Online Hijacking

It used to be that hijacking was something only done in person, but as we discuss in this blog post, online hijacking—where someone or some service takes over an individual’s online account—is now a growing occurrence. Not all forms of online hijacking are “criminal”; for example, browser hijacking— when your Internet search function is diverted to websites you never intended to visit or when advertisements are misleading and redirect you from the main website—may be a nuisance, but it is mainly a marketing tool used to direct interest in certain products. But not all online hijacking is so innocuous, and in those cases where it is not—where the hijacking is an attempt to damage reputation or demand compensation—it is an emerging threat for law enforcement.

Several high-profile cases of online hijacking fit into this category, including the high-profile attack on Sony Pictures where hackers demanded that the studio not screen the movie “The Interview.” In retaliation for not meeting the hijacking demands, embarrassing emails from Sony executives were released, which had substantial financial repercussions. Sony Pictures estimates they will spend $15 million in the aftermath of the attack of their systems, and the Chair of Sony Pictures recently stepped down.

Online hijacking can also take the form of account hijacking. This is what happened to former WIRED magazine writer, Mat Honan, who had his email account wiped, Twitter account stolen, and computer hard drive erased. It turns out that the hacker simply sought Honan’s prized three-letter Twitter username. This is a familiar style of online hijacking where friends inadvertently send spam through Facebook or email, a common indication that their account has been hijacked—stolen and used for a different purpose than originally intended when the account was created. Once again, the consequences were serious. Although Honan was able to recover his Twitter username, he was not able to recover the material on his wiped hard drive, which included losing all the pictures of his newborn daughter.

Yet other high-visibility examples of account hijacking can be seen in the Associated Press and Central Command (CENTCOM) cases. In 2013 the Associated Press’ Twitter account was hijacked, which led to changes in the U.S. stock market based on false information presented in the hacked account. Though not as far-reaching in damage, CENTCOM had its account hijacked in 2015 by alleged Islamist hackers.

Typically, this type of online hijacking can be reversed by resetting passwords and presenting credentials to account managers, and in the cases of the Associated Press and CENTCOM, the problems were immediately flagged and recognized. But cases like these cause real damages, and as these attacks grow in sophistication, they may be harder to detect and resolve and may involve even higher personal loss and damage—something law enforcement officials should be aware of going forward.


IACP Conference