefully tailor their communication to make it more believable. For example, they might find the victim’s social media page, and discover that their partner’s name is Jake.
The hacker can proceed to email the victim from an unknown address: “Hey, it’s Jake, I just lost my phone so I’m borrowing a friend’s. Can you send £20 to their bank account for me? They said they’d help me pay for a taxi.”
The personalized nature of spear-phishing makes the deception more convincing. If you received this email, would you fall for it? A lot of people would.
Phishing isn’t limited to emails. Hackers might also target people via text messages, social media, or even phone calls. To make things worse, these techniques are evolving, becoming more advanced and more dangerous with every passing year.
A new and potentially devastating development is AI voice phishing, or vishing. This technique uses artificial intelligence to mimic the voice of a trusted person, making the scam a lot more convincing.
In 2019, an employee at a UK energy firm received a phone call from his boss. On the call, he was told to transfer a lump of company money to the account of a Hungarian supplier.
The employee did as he was told – but later found out that the phone call wasn’t from his boss. Instead, a hacker had used deepfake technology to mimic the boss’ voice.
Case study: Phishing
The following text is a fictional example of a chain of phishing emails.
Subject: URGENT!! Account Verification Required
Date & Time: 12/01/2024, 10:33 AM
Dear Mo,
We've noticed suspicious activity on your bank account. To keep your account secure, we need you to verify your account details.
Please CLICK HERE to verify your account. Remember, never share your verification code with anyone.
Best,
Alex
Subject: RE: URGENT!! Account Verification Required
Date & Time: 12/01/2024, 11:08 AM
Dear Alex,
I've just verified my account details as requested. Can you please confirm that my account is now secure?
Thank you,
Mo
Subject: RE: URGENT!! Account Verification Required
Date & Time: 12/01/2024, 11:15 AM
Dear Mo,
Thank you for your prompt response. We've received your account details and your account is now secure. We appreciate your cooperation.
Best,
Alex
Subject: RE: URGENT!! Account Verification Required
Date & Time: 12/01/2024, 11:27 AM
Dear Alex,
What's happening? I just got a message saying a large withdrawal has been made from my account. This wasn't me. Can you please help?
Best,
Mo
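The warning signs in the first email of this chain (urgent wording, a request to verify account details, a generic "CLICK HERE" link) can be checked for automatically. The Python sketch below is an added example, not part of the original course; the sender address, link target and the trusted domain `bank.example` are invented placeholders, and the sample message is constructed from the case study.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the first email of the case study; the
# addresses and the link target are invented placeholders.
SAMPLE = """\
From: "Your Bank" <alex@secure-login.example>
To: mo@mail.example
Subject: URGENT!! Account Verification Required
Content-Type: text/html

<p>Dear Mo,</p>
<p>We've noticed suspicious activity on your bank account. To keep your account
secure, we need you to verify your account details.</p>
<p>Please <a href="http://bank-verify.example/login">CLICK HERE</a> to verify.</p>
"""

URGENCY = re.compile(r"\burgent\b|\bimmediately\b|suspicious\s+activity|!!", re.I)
CREDENTIAL_ASK = re.compile(r"verify\s+your\s+account|confirm\s+your\s+password", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
GENERIC_LINK_TEXT = {"click here", "verify", "log in"}

def is_trusted(host: str, trusted: set[str]) -> bool:
    """True if host is a trusted domain or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in trusted)

def phishing_indicators(raw: str, trusted: set[str]) -> list[str]:
    """Return the warning signs found in one single-part raw email."""
    msg = message_from_string(raw)
    body = msg.get_payload()
    found = []
    if URGENCY.search(msg.get("Subject", "")) or URGENCY.search(body):
        found.append("urgency")
    if CREDENTIAL_ASK.search(body):
        found.append("credential-request")
    for href, text in LINK.findall(body):
        host = urlparse(href).hostname or ""
        if text.strip().lower() in GENERIC_LINK_TEXT:
            found.append("generic-link-text")
        if not is_trusted(host, trusted):
            found.append(f"untrusted-link-host:{host}")
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not is_trusted(sender, trusted):
        found.append(f"untrusted-sender-domain:{sender}")
    return found

if __name__ == "__main__":
    # "bank.example" stands in for the recipient's real bank domain (assumption).
    print(phishing_indicators(SAMPLE, {"bank.example"}))
```

The From header can be forged, so a trusted sender domain is not proof that a message is genuine; these checks only flag the warning signs described above.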