When the WCRC met with convicted Welsh ex-cybercriminal Daniel Kelley: Part one
- jane09855
- 5 days ago

In October 2015, mobile phone provider TalkTalk fell victim to a £77 million cyber-attack that resulted in 160,000 of its customers having their personal and banking details illegally accessed.
And it was all down to a small group of individuals that included one young Welsh student, Daniel Kelley, who at just 16 years old began an ambitious career in hacking and became known as a "prolific, skilled and cynical cybercriminal."
It wasn’t just TalkTalk that fell foul of Daniel. Along with a group of cybercriminals, he targeted companies as far afield as Canada and Australia, attempting to hold bosses to ransom; even his own college, Coleg Sir Gar, was not exempt.
Yet, in 2016 the law finally caught up with him. The successful investigation was in fact led by our very own WCRC Managing Director, Paul Peters, and ultimately led to Daniel being sentenced to four years in a young offenders’ institution.
And now, nine years later, Paul has had the opportunity to ask Daniel a series of questions to learn more about how a cybercriminal operates, what motivates them, how organisations are at risk and what cyber security measures businesses should be putting in place.
What was your thought process for selecting targets?
I had three approaches when identifying potential targets.
The first was through mentions on cybercrime forums and networks I was part of. Sometimes, someone would compromise a website and need help exploiting it further or people would pay others to hack specific websites, so targets would be provided that way.
The second way was using search engines. If I wanted to steal credit or debit cards, for example, I would think of common businesses where they would be accepted—like online stores or hotel chains—and target those with the goal of extracting the data I needed.
The third approach was simply going after low-hanging fruit. If I discovered a vulnerability that affected outdated web servers, for example, I’d write a script to scan the internet for all websites running that outdated software and see what I could find. In these cases, I wasn’t targeting a specific company; it was more a case of casting a wide net and seeing what I could catch.
Was there a particular sector that was more vulnerable or did you target at random?
Government and educational institutions were the worst in terms of vulnerabilities because of their massive attack surfaces, but essentially anything in the public sector. These organisations often have thousands of internet-facing assets, and with so many shadow IT systems, it was inevitable that I would come across something that could be used as an entry point into a larger system.
After that, small and medium-sized businesses were the next most vulnerable. They typically don’t have strong security measures in place, making them easier to compromise.
Were there particular times when it was easier to gain access to a business? Did public holidays or weekends help you mask attacks?
I wouldn’t say there were specific times when it was easier to get into systems, but there were occasions when I was more interested in compromising businesses. Christmas and Black Friday were two key periods because of the high number of people shopping online. Websites had more traffic, customers were looking for deals, and businesses were processing more transactions. This also created an environment where attacks could go unnoticed more easily.
What types of data were you looking for, and what did you do with it?
I was financially motivated and there were three main ways to make money from compromising an organisation:
1) Steal data and sell access – I could sell both to other cybercriminals.
2) Deploy ransomware – encrypt files and demand payment for their release.
3) Extortion – threaten to leak stolen information unless the company paid.
If I had to rank the most valuable types of data, it would be:
1) Financial information (credit cards, banking details, payment records).
2) Medical information (high value due to sensitivity).
3) Emails and passwords, followed by general info (name, address, etc.).
Every type of stolen data has some kind of value.
Did you ever attack the same company multiple times? If so, why?
Yes, I would return to the same company up to three times, primarily because I knew they would pay. My approach was based on extortion: if they paid once, they were likely to pay again. It was about greed and knowing that they would comply.
What was the most common method of attack?
Different cybercriminals had different approaches. The focus is now on social engineering (phishing, SIM swapping) because it requires less technical skill. For me, web application attacks were my preferred method because I understood them best.
If I were targeting a business today, I’d first map out their attack surface, while others might go straight for employees via phishing. It all depended on the skill set of the attacker.
Stay tuned for part two, where Daniel explains where he thinks businesses are going wrong when it comes to their cyber resilience and what his top tips are to stay protected.
To find out more about the cyber security guidance, visit our services and membership package pages or get in touch with a member of our team.