In our last post, we discussed the damage that can be done when our passwords are compromised. This post will share some of the ways Cybercriminals are able to access the passwords that they do this damage with. There are many strategies these hackers use to get ahold of your password and other private information.
Some hackers can purchase or steal lists of usernames and passwords. Sometimes the hackers have the usernames and passwords, but do not know what type of accounts they logon to. In credential stuffing, the criminals use a computer to try these usernames and passwords in as many accounts as they can until they hopefully can find a match.
Over 70% of hackers start with a phishing technique. Instead of stealing your information, they just ask for it! Phishing is a form of social engineering which attempts to trick a user into supplying their username, password, or other personal information. The victim believes it is a genuine request from a legitimate and reputable requestor. They may tell you that there has been a security breach and that they need to check your credentials. They might tell you that they need you to change your password to protect you or your company.
The criminals use strategies such as calling you, texting you, or emailing you pretending to be a representative from a company that you have regular business with. They ask for your password or private information. Other times they send you a link to a site that then asks you for personal information. Sometimes the link releases spyware, ransomware, or other malware onto your computer.
Do not take the bait! If you receive a message or call from someone who claims to be a representative from a company you do business with, check them out. Verify the number or email address they are contacting you from. Contact someone you know from the company and verify the person. Be sure that you can find their information to contact them back directly. Do not just reply or return the call.
Check emails that contain attachments carefully. Most phishing emails contain misspellings or other errors that are not difficult to find if you take a moment to inspect the message carefully. Email addresses may have the name of a familiar company in them but are not the accurate email address from the company. Check the actual URL of any links.
Perhaps 16% of attacks on passwords come from password spraying attacks. Password spraying uses a list of the most used passwords with a username until there is, hopefully, a match.
Ideally the hacker has a list of known usernames. They use software to try each username with each of these most common passwords. Most sites will detect repeated logon attempt and lock the account. Cybercriminals get around this by using multiple IP addresses so that they can try more passwords before detection.
Users can protect themselves from password spraying by being aware of the most common passwords and avoiding them. Many password managers provide lists. There are many online resources that list the most common passwords. Be sure that your passwords are unique and original.
Keyloggers record the strokes you type on the keyboard. The criminal need access to the user’s machine. They may phish to get the user to help them install malware that logs all the victim’s keystrokes. The best way to stay safe from key logging is to have good security software on your devices to protect you by identifying and blocking malicious activity.
Brute force is less common because it is difficult, expensive, and time consuming for the hacker. The hacker uses an algorithm against an encrypted password to crack the password and reveal it in plain text. Algorithms can test every word in the dictionary in just seconds.
Local discovery is when a cybercriminal takes advantage of an opportunity. Maybe the hacker finds a paper you have written down passwords on. They may go dumpster diving. Maybe they are standing next to or behind you when you are logging into your computer. Once the hacker has your password, they can use it repeatedly and you won’t even know that anything is wrong.
This is the rarest approach to hacking, but it is not unheard of. There is no secrecy or hiding it, the cybercriminal simply demands that you give them your credentials. They threaten to do something you won’t like if you refuse. The criminal must be able to threaten you with a consequence that you feel is worse than giving out your password. They may have embarrassing information to reveal, pictures or videos, sensitive information, secrets you have shared, mistakes you’ve made, or even threaten you or your loved ones physically. This blackmail requires a relationship with the victim to have the capability to harm or embarrass you in some way if you refuse their demands.
Many corporate passwords are made up of words that are related to the business. Cybercriminals realize this fact. The hacker can study corporate literature, the website, or anything else public about the business and create a list of possible passwords to try.
Sophisticated criminals have software called spidering software or web crawlers that search for the keywords and create the list for them.
All these techniques may sound scary. You might feel overwhelmed and that you could never protect yourself from all these strategies? Catapult Tech Solutions can help you feel safe and secure!
Are you on Facebook? We are, too. Let’s be friends!