- Laura Kankaala started as a white-hat hacker and now works for a cybersecurity firm in Finland.
- She said ransomware attacks used to be few and far between; now, new scams are appearing daily.
This as-told-to essay is based on a transcribed conversation with Laura Kankaala, head of threat intelligence at F-Secure, a Finnish cybersecurity company. The following has been edited for length and clarity.
I've always found hacking fascinating. Shadowy people who take advantage of weaknesses in technology. It had a mystique.
I liked the idea of doing the same thing, but without the criminal intent: finding those problems and fixing them.
I've been into computers since I was a kid. When I started my career, there were no university degrees in hacking. I taught myself and learned through experience.
I've worked in cyber security for almost 10 years now. I started as a consultant, doing what we call "penetration testing": hacking into companies' websites, mobile apps, and IT infrastructure to fix vulnerabilities in their systems. I've also helped companies to recover from hacking incidents: we call it "incident response."
I've been head of threat intelligence at F-Secure, a cybersecurity company in Finland, for two years.
I analyze internet attacks and conduct research into how people are targeted. Once we understand how a scam works, we add it to our database and can innovate new protections.
I find it worrying how technology can be misused — and the kinds of misuse are only increasing.
Cybercrime is usually about getting money out of the victim
Cybercrime is almost always about money. Sometimes, it's a ransomware attack, where malware — software designed for malicious intent — makes a system inoperable. The company or individual is then asked to pay for the release of their IT infrastructure, data, or whatever has been stolen.
If someone gains access to your online accounts or gets malware installed on your devices, it's very likely that the stolen data ends up being for sale on the internet.
Every year, cybercriminals steal — or attempt to steal — more money from companies and individuals.
At the start of my career, many of the threats we saw were somewhat abstract, and their impact wasn't as widespread. I remember some of the first instances of ransomware that hit Finland. At the time, these attacks were few and far between.
But over the course of my career, technology has become a huge part of our lives: we carry our phones with us all the time, work remotely, have email and phone numbers, and use social media, dating, and gaming platforms.
We have so much exposure on the internet, which makes us easier to target. Our data is becoming more valuable, and there are more ways that cybercriminals can benefit from stealing it.
Hackers can access more information than you'd think possible
As part of a Finnish TV series to help people understand the impact of hacking, we hacked into a person's computer with her permission. The volunteer still fell for our scam, even knowing she would be hacked.
We created fake profiles online, taking time to craft them so they'd appear as real people. On LinkedIn, for example, we gained as many connections as possible so that she would accept without question when we reached out to our target.
After we'd accomplished that, we directed her to a phishing site we had developed. It was a website that looked like Google, which we used to steal her credentials. We created a piece of malware that we convinced her to install, giving us full access to her PC and its data. We even turned on her webcam and recorded her.
This flashy example was made for entertainment, but it still showcased how real criminals use fake profiles, phishing websites, and malware to compromise a person or company.
New scams are being developed every day
I see multiple new scams or cyber security problems every day.
My team have uncovered a Telegram bot that generates and shares malware in the language based on the country code of the user's phone number; we discovered a scam where Android malware was disguised as wedding guest invitations; we have looked into scammers creating fake profiles based on recently deceased people online.
Scams and the whole ecosystem around them are becoming more sophisticated, and I think they will continue to do so.
Scammers have developed phishing toolkits that are freely available on the internet: step-by-step guidance on how to set up phishing attacks or ready-made websites that look like social media platforms with built-in phishing tools, so scammers don't need to know how to write code. You can even buy malware online, which comes with a kind of help desk for users.
Cybercrime is easier to do than ever before, and these toolkits will become more advanced and widely available. It's a big problem.
AI is increasingly being used as a tool for these attacks. It's creating better-looking scams, while deepfakes, voice clones, and video filters make it easier to fool people into believing things on the internet.
We're seeing romance scams where scammers are using deepfake video filter tools to pretend to be celebrities, for instance. They find people on dating apps, take the conversation to an instant messaging app and have a video chat, using filters to mimic someone else's appearance.
I've seen it used for investment scams, and there have been instances where a CEO's voice has been cloned with an AI tool and used to send a voice note over WhatsApp asking for money.
Thankfully, cyber security is being taken more seriously than it used to be.
Sometimes, I feel like I'm banging my head against a wall, and nothing is changing. But I do think that my work is doing something good every day and helping people. I'm hoping to do more of that in the future.