Blog: How Tos

The most hated man on the internet. Lessons to learn

Fergus Crossley 22 Aug 2023

A while ago I was scouring Netflix and stumbled across the 2022 The most hated man on the internet docuseries.

What’s that all about then?

The show is about Hunter Moore and his website (Wikipedia article), where abhorrent people uploaded naked / pornographic images, intended to shame or embarrass the subject. The website was shut down in April 2012. At its height it was getting 350K unique visits daily. Today that number could be monetised into $millions.

While some images were willingly submitted many were not. It was apparent that plenty of people, mainly women, had their intimate images uploaded without consent, and more worryingly those images had never been in the public domain before. They had gone to lengths to keep them private.

It transpired that many of the exploited women’s email accounts had been hacked. The Tactics, Techniques, and Procedures (TTPs) used to hack the accounts weren’t ground-breaking in the 2010s and they still work today. Typically it’s credential stuffing and spoofing of messages to friends in order to bypass 2FA. This isn’t APT territory, but it’s still effective.

Why have I written this post?

Like the TTPs used there, none of what I write is ground-breaking or state of the art. People’s digital lives are fairly easy to look in to as a consequence of social media and our increasingly connected lives.

At PTP we regularly use TTPs (TLAs in full effect!) in various engagements, TTPs that are covered in Netflix shows like The most hated man on the internet and also You. We use them to identify weaknesses in a client’s defences, and a significant part of those defences are human beings.

More and more we’re asked by the Board or Senior Leadership Team to conduct consensual Digital Footprint Reviews of its members, to identify potential angles or leverage a crook could use to bypass the most sophisticated tech a company can buy.

What lessons can we learn?

What we can learn from shows like this and the experiences of the victims:

  • Don’t give your password to anyone. Ever.
  • Double check and verify anyone who wants to connect with you, even if they seem like someone you know. Social media allows people to find out a lot about you and pretend to be someone you know.
  • Use a password manager and use different passwords for every account you have.
  • 2FA and MFA are good, but 2 step verification that relies on a text message to authenticate is weak. Someone needs to provide the phone number, right?
  • Question everything and anyone who requests personal information from you. Think about the worst thing that could happen and act accordingly.