This essay is based on a transcript of a conversation with Laura Kankaala, head of threat intelligence at Finnish cybersecurity company F-Secure. The following has been edited for length and clarity.
I was always interested in hacking. Shadowy figures exploiting weaknesses in technology. There was an air of mysticism about it.
I liked the idea of doing the same thing without criminal intent: finding those problems and fixing them.
I’ve been interested in computers since I was a child. When I started my career, there was no college degree in hacking. I was self-taught and learned through experience.
I’ve been working in cybersecurity for almost 10 years. I started my career as a consultant, performing so-called “penetration testing” – breaking into companies’ websites, mobile apps, and IT infrastructure to fix vulnerabilities in their systems. I also helped companies recover from hacking incidents, which we call “incident response.”
I was Head of Threat Intelligence at F-Secure, a Finnish cybersecurity company, for two years.
I analyze internet attacks and do research on how people are targeted. Once I understand how a scam works, I can add it to my database and devise new protection measures.
I am concerned about the potential for misuse of technology, and the types of misuse are only increasing.
Cybercrime is usually aimed at extorting money from its victims.
Cybercrime is almost always motivated by money. Sometimes this is the case in ransomware attacks, where malware (maliciously designed software) renders systems inoperable. Companies or individuals are then asked to pay to release stolen IT infrastructure, data, or other items.
If someone gains access to your online accounts or installs malware on your devices, there is a very good chance that stolen data will be sold on the internet.
Cybercriminals steal or attempt to steal more money from businesses and individuals every year.
When I started my career, many of the threats we saw were a bit more abstract and their impact was not as widespread. I remember some of the first cases of ransomware hitting Finland. At the time, these attacks were quite rare.
But throughout my career, technology has become a bigger part of our lives: We carry our phones with us all the time, we work remotely, we have emails and phone numbers, and we use social media, dating, and gaming platforms.
Our high exposure on the internet makes us easier targets; our data is becoming more valuable, and so are the ways cybercriminals can steal it and profit from it.
Hackers have access to much more information than you might think
As part of a Finnish TV show to make people aware of the impact of hacking, we hacked into a person’s computer with their permission, and although the volunteer knew they would be hacked, they still fell for our scam.
We created fake online profiles and spent time perfecting them to look like real people. For example, on LinkedIn, we built as many connections as possible so that when we contacted our target, she would accept us without question.
After that, we directed her to a phishing site that we developed, a Google-like website, which we used to steal her credentials. We created malware and got her to install it, giving us full access to her PC and its data. We even turned on her webcam and recorded it.
While this flashy example was created for entertainment purposes, it shows how real criminals use fake profiles, phishing sites and malware to compromise individuals and businesses.
New scams are developed every day
Every day, new scams and cybersecurity issues emerge.
My team has found Telegram bots that generate and share malware in a language based on the country code of a user’s phone number, we’ve uncovered scams where Android malware was disguised as wedding guest invitations, and we’ve even looked into scammers creating fake profiles based on recently deceased people online.
Fraud and the entire ecosystem that surrounds it are becoming more sophisticated and will likely continue to do so in the future.
Crooks have developed phishing toolkits freely available on the Internet, including step-by-step guides for setting up phishing attacks and ready-made websites that look like social media platforms with phishing tools built in, so they don’t need to know how to write code. Malware can also be purchased online, which comes with a kind of help desk for users.
Cybercrime is becoming easier than ever before, and these toolkits will only become more sophisticated and widespread. This is a big problem.
AI is increasingly being used as a tool in these attacks: it’s creating better-looking scams, while deepfakes, voice clones and video filters are making it easier to trick people into believing things online.
For example, we are seeing romance scams where scammers use deepfake video filter tools to pose as celebrities. They find people on dating apps and then move the conversation to instant messaging apps to video chat, using filters to mimic the other person’s appearance.
We have seen it used in investment scams and there have been instances where CEOs’ voices have been replicated using AI tools to send voice notes on WhatsApp requesting funds.
Thankfully, cybersecurity is being taken more seriously than it used to be.
Sometimes I feel like I’m banging my head against the wall and it feels like nothing is changing, but I see my job as doing something good and helping people every day, and I hope to do more of that in the future.