How are webcams hacked?
In this article we go into more detail about the processes used to infect computers enabling webcams to be hacked.
Although certain processes are common regardless of whether it's an individual or a company being targeted, the fact remains that between the two, the computer equipment and contexts are different. This creates the need for different types of attacks.
Hacking the webcam of an individual
Emails linking to trap websites (joining a botnet)
Nowadays most information (adverts, certifications, invoices, etc.) is transmitted by email. This leads hackers to be particularly inventive in their ways of infecting us with viruses.
Here are some examples of the methods used, which, as you will come to understand, evolve regularly.
The infected attachment
This method involves attaching a file to an email that the hacker sends to you (as part of a spam campaign, for example). The file is intended to be opened by the victim.
This infected file could be an audio file, a PDF, an Office file (Word/Excel/PowerPoint) or even a webpage saved as a file (.html extension).
Once the file is opened, it invisibly takes control of your computer, and grants access to the hacker.
A link to a compromised and infectious website
Since the previously mentioned method is quite widespread and therefore well known, hackers have managed to innovate. A variant is to place a link intended for the victim in an email. Once again the goal is to encourage the victim to click on the link, leading them to visit a compromised website that could potentially infect their computer upon visiting the webpage (instead of upon opening an attachment).
Just like the previous method, the infection creates a file on your computer that invisibly takes control of it, and grants access to the hacker.
Your friend's/neighbour's USB drive
Unless you have a keen hacker for a neighbour, this method is very often just a continuation of the previous one: most people who carry an infected USB drive do so unknowingly.
When a computer is infected, it's possible that the virus is capable of spreading via USB drives subsequently connected to the infected computer. These USB drives, when shared with other people or used on other computers, enable the virus to attempt to infect the computers to which it is connected.
Website and phone application traps
One particularly effective method is the utilisation of infected webpages.
It is used both as the second step of the infection process, after an email has lured the intended victim to the page, and as a first step in its own right.
A hacker may choose to create a website containing enough words of interest to appeal to a wide audience. Visitors become victims whose computers are infected by malicious scripts that run when the webpage is opened.
A hacker can also choose to create a malicious website to trick you into downloading a virus posing as the legitimate application you are searching for on the internet, sold to you at whatever price the hacker sees fit. Such programs are often executable files (for example myfavouriteprogram.exe) which, once launched, invisibly compromise your computer.
Finally, perhaps you have deduced that this scenario also applies to (often free) applications downloaded from your phone's Google Play Store or App Store.
Hacking the webcam of a professional / company
Employees and their superiors: prime targets
Hackers never ignore the human element; it is a well-known vulnerability. The more employees there are, the more likely attacks are to succeed.
The methods used in this context are very similar to those mentioned in the "Individuals" section.
Businesses and more specifically employees (at all levels) are regularly confronted by spam and malicious emails.
The peculiarity of the corporate context is that hackers can use very clever scenarios to entice employees into opening a malicious attachment or visiting a compromised website.
To give an example scenario: thanks to standard company information available on the internet, hackers can find a manager's email address and use it as the sender address for their own email. They can then send a spoofed email to an internal accounting manager asking for urgent validation of an estimate attached to the email, under the guise of a big business deal.
The accounting department opens the attachment, thereby involuntarily executing the virus that will eventually allow the hacker to enter the company's internal computer network.
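One defender-side check against the spoofed-sender scenario just described, as an added example that is not part of the original article: it reads the Authentication-Results header written by the receiving mail server and flags messages whose visible From domain was not authenticated, whose display name imitates a manager while the address is external, or whose Reply-To quietly points to another domain. The domain example.com, the name "Alice Manager" and the three sample messages are constructed placeholders, as is the assumption that the gateway records SPF and DKIM results in that header.

```python
"""Flag inbound mail whose visible sender does not match what the receiving
server actually authenticated.  Added defender-side example; OUR_DOMAIN,
VIP_NAMES and the sample messages are constructed placeholders."""
import email
from email.utils import parseaddr

OUR_DOMAIN = "example.com"            # assumed: the organisation's own domain
VIP_NAMES = {"alice manager"}         # assumed: display names worth protecting


def domain_of(address):
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def authenticated_domain(msg):
    """Domain that passed DKIM or SPF according to the Authentication-Results
    header added by our own mail server; None if nothing passed."""
    header = msg.get("Authentication-Results", "")
    for clause in header.split(";"):
        clause = clause.strip()
        if clause.startswith("dkim=pass") and "header.d=" in clause:
            return clause.split("header.d=", 1)[1].split()[0].lower()
        if clause.startswith("spf=pass") and "smtp.mailfrom=" in clause:
            return domain_of(clause.split("smtp.mailfrom=", 1)[1].split()[0])
    return None


def assess(raw_message):
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    findings = []
    # 1. The From header claims our domain but our server did not authenticate it.
    if from_domain == OUR_DOMAIN and authenticated_domain(msg) != OUR_DOMAIN:
        findings.append("from-domain-not-authenticated")
    # 2. A manager's name shown on an outside address (look-alike or free-mail domain).
    if display_name.strip().lower() in VIP_NAMES and from_domain != OUR_DOMAIN:
        findings.append("vip-display-name-external-address")
    # 3. Replies silently routed to a different domain than the one displayed.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-domain-differs")
    return findings


# Constructed sample messages (headers only; bodies omitted).
SPOOFED = """From: "Alice Manager" <alice.manager@example.com>
Reply-To: <alice.manager@mail-example.net>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=alice.manager@example.com; dkim=none
Subject: URGENT: validate the attached estimate

"""

LOOKALIKE = """From: "Alice Manager" <alice.manager@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=alice.manager@examp1e.com; dkim=pass header.d=examp1e.com
Subject: URGENT: validate the attached estimate

"""

LEGIT = """From: "Alice Manager" <alice.manager@example.com>
Authentication-Results: mx.example.com; dkim=pass header.d=example.com; spf=pass smtp.mailfrom=alice.manager@example.com
Subject: Q3 estimate for review

"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, assess(raw) or "clean")
```

The look-alike case passes SPF and DKIM for its own domain, which is exactly why authentication results alone are not enough and the display-name check is needed alongside them.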
Another equally effective scenario may be to use the company's business applications to target employees.
Some companies receive many external requests via web form submissions, often including attachments.
In such a situation, hackers can also try to slip malicious files into the attachments of form submissions that are destined to be opened by company employees.
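The attachment types named earlier (Office documents, PDFs, HTML pages, executables such as myfavouriteprogram.exe) and the form-submission scenario both call for the same gateway check, so here is one added example, not code from the article, that triages an incoming file before an employee opens it: an extension allow-list, a double-extension check, a comparison of the file's leading bytes with its claimed type, and a look inside zip-based Office files for the vbaProject.bin part that macro-enabled documents carry. The allow-list and every sample file are constructed assumptions.

```python
"""Triage an incoming attachment before an employee opens it.  Added example;
the allow-list and every sample file are constructed, not taken from any real
mailbox or form."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed policy: file types the form/mail gateway is willing to pass through.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".png", ".jpg"}
OFFICE_EXTENSIONS = {".docx", ".docm", ".xlsx", ".xlsm", ".pptx", ".pptm"}
# Leading bytes expected for the types we know about.
MAGIC = {
    b"%PDF": {".pdf"},
    b"PK\x03\x04": OFFICE_EXTENSIONS,      # OOXML documents are zip archives
    b"\x89PNG": {".png"},
    b"\xff\xd8\xff": {".jpg"},
}
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF")     # Windows PE and Linux ELF headers


def has_vba_macros(data):
    """Macro-enabled Office files carry a vbaProject.bin part inside the zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return a list of findings for one attachment; empty means it passed."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    ext = suffixes[-1] if suffixes else ""
    findings = []
    if ext not in ALLOWED_EXTENSIONS:
        findings.append("extension-not-allowed")
    if len(suffixes) > 1:                      # e.g. estimate.pdf.exe
        findings.append("double-extension")
    if data.startswith(EXECUTABLE_MAGIC):      # a program, whatever it is called
        findings.append("executable-content")
    expected = [m for m, exts in MAGIC.items() if ext in exts]
    if expected and not data.startswith(tuple(expected)):
        findings.append("content-type-mismatch")
    if ext in OFFICE_EXTENSIONS and has_vba_macros(data):
        findings.append("office-macros")
    return findings


def build_macro_doc():
    """Constructed stand-in for a macro-enabled Word file (structure only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed samples: label -> (filename, content)
SAMPLES = {
    "genuine pdf": ("invoice.pdf", b"%PDF-1.7\n% constructed"),
    "disguised program": ("estimate.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60),
    "renamed program": ("report.pdf", b"MZ" + b"\x00" * 62),
    "macro document": ("estimate.docm", build_macro_doc()),
    "web page": ("invoice.html", b"<html><script></script></html>"),
}

if __name__ == "__main__":
    for label, (name, content) in SAMPLES.items():
        print(f"{label:18} {name:18} {triage(name, content) or 'pass'}")
```

The "renamed program" case is the one worth noting: its name passes the allow-list, so only the comparison of content against the claimed type catches it. In practice this check sits in front of, not instead of, antivirus scanning.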
The term "0-Day" refers to a security flaw or vulnerability for which there are no protective measures or patches available to prevent the vulnerability from being exploited.
The main reason this term is mentioned here is that hackers are particularly fond of such flaws: they let attacks go under the radar, with the greatest chance of evading up-to-date antivirus software and other protections.
This is why some experienced hackers, and also computer security companies, dedicate themselves to the continual search for vulnerabilities.
Unpatched servers/forwarding & bad VLAN partitioning
Would you consider acquiring and installing, as the front door to your home, an old door from the 1900s that may sometimes be opened more easily with a key-like object than with the key itself?
Similarly in computing, some may be tempted for various reasons, often economic, to retain old or outdated equipment. There is certainly a persistent mindset that if something works well then there is no need to change or fix it. Although that mindset may have some merit, it does not escape the analogy between the home and the computer. We often find companies that have been compromised for several months or years without any warning sign, until the time comes for their confidential or compromising information to be published on the internet. As you already know, by that point it is too late to remedy the error: the damage is done, the data was leaked long ago...
In practice there is often one (or even several) old accounting server or business application that has not been updated for years, or a corporate firewall dating back a few years, not to mention poor VLAN subnetting that allows hackers to move from an employee subnet to the server subnet.
Contractors with poorly scoped access
You have no doubt seen, in TV series or films, an agent who gets into the server room under the guise of performing maintenance. It is a cliché, but with a little refinement of the scenario it remains fully relevant and is sometimes difficult to spot.
An electrician replacing the fluorescent lights in your unattended server room, an air-conditioning technician coming to do maintenance...
Most of the time these people are simply there to do their job, but in the APT situations (targeted attacks) mentioned in the previous article, this remains one of the best entry points, because it gives direct access to the target company's internal network without having to deceive a user.
Among the traditional tools for creating remote access are a USB drive containing a malicious program, plugged into the back of one of the servers, or a module connected directly to the internal network, for example on a switch or a slightly hidden network socket, with a 4G uplink back to the hacker.
Other risky situations for company security are site visitors and ill-intentioned prospective hires.
Fortunately this is not a risk with every visit or job interview, but as in the case above, this mostly occurs in APT situations.
In current practice there are network setups where visitors have access to a guest WiFi network that is clumsily connected directly to the internal company network. From there, and without much difficulty, a visitor can probe which servers and computers are reachable and set up remote access that persists after the visit and is reachable from outside the physical walls of the company.
There's also the case of the job candidate who, after passing an interview test on a poorly partitioned company computer, runs their malicious program, again in order to create remote access for a future, more in-depth attack.
This candidate could also leave a malicious file on the shared file server and wait for an employee to run it and infect their computer, which has the same outcome as opening a malicious email attachment.
APT (Advanced Persistent Threats)
Here we come to the last part of the article, which is certainly the juiciest part for hackers. In the previous article we discussed APTs in the context of hacking by corporate competitors and state organisations. In these contexts, hackers' imaginations run at full speed. APTs are often a combination and repetition of several malicious actions carried out with precision.
Here are the main phases for the realization of an APT:
Determine the objective(s) of the attack (data, access control)
Plan out the various viable scenarios (Plan A, B, C)
Carry out the intrusion into the infrastructure of the target
Identify and map the target systems present
Compromise systems and recover identifiers, accounts, addresses
Establish persistent access to the target network
Search for new potential targets & further develop the malware used for targeting
Use obtained privileges to access data
Extract the data covertly
Some of these steps can be quick, but usually they are time-consuming, because the main goal must be achieved without arousing suspicion or triggering alerts. This is why attacks are often recognised or detected only several months after the initial intrusion.
After reviewing this series of methods, it is clear that ending up with an infected computer is very common today. Few of us could boast of having never been infected with a virus. And if one did make such a boast, one would suspect that this may be a delusion.
Faced with this, some simple actions can reduce both the risk and impact, and that is what we explain in the next article.