India’s hacking ecosystem has seen manifold growth over the past few years. And, today, there are thousands of hackers that are carrying out clandestine operations but have escaped the glare of cybersecurity experts.
Recently, BellTrox InfoTech Services, a little-known Delhi-based technology firm, which was at the centre of a hacking operation that targeted thousands of emails of high-profile people, had hogged the limelight.
Thousands of young people, mostly based in small Indian towns, often self learn how to hack or break into systems, devices and networks to figure out ways to make easy money.
“The BellTrox incident is not surprising. Several companies or individuals who provide services like social media management to their clients may be asked to do some kind of hacking. The money is better in such work, but not everyone will agree to do it,” said Rohit Srivastwa, a veteran of the cybersecurity industry who has recently published a book ‘My Data, My Privacy, My Choice.’
According to revelations by Canada-based Citizen Lab, and first reported by Reuters, the underlying technology Belltrox used to allegedly target “thousands of individuals and organisations on six continents, including senior politicians, government prosecutors, chief executive officers (CEOs), journalists, and human rights defenders is phishing.”
Phishing attacks could either be in the form of an email from a trusted source asking for personal information such as passwords, bank details and personal details, or it could mimic an existing website or webpage and trick a user into entering confidential information on the page.
These attacks have been getting increasingly more convincing and sophisticated. What BellTrox’s clients provided it with were emails, personal connections, their habits and personal details.
Phishing accounted for 29 per cent of all fraud attacks in the first quarter of 2019 and India was second to the US on the list of top phishing hosting countries, according to cybersecurity firm RSA.
“The technical aspect of what Belltrox did is not that difficult. It was just well planned because the clients gave them access to the right kind of information to make the phishing attack look convincing. The skill level required is not incredibly high but phishing itself has been getting more sophisticated,” said Indrajeet Bhuyan, independent security researcher.
Even if you want to “hack” yourself, the process is neither obscure nor expensive.
A simple search will lead you to not just companies like BellTrox, but also tools and plugins which can help you to “hack” simple things like email and public social media accounts.
“Skill is required for doing the kind of work Belltrox allegedly does, but hacking is often more like a personal hobby for some. Young people learn fast and they often do not see whether the task is right or wrong. They will look at how challenging it is and whether they are getting the right kind of money. Bigger cities are not hubs for such activity. Even smaller towns and cities have people skilled in hacking and it’s only a question of who gets caught when,” said Srivastwa.
A popular tool on the open source repository GitHub, says Bhuyan, is called ShellPhish, and easily enables anyone without major technical skills to be able to generate a phishing page.
“There are lots of tools available to mount a phishing attack. How convincing you can make an email or webpage look is your skill,” he added.
Phishing techniques have also become more sophisticated over time and the market is expected to be worth over a $1 billion by 2022, according to research by marketsandmarkets.