Lale Çorumlu

Cybersecurity company ESET has reviewed the methods hackers use to steal passwords and provided information on dos and don'ts.

The concept of password has been in our lives for centuries, and the introduction of passwords into the world of computing is even older than most of us can remember. We live in an age where the average person has 100 logins to remember, and that number is growing. Many people take shortcuts for their own convenience, resulting in security issues. Considering that the only thing between a cybercriminal and your personal and financial information is the password, we can understand why crooks are so eager to steal or crack their login information. Passwords are the virtual keys of the digital world. It provides access to online banking, email and social media services, Netflix accounts and all data in cloud storage.

What hackers with login credentials can do:

• Stealing personal identity information and selling it to other criminals
• Selling the ability to access the account itself to others. These credentials are traded on criminal sites on the dark web. Malicious people who receive this information can gain access to everything from free taxi rides and video feeds to discounted travel with compromised air miles accounts.
• Using passwords to log into other accounts where you use the same password.

How hackers steal passwords?

1. Phishing and social engineering

Humans are error-prone and predictable creatures. We are also prone to making wrong decisions when we are asked to hurry. Cybercriminals exploit these weaknesses through social engineering. Social engineering is psychological trickery designed to make us do something we shouldn't. Phishing is probably the best-known example of this. In phishing, hackers impersonate real people, such as friends, family, and companies with whom you have business relationships. The email or message you receive appears to be genuine, but the email or message contains a malicious link or attachment. When you click on this link or attachment, you will either download a malware or be redirected to a page where you have to enter your personal information.

There are many ways to spot signs of a phishing attack, as we explain here.

Scammers often pretend to be technical support engineers by calling their victims directly to get their login and other personal information. This technique is called “voice identity theft” (voice-based identity theft).

2. Malware

One of the popular ways to get hold of your passwords is with malware. Phishing emails are the primary vector for this type of attack. You can become a victim by clicking on a malicious online ad (malicious ad) or visiting a compromised website (inadvertent download). As ESET researcher Lukas Stefanko has shown many times, malware can even be hidden in a genuine-looking phone app, often found in third-party app stores.

There are various types of malware that are used to steal information, but some of the most common are designed to record keys you press or take a screenshot of your device and send that image to attackers.

3. Trial and error attacks

The average number of passwords the average person needs to know has increased by 25% in 2020. As a result, many of us choose easy-to-remember passwords and use them across multiple sites. However, this situation can open the doors for techniques called trial and error attack. One of the most common of these is identity theft. In this technique, attackers upload large volumes of previously compromised user/password combinations to an automated software. This tool then tries to find matches by trying combinations across multiple sites. In this way, hackers can take over many of your accounts with just one password. According to one calculation, it was calculated that there were 193 billion such attempts worldwide last year. Recently, the Canadian government has fallen victim to this technique.

Another trial and error technique is password spraying. In this technique, hackers use automated software to crack your account password by trying common passwords.

4. Prediction

Although they have automated tools for obtaining your password by trial and error, hackers can sometimes obtain your password without the need for these tools with just a simple guess, in contrast to the more systematic approach used in brute force attacks. The most used password in 2020 was “123456”, followed by “123456789”. The word “password” was in the fourth place among the most used passwords. If you, like many people, use the same password or set a similar password on multiple accounts, you make it easier for attackers and increase your risk of identity theft and fraud.

5. Sneaking over the shoulder

The password breaches we have examined so far were the methods implemented in the virtual environment. But as restrictions ease and many employees resume working in the office, it's worth remembering that some tried-and-tested listening techniques also pose risks. This is not the only reason why sneaking over the shoulder still poses a risk. Recently, ESET employee Jake Moore conducted an experiment to show how easy it is to hack someone's Snapchat account using a simple technique. In the high-tech version of this attack, which is carried out by eavesdropping over Wi-Fi and known as "monitoring the connection", hackers who monitor public Wi-Fi connections steal your password while you are connected to the same network. Both techniques have been used for years and continue to pose threats.

How can you protect your login information?

You can do many things to circumvent these techniques. You can add a second authentication to your password, manage your passwords more effectively, or take steps to stop the thief before the attack occurs. ESET experts summarize what you can do to protect your information:

• Only use strong and unique passwords or passcodes for all your online accounts, especially your banking, email and social media accounts
• Avoid using the same login credentials across multiple accounts or common password mistakes Switch to two-factor authentication (2FA) on all your accounts
• Use a password manager that stores strong, unique passwords for all sites and accounts, making login easy and secure
• Change your password as soon as a provider notifies you that your information has been breached · Only use HTTPS sites to log in
• Do not click on links or open attachments in unverified emails
• Download apps only from official app stores
• Invest in security software from a reputable provider for all your devices
• Make sure all operating systems and applications are up to date
• Beware of those sneaking over your shoulder in common areas
• Never log into an account if you're using public Wi-Fi, use a VPN if you need to log in

In the next ten years, it is predicted that passwords will become a thing of the past. However, alternative methods to the password still face difficulties in replacing the password. Therefore, users should take the initiative in this regard. Be careful and keep your login data safe.

Source: https://www.eset.com/tr/about/newsroom/press-releases/basin-bultenleri/bilgisayar-korsanlarinin-parolalari-calmak-icin-kullandigi-5-yoentem/