How a cyber criminal can steal your identity

Mark Cutting

This article is number three in a series of three that I’ve been asked to write by one of my followers. The first article in the series can be found here, and the second, here. As always, feel free to ask me any questions!

Given the recent announcement in the news around the 711 million email addresses and passwords leaked via the Onliner Spambot, I thought I’d put the below together.

Panorama aired a program back in 2015 (#HowHackersStealYourID) that did a superb job of highlighting the very real threat of how cyber criminals can steal your identity – in fact, despite being two years old, every issue raised in this documentary still exists, and is as widespread today as it was when the documentary was first aired. As it’s not possible to cover all aspects of cyber crime in 60 minutes, I put this article together to address the most common (and not so common) attack methods, and ways you can arm yourself against this increasing threat.

Identity theft is not a new concept – it’s been around for a number of years. However, the onset of technology and its rapid advances over a very short space of time have made it much easier to commit cyber crime, and assume the identity of someone else. If you stop for a moment and consider what your identity says about you, and what is at risk, you may want to think twice about your online habits.

Cyber criminals and identity theft

Below is the original full documentary. As part of this article, I’d recommend watching this documentary when you have some free time (it’s over an hour long, but well worth watching).

Cyber criminals base most identity theft on the trust of the target. In the example, impersonation was the technique used by the criminals to steer the victim to their bank account. You may wonder how a simple phone call leads to a complete stranger being granted access to your bank account – it is all about gaining the trust of the individual.

One of the more common approaches adopted by cyber criminals today is to convince Windows users that they have a virus on their machine, and then offer to clean it for them (for a fee, of course). In actual fact, the user is the victim of two deceptions. Firstly, it is very common for Windows to log errors, and most of these can be ignored. The criminal uses these errors, along with frightening explanations, to convince the target that their system has been compromised.

Secondly, the target is then convinced to pay for the non-existent threat to be removed. The fee in this case varies depending on the criminal and the target – in other words, a higher level of trust often results in a higher fee being requested. Once the criminal has been able to extract the fee, the target is usually added to what is known as a “Suckers List” (more on this later).

Unsolicited and unexpected calls

If you start to receive unsolicited calls concerning viruses on your computer, you may have been the victim of a cyber criminal already. Your details have possibly been extracted from an organisation that has been breached recently, and then sold on the dark web for other criminals to make use of. The best response here is not to engage at all, and end the call.

Interestingly, cyber criminals also make use of the fact that only the caller can end the call, ultimately leveraging a technique known as “No Hang Up”. You may have noticed before that if someone calls you (landlines only) and you put the phone down, the call is actually still connected, as the originator has not ended the call. This technical quirk can be leveraged by a cyber criminal as a way of impersonating multiple parties in order to gain your trust. You call the police, but the phone is still connected to the cyber criminal. In this case, always check for a dial tone before making any calls – better still, use your mobile to make another call.

If you continue to receive unwanted calls, and wish to be able to police these yourself, you should consider a call blocking device. These typically assume control over the line, and if the correct passcode is not entered along with the dialled number, the call does not complete. There are other models that allow you to block calls with a button when they are received, although this process can become onerous after a short period of time if you are the recipient of several calls.

Use two-factor authentication

You should consider the use of a two-factor mechanism to secure access to your email. Most providers recommend this. If your credentials were leaked, they are useless without the secondary factor (typically in the form of a one-time security number, or validation in the form of an SMS message). Whilst the criminal has your username and password, they cannot possibly have access to the remaining component needed to fulfil the login request.

The danger with social media is the cross compatibility of accounts with other services. For example, there are hundreds of sites that allow you to log in using your Google, Facebook, and Twitter accounts. The cyber criminal only needs one of these to assume control over a much wider range of services.

Have I been “pwned”?

Yes, the name looks odd, but it is a well known term that describes the after-effect of compromise. This site will tell you if your email address has been compromised by criminal activity, and also tells you where it was obtained from. It’s well worth keeping a bookmark of this site, and if you check regularly, you can reduce the risk of your personal identity being used against you. An example of a recently compromised account will look like the below

Whilst an email address that hasn’t been the subject of a breach will return

One other technique you can use is to subscribe to Google Alerts. In this case, you can be notified by an alternative email address if your primary identity has been listed on Pastebin, for example.

If you’re wondering how the term “pwned” came about, it’s actually a misspelled word used to taunt, mock, and humiliate someone else – typically from the gaming scene. Opinions vary on the origin, but it is thought that the author originally intended to type “Owned”, and instead sent “Pwned”. In the case of cyber crime, it is used as a term to describe compromise or control of a target’s identity.

Check online accounts regularly

You should regularly check your online accounts for unexpected activity. This includes all social media accounts, email, your bank, and anything else that could be used to gain access. Email is often the target that most criminals go for, as it is the secondary factor required when resetting the password to your online accounts. If a cyber criminal gains control of this, they can assume your identity and reset your passwords. The cyber criminal then has complete control.

Your credit card is literally the gift that keeps giving. By this, I mean it can be used multiple times before you suspect any fraudulent activity. If your card details have been compromised, they can typically be purchased via the dark web for a minor cost – in Panorama’s case, less than $20. Obtaining these details is extremely easy, and anyone with access to a TOR browser can procure a complete list of cards that are UK based – for as little as £1 each.

You can never be 100% safe from hackers, and the information provided here is by no means exhaustive. Cyber criminals are now beginning to appear in all walks of life, and where there is an opportunity to extract your hard-earned money, they will take it.

About the Author
Mark Cutting


Mark Cutting is the founder of and He is a network, security and infrastructure expert with more than 27 years service in the Information Technology sector. Mark has a significant eye for detail, coupled with an extensive skill set. Having worked in numerous industries including trading, finance, hedge funds, marketing, manufacturing and distribution, he has been exposed to a wide variety of environments and technologies alike.

Mark Honeycutt

As I sit here, having just brute-forced my way into a “members-only directory” for a certain non-profit group that opens up a lot of personal details about the members, I concur with your analysis! For those learning, with full names, addresses, DOB, phone numbers, etc., and those of their children, I could easily use that information to get access to their bank accounts, email accounts, etc. Easier, I could sell this info to data buyers.

Aziz Rahman

You people fascinate and scare me in equal measure