The primary purpose of this site is to help you “think like a bad guy” – that is, how the cybercriminals are operating and how they wreak havoc on our lives. You may have heard the phrase “we don’t hack machines, we hack people”. That is a very true statement.
Let’s say I’m a bad guy (yeah, I know that’s hard to imagine), and I am looking to attack a person – maybe for money, perhaps for spite, or even just for fun. The most popular way to do this is via a phishing email. And I don’t even have to put a lot of effort into it.
Given the rise of Artificial Intelligence, these attacks are a lot more realistic than they have been in the past. There are many packages out there that provide the necessary components to craft very effective phishing emails – and AI is integrated. Take Darkula for instance. This is actually a “phishing-as-a-service” platform that allows the user to spoof any brand online – and it doesn’t take any technical skills whatsoever to accomplish. As noted in the 2/20/2025 post on Netcraft.com by Harry Freeborough, version 3 of Darkula allows users to build content aimed at the largest brands. The article shows just how easy it is to build the phishing kit using any brand. Because of the realism, many people are tricked into entering their credit card information. Credit card information gleaned from this attack is scanned and added to a digital wallet, which can then be used or sold.
Believe it or not, the all-inclusive package can be purchased via a private Telegram group for around $500/month. Also note that there are other phishing-as-a-service packages that are a lot cheaper (some are even free), but these usually have a component that lets the kit’s developer log in and also collect the credentials or credit card information that has been harvested.
Typically, if I’m the bad guy, I’m going after your username and password – because I know that most people use the same password (and usually their email address as the username) on every account they own – Netflix, banking, Amazon, etc. Once I have your email and password, I’m going to hit every major retail site out there – until I score. And I’m pretty confident it won’t take long.
So how do you protect yourself against these attacks?
- Develop a sense of “healthy paranoia”. Trust your gut – if you get an email from your bank asking you to log in and verify something, call them; don’t click a link.
- Do NOT use the same password on multiple accounts – use a password vault (my favorite for this is NordPass).
- For accounts that support it, use a passkey (if you’re not sure what a passkey is, PC Magazine explains it well).
- Use Multi-Factor Authentication. This is an additional layer of protection for your accounts, in which you are asked to verify that it is you by responding to a text message, email, or by using an authenticator application.
© 2025, Think Like A Bad Guy. All rights reserved.