Internet privacy and security course
About translation
Previous Next

Chapter 20

Mass hacking of devices

In this chapter, you will find about the dangers of mass hacking. You probably know that every day your computers, Wi-Fi routers, smartphones, smart home devices are scanned by hackers worldwide for any weaknesses or breaches in protection.

If they identify a poorly protected or vulnerable device, they will exploit them for sending spam or mining cryptocurrency. In the worst case scenario, they will lock your data and demand a ransom for releasing it or use your computer for illicit activity which will put you on the radar of the law enforcement.

This chapter will focus on mass hacking of devices, a danger every one of us is exposed to. I've broken this chapter up into several parts: what devices get hacked, why devices get hacked, how they get hacked and how you can protect yourself from it.

Types of devices that get hacked

Actually every device as well as smart home devices can be hacked. On one condition: this device can be connected to the Internet. Hackers take a keen interest in computers, servers, mobile devices and routers as it’s easier to make money off them.

In the first place, a perpetrator will resort to automatic extortion of money through compromised devices, for instance, by breaking into and locking down the files on your computer. There is a very high likelihood that your computer has the information you will be more than willing to pay a ransom. All the stages – from network scanning to data locking are carried out automatically, the perpetrator just has to maintain the performance of the system and keep withdrawing the poor victim’s money.

It’s a bit harder to make money off hacking a smart washing machine. On the other hand, you must’ve heard about “botnets” – a number of interconnected devices that comprise smart things: washing machines, fridges, TV sets, electric kettles, coffee machines and other consumer appliances, even smart toys and video cameras. Similar botnets are capable of sending junk mail, perform DDoS attacks (on a quite impressive scale) and mine bitcoins though they are much inferior to hacked personal computers.

IoT Mirai is the most infamous botnet to date. This botnet led a massive attack on Brian Kreb’s blog that belongs to an independent journalist who specializes in cyber-crime. Mirai silenced Kreb’s blog launching DDoS attacks against it. But Krebs is not Mirai’s most high-profile victim. Mirai showed what it is truly capable of in one of the biggest cyber assaults of all time on October 21st, 2016 when it disrupted Dyn, a major U.S. DNS provider, brought down the sites of such tech giants like Twitter and Amazon and caused the network across the East Coast states to function intermittently. The day has come when kettles and coffee machines can rise to attack an entire government though for the time being it can be done only on the Internet.

Later Mirai was improved to mine bitcoins using smart devices. Though the efficiency of smart devices for mining bitcoins is minimal, it’s quite cost-efficient. Though Mirai is the most infamous IoT botnet attacks, it’s not the only one out there, other botnets like Hajime have become prominent by operating in a similar manner.

Why devices are hacked


The most profitable way to make money is to hold the contents of a user’s device for a ransom. A perpetrator hacks a victim’s computer, locks his hard drives, and the decryption key is sent to the perpetrator’s server while the victim receives the information how to pay a ransom and then unlock his data. Here’s an example of a ransom message:

As a rule, to obtain the decryption key, a victim is required to pay from $300 to $1,000.

We will reveal more about it in the chapter devoted to malware, but even if you have your data encrypted, don’t rush to take your money to scammers. For instance, a range of ransomware can be beaten by decryption software without having to pay any money. For instance, GandCrab, XData, Bitcryptor and a number of other malware programs can be defeated this way.

Some programs only imitate encryption, hiding files and demanding ransom. They are also called fake ransomware, for instance, Fake Cerber belongs to this malware breed. In the majority of cases the problem is solved by rebooting your device, in rare cases you will have to spend some time adjusting the settings to release the hidden files.

Sometimes the developers of ransomware outright cheat innocent users since their software can only encrypt data while unable to decrypt it. Wiper malware designed to look like your typical ransomware operates in this manner. For instance, Petya was a notorious piece of wiper malware that seized data on users’ computers and demanded ransoms. However, the victims never got their files back because the virus never checked who the payments arrived from nor offered any chance of decrypting them in actuality. Petya is not ransomware, this is a cyber-weapon of mass destruction aimed to destroy user’s computers and leave them inoperable. Sometime ransomware becomes wiper malware because of an error. This happened to ransomware AVCrypt that removed users’ files to an unrecoverable state because of a malfunction overlooked by its developers.

 Some ransomware doesn’t even have to encrypt files or fake their encryption: it just threatens to leak their private details and pass them, for instance, to intelligence agencies. LeakerLocker is the type of Android malware that threatened to send user’s pictures, SMS, history of calls, Internet browsing history to every person on his or her smartphone or emails contacts list. The malware demanded that users pay within 72 hours. Many of us would rather prefer losing data than having it sent to all our friends, co-workers and family members. All the more so LeakerLocker asked for a $50 payment, a comparatively modest ransom amount.

Cryptocurrency mining

This is probably one of the most innocuous ways to monetize a hacked device. A compromised device is used simply for mining cryptocurrency. The victim will feel a drop in performance of his system, the components of the device will degrade faster because of the constant high load, and his electricity bills will increase respectively. In some countries where cryptocurrency mining is forbidden, you may face legal issues.


Plainly speaking, DDoS attacks involve overwhelming targets with simultaneous online requests, thus incapacitating websites. As a rule, a DDoS attack targets the server, but in reality it can be performed even against Wi-Fi router by cutting Internet access for the victim.

Then the perpetrator uses the compromised computer to flood the website with requests, other unwitting victims perform the same thing until the target of the attack runs out of resources to handle the traffic. Simultaneously some real customer, while attempting to connect to the site, for instance, to purchase an item, await the processing of his request to complete or fails to connect to the site entirely. Naturally, the customer will leave, most likely to go to a rival company, and the business will lose customers and revenue.

There are two main methods of monetizing a DDoS botnet model. The first one is to launch attacks against commercial projects and demand ransom. Suppose, you own a major online shopping store, your website generates revenue when a DDoS attack is launched against your site. You start losing money, and at this moment the orchestrator of the attack offers you a deal: you pay him money, and the attack will cease.

You have three options: continue to lose revenue and wait for the perpetrator to quit – this is clearly not the best option for your business. Option number two: pay the services of DDoS mitigation companies and finally pay money to the perpetrator.

While the second option looks the most sensible – use protection from DDoS attacks, it has obvious disadvantages: to secure reliable protection, you’ll have to pay a lot and on a regular basis, adjusting protection if you don’t have experts on your payroll will be time-consuming, while the perpetrator is ready to stop the attack right now for less money. And many victims share the same sensibilities: they choose paying the perpetrator though, of course, they don’t have any guarantees that the attacks will be stopped or the attacker won’t launch the offensive again.

You probably think about the consequences of a victim’s inadvertent participation in a DDoS attack. I have never heard that a person who unwittingly aided a DDoS attack got prosecuted for that, but there is a very high probability that this person will have problems when going on the Internet. Your IP address will be added to compromised IP bases, and your activity will be restricted by websites’ policies.

For instance, Google and many major websites may require you to enter captcha, smaller sites can simply forbid access for you. Your ISP can restrict access and demand you resolve the issue, you can find a lot of complaints related to Internet access blocking due to malicious activity if you search them on the Internet.


Every user must’ve received an unsolicited message on social networks or in instant messaging clients when a compromised computer of your friend starts sending you suspicious links. At least once in your life you have received an unsolicited ad that bypassed your spam filter.

SPAM is a huge business infrastructure of illegal advertising. Spammers’ services are mainly used by the sellers of illegal goods such as counterfeit medicines or by organizers of fraudulent investment operations.

As a rule, these are lucrative businesses, and they are ready to allocate considerable funds to advertising. They are banned from using major advertising platforms such as Google or Facebook (though there are ways to circumvent such ban) so they actively buy advertising on the underground market.

Sometimes SPAM is used for fraudulent intentions, for instance, after hijacking an account on a social network, a perpetrator starts corresponding with a victim’s friends asking them to borrow money.

If your accounts are used for sending SPAM, they can be blocked, and your friends will not be grateful for giving the fraudster their own money. If your email account is exploited, your IP address can be spam blacklisted, and the mail sent from your computer will be caught by spam folder (when delivered from the installed email client).

 You will have more serious problems if your ISP spam blacklists IP addresses, and then it may ultimately cut Internet access for you. Such incidents occur pretty often in Russia.

Covering up criminal activity

Cybercriminals have to hide their true whereabouts, and for these purposes they resort to different tools: remote desktops, VPN, SSH and proxy.

A victim’s compromised computer can be used as a remote desktop that will run a program for illicit activity. For instance, carders use remote desktops to play poker for stolen money in order to cash it out.

A perpetrator can hack a Wi-Fi router to deploy a VPN and engage in illegal activity. A compromised mobile phone can be used as a proxy.

In this case the victim may face far more serious consequences: hacked devices can be used for drug dealing, terrorist activity, carding, fraud. It won’t necessarily lead to a search warrant or arrest for the victim though there has been a number of such cases, however the victim runs the risk of ending up on the law enforcement’s list of suspects.

Performing computer attacks

To perform a computer attack, a perpetrator would need to scan the network and, depending on the type of attack, undertake brute-force cracking or exploit vulnerabilities. All these actions are a burden on resources. The perpetrator would have to rent servers, pay money, the servers will experience occasional blockages because of attendant complaints, require regular maintenance… But there is an alternative, freeloader’s way: a victim’s computer can become a link in the perpetrator’s chain and used for breaking into other devices. Most malware has exploited this scheme exactly to propagate through the systems: a compromised computer infected other computers that spread the infection further.

This may lead to serious problems since in the process of the attack the compromised device will scan the network and search for any devices that can be attacked. It can be government servers, or, for instance, the FBI’s website. Law enforcement is obligated to respond to this kind of attacks.

Displaying ads

This monetization method is, as a rule, used for hacked Wi-Fi routers. The goal of this attack is to replace the primary DNS server configured on the compromised Wi-Fi router to redirect the requests to websites to the perpetrator’s server, leaving the victim to view advertisements on top of it.

The simplest DNS replacement method is to occasionally redirect users to advertising landing pages, no matter what website’s name a user would be typing in his or her browser.  A more complicated method involves the replacement of Google’s advertising blocks and banners on existing websites.

You have probably guessed that perpetrators are pretty unscrupulous about the means they use to reach their ends. They can offer you to install malware, purchase dubious goods, invest in all kinds of fraudulent schemes, for instance, financial pyramids.

Usually during this process perpetrators would be hijacking your accounts on social networks, email clients, dating websites, forums and other resources. We will reveal more about the DNS server replacement attack in the chapter devoted to DNS.

Account hijacking

Your accounts on Gmail, Facebook, Twitter, dating sites are items for purchase, and they can be sold off on the black market. Hijacked accounts will be further used for sending spam, performing fraud and other illicit action. 

Account hijacking may occur when a DNS server is replaced or through some malware infecting the system. Account hijacking is not the ultimate target for a perpetrator, usually hackers use it as an extra monetization method.

But it’s a completely different story if they are dealing with bank and payment system accounts. They are often the main goal for many malicious organizations. Hacker either cash out hijacked accounts or sell them off on shadow forums for a percentage of the balance.

Sometimes hackers don’t resort to hijacking, they just replace your account details. For instance, you copy your friend’s bitcoin wallet to transfer him some money. Some malware analyses your clipboard and replaced the copied bitcoin wallet with the hacker’s wallet. Thus after copying your friend’s wallet, you are actually sending money to hackers, and there’s a high probability that it will take you time to take notice of what has happened.

Hackers can also replace wallets directly on websites, and in this case you will be copying an already altered wallet. We are going to reveal more about the capabilities of malware in the respective chapter.


This is a very straightforward monetization method. A perpetrator that hacked your device sells another perpetrator an installation of any software on your device. This may be ransomware, remote access Trojan, a miner for mining Bitcoins or any other program.

How your system is hacked

There are two common approaches to attacks: repeated password guessing (brute-force) and exploiting vulnerabilities.

Brute-force attack

Brute-force or password guessing is the most common attack due to its simplicity. A user just has to install readymade software and launch an attack. Usually this is done by script kiddies – hackers who use existing computer codes because they are unskilled to write their own programs.

Such attacks are incredibly effective against Wi-Fi routers when users don’t change the default password or set up a precariously simple password. Hackers always have a base of logins and passwords for all kinds of Wi-Fi routers, and they constantly scan the network trying to identify them.

All IP addresses are regularly scanned by attackers for exposed servers. When found, hackers usually try to locate the open port 22 (standard SSH port), check the most common logins such as root, admin, support, user and passwords. The more capacity a perpetrator has, the more possible passwords he can try.

Don’t be misled by the thinking that there is little chance of hackers ever reaching you: are you going to use VPN servers, proxy-servers? If you set up a VPN or proxy using CrowdShield, this program will automatically perform all the steps required for your protection. First, it will replace a standard SSH port for a random five-number port. Your login and password will be changed for a combination that no script kiddie or even NSA’s security experts will be able to crack.

A fail2ban system – special protection from brute-force attacks that is set up for the servers configured by CrowdShield. After a few attempts to crack the password, the IP address of the attacker will be blocked for a period of time. Given such multilayered protection, you can forget about the threat of having you login and password brute-forced.

If perpetrators are dealing with computers, they will be searching for computers activated by Remote Desktop Protocol that is designed to provide remote access to user. Usually RDP servers listen on port 3389, but to be sure, attackers check the range from 3350 to 3500 since administrators often change the port. Naturally, the connection is protected by a password – this is what the attackers are usually after. I recommend disabling RDP on your home computer even if you don’t use it. If you do use RDP, change the port and make a strong password. We will show how to do it when we will guide you through setting up operating system security.

Exploiting vulnerabilities

May 2017 saw the biggest cyberattack in ten years on computers running on Windows. The massive attack hit thousands of companies and organizations locking staff out of their computers, including the machines belonging to Russia’s Interior Ministry and one of the largest telecommunications provider Megafon. All the victims face the same unpalatable choice: the virus locks down all sensitive information on their computer and asks to pay up 300 USD by transferring the money to a Bitcoin wallet in exchange for the decryption key.

Usually such infections originate through physical penetration: for instance, a compromised flash drive or email containing malware, but this time the hackers didn’t have to resort to any of the traditional means of contagion. Computers were simply hacked, and the broadest and most damaging cyberattack ever was dubbed WannaCry.

The attackers exploited a loophole in a network file-sharing protocol SMB that enables a user to access resources on a remote server, such as files and printers. The perpetrators scanned the network for open 445 ports over which SMB operates. Then the attackers took advantage of the vulnerability known as EternalBlue and exploited it if the system was exposed to it. EternalBlue was leaked by the Shadow Brokers hacker group and allegedly developed by the U.S. National Security Agency.

Routers are just as vulnerable to vicious exploits, every year security researchers identify dozens of critical vulnerabilities in popular models of routers. As soon as hackers find out about a weakness, they start working on an exploit and scanning the network for any exposed devices.

In most cases users who haven’t updated their systems fall victims to such attacks. It happens to all owners of MikroTik routers that don’t have the latest security patches. While we were working on the release of this article, Hajime botnet was still out with massive scans for MikroTik routers.

But if the owners of MikroTik routers can at least get the latest security patch for their protection, sometimes an engineering team doesn’t patch a vulnerability at all or is too slow to release their security patches. In the chapter focusing on setting Wi-Fi security, you will learn how to choose a safe router and update it.

Hackers scan for similar vulnerabilities in mobile devices, smart home machines and even web cameras. Unfortunately, this attack is much more dangerous than a brute-force attack, and we are going to reveal how to protect yourself from it in the next part of this chapter.

How to protect yourself

Brute-force attacks

There are several ways to protect yourself from brute-force attacks:

Change a standard login and password for a stronger combination. In this course you will change passwords to router, RDP and learn how to create a strong password and securely store it. The program CrowdShield can automatically change your VPN and proxy servers passwords.

Change SSH and RDP ports. This will rule out most brute-force attacks as scanners search for standard ports. You will learn how to change RDP port in the chapter focusing on remote computers, while CrowdShield can change your SSH port of your VPNs.  

Block brute-force attack attempts. We have already mentioned fail2ban, an effective tool that prevents targeted brute-force attacks. Some Wi-Fi routers offer such functionality. 

Exploiting vulnerabilities

Timely updates of the system are your primary tool against vulnerability exploits. This course will show you how to securely update everything: from Wi-Fi routers to web camera’s firmware. You should keep yourself current with the latest vulnerabilities especially if the devices you are using can be exposed to them.

In addition to mastering updates, you will learn how to set up comprehensive security for your devices. For instance, we will cut down access from the external network to Wi-Fi router control, disable RDP and SMB, set up firewall negating dangerous attack possibilities.