A 22-year-old Canada-born hacker by the name of Karim Baratov has pleaded guilty to charges of assisting Russian federal officers in accessing hundreds of millions of Yahoo accounts.
According to the case proceedings, Baratov’s mode of operation involved utmost simplicity where he would access the Yahoo accounts that are of interest to the Russian Federal Security Service (FSB) and provide them with the login credentials of the targets at a fee.
The Canadian was charged alongside three Russians earlier this year, prior to his recent guilty plea.
Two of the defendants hail from the Russian state agencies involved in security and intelligence gathering, whereas one was just a standalone hacker in Russia.
All parties supposedly worked collaboratively in the operation to infiltrate the Yahoo accounts.
According to court files, the two defendants from the Russia state agencies were responsible for directing the hacks and would only contact the hackers when their target was using a specific system.
Generally, hackers become specialized in a given area by studying the vulnerabilities of a particular system in an in-depth manner.
A cyber fraud who has investigated and analyzed a given system probably took the necessary time and effort to perfect their work.
This is why outside organizations and individuals will often look to highly trained black hat hackers to contract for hacking-related projects.
The Russians are well aware of this fact and just like anyone else, through the art of leverage, they can trade expertise with a hefty amount as witnessed in the case of Karim Baratov.
However, the exact number of accounts the Russians requested Baratov to infiltrate remains unknown.
But what is for sure is that, through the tactics used, he could gain access to hundreds of millions of Yahoo accounts.
The Canadian hacker first came into contact with the Russians officers through posting his services on a popular Russian site.
Of course, online websites on the dark web have provided a perfect hub for black hat hackers to sell their services, and Baratov did take advantage of the situation to get more high-profile clients.
So once contacted by a customer, he would then swing into action and access the emails accounts by spear phishing, which makes emails look as if they had come from a hosting server that the recipient assumes is a trusted source.
Then, when the receiver clicks on the email to check the content, the attacker will then gain access to the recipient’s information.
A recent increase in such attacks has awoken many businesses, governments and organizations to the need to prevent this from happening to them.
This year, many companies spending time and resources toward educating their employees about spear phishing attacks.
Among the topics taught are detection and prevention.
For those unfamiliar with phishing, there are certain measures to take to ensure that individuals are aware of the various types of phishing methods so they can avoid them in the future.
Other ways in which phishing can occur is through spoofed email addresses and online messages transmitting links with viruses attached to them.
The choice of a phishing attack will depend on the expertise, skill and experience of the attacker.
For this reason, ways to prevent phishing attacks include checking the security of the system on a regular basis to facilitate updates which seal loopholes.
Then, it’s necessary to apply automated spam filters on individual email accounts in order to detect viruses before they’re opened.
Although some innocent emails with no ill motive will get directed to the spam folder, this is still a valid measure to take.
Other steps include data encryption, installing an up-to-date anti-virus software and developing a security policy that regulates how data is accessed and used.
Hackers, too, are smart and will employ a variety of methods to ensure that their goal is attained.
Thus, following the tips explained above will minimize the risk of cyberattacks.
It is important to note than spear phishing, which is applied to a specific target, is different from standard phishing, which is used on a large group.
In the past, there have been many successful incidences of spear phishing attacks where hackers made away with millions of dollars.
In the past few years, companies have lost billions of dollars as a result of such types of attacks, although many of the involved companies will not publicly admit these attacks as they may cause reputational damage.
The most well-known spear phishing attacks of the past include:
- Ubiquiti Networks, which lost $46 million in 2015 as a result of fraudulent requests from an outsider targeting the finance department.
- Aerospace parts manufacturer FACC, which lost almost $50 million through a similar hack in 2016.
- Facebook and Google together lost a cumulative total of over $100 million through a phishing scam initiated from servers based in Lithuania.
For the Yahoo hacker, it is unclear if he has any involvement with other high-magnitude hacks that occurred across the globe.
But as far as things are, the charges he faces of identity theft and computer fraud are all factual since he has pleaded guilty.