
ESET: How hackers steal passwords and how to stop them

Passwords are the Achilles’ heel of many people’s digital lives, especially at a time when the average person has to remember dozens of them, a number that has grown steadily in recent years. Passwords are the virtual “keys” to the digital world, granting access to electronic banking, email, social networking services, Netflix, cloud data, and more.

With stolen passwords, a hacker can:

* Steal users’ personal information and then sell it to other criminals.

* Sell the passwords directly, since “dark web” marketplaces trade this information in bulk.

* Use the passwords to unlock other accounts protected by the same password.

Cybersecurity company ESET has outlined five key ways hackers steal passwords:

Phishing and social engineering

In phishing, hackers disguise themselves as friends, relatives, companies you have dealt with, and so on. The email or text you receive will look authentic, but will include a malicious link or attachment which, if clicked, downloads malware or takes you to a website that asks you to fill in your personal information. Scammers even use phone calls to extract passwords and other personal information directly from their victims, often pretending to be technical support agents. This method is called “vishing”.

Malware

Another popular way for hackers to get their hands on passwords is through malware. Phishing emails are a major driver of this type of attack, although you can also fall victim to malvertising or drive-by downloads. Malware can even hide in a mobile app that looks legitimate, which is often found in third-party app stores. There are several types of information-stealing malware, but some of the most common are designed to record keystrokes or take screenshots of the device screen and send them to the attackers.

Brute Forcing Attacks

The number of passwords that the average person has to manage is increasing by about 25% on an annual basis. Many people use passwords that are easy for them to remember (but also easy for someone else to guess) and reuse them on many different websites. This opens the door to so-called brute-force techniques. One of the most common is credential stuffing, in which attackers feed automated software large volumes of username/password combinations that have been compromised in the past. The tool then tests these combinations on a large number of websites, hoping to find a match. This way, hackers can unlock multiple accounts with a single password. An estimated 193 billion such attempts were made last year worldwide. Another brute-force technique is password spraying, in which hackers use automated software to test a list of frequently used passwords against a user’s account.
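As an added example (not from the ESET article), the Python below runs defender-side detection over constructed authentication log lines, separating the many-accounts pattern of credential stuffing and password spraying from a targeted brute-force attack on one account; the log format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample log (not real data): "time source_ip username result"
SAMPLE_LOG = """\
10:00:01 203.0.113.5 alice FAIL
10:00:02 203.0.113.5 bob FAIL
10:00:03 203.0.113.5 dave FAIL
10:00:04 203.0.113.5 frank OK
10:00:10 198.51.100.7 alice FAIL
10:00:11 198.51.100.7 alice FAIL
10:00:12 198.51.100.7 alice FAIL
10:00:13 192.0.2.9 alice OK
"""

def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def classify_sources(events, min_failures=3, min_distinct_users=3):
    """Classify each source IP by its failed logins (thresholds are assumptions):
    spray_or_stuffing   failures spread over many distinct usernames from one
                        source, the pattern of spraying and credential stuffing
    targeted_bruteforce failures concentrated on one or two accounts
    normal              below the failure threshold
    """
    fails = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails[e["ip"]].append(e["user"])
    verdicts = {}
    for ip, users in fails.items():
        if len(users) < min_failures:
            verdicts[ip] = "normal"
        elif len(set(users)) >= min_distinct_users:
            verdicts[ip] = "spray_or_stuffing"
        else:
            verdicts[ip] = "targeted_bruteforce"
    return verdicts

def successes_after_spray(events, verdicts):
    """Accounts that logged in OK from a flagged source: the 'matches' the
    attacker was looking for, so these need a forced password reset."""
    return sorted({e["user"] for e in events
                   if e["ok"] and verdicts.get(e["ip"]) == "spray_or_stuffing"})
```

Per-account lockout counters would not catch the first source, because each account sees only one failure; grouping failures by source is what exposes the spray.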

Guessing

Although hackers have automated tools for cracking passwords, sometimes they are not even necessary: simple guessing – unlike the more systematic approach used in brute-force attacks – can do the trick. The most common password for 2020 was “123456”, followed by “123456789”. In fourth place was the word “password”. Most people use the same password or a derivative of it on multiple accounts, making it easy for scammers.

Shoulder surfing – Peeking over the victim’s shoulder

Some long-established spying techniques continue to be a danger. These presuppose the physical presence of the attacker close to the victim, so that the attacker has a line of sight to the victim’s keyboard and screen. A higher-tech version, known as a “man-in-the-middle” attack and based on Wi-Fi interception, could allow a hacker connected to the same public Wi-Fi network to capture a password as an unsuspecting user enters it while connected to the same access point.

How can you protect yourself from all this?

* Use only strong and unique passwords or passphrases on all online accounts, especially banking, email and social media.

* Do not use the same password on different accounts.

* Enable 2-factor authentication (2FA) on all accounts.

* Use a password manager, which will store strong, unique passwords for each webpage and each account.

* Change your password immediately if a provider notifies you that your data may have been compromised.

* Only visit websites served over HTTPS (addresses beginning with https://).

* Do not click on links or open attachments in junk e-mail messages.

* Download applications only from official app stores.

* Invest in security software from a trusted provider for all your devices.

* Make sure all operating systems and applications are upgraded to the latest version.

* Beware of people looking over your shoulder in public places.

* Never sign in to an account if you are on a public Wi-Fi network. If you must use such a network, use a VPN.


Source: Capital
