From social engineering to looking over your shoulder, here are some of the most common tricks used to steal passwords.
The concept of a password has been around for centuries, and passwords were introduced to computing long before most of us can remember. One reason they have endured is that people instinctively understand how they work. But there is a problem: passwords are the Achilles heel of many people's digital lives, especially in an age when the average person has around 100 login credentials to remember, a number that has only kept growing in recent years. It is no surprise, then, that people cut corners, and their security suffers as a result.
Since a password is often the only thing standing between a cybercriminal and your personal and financial data, criminals are eager to steal or crack these logins. That is exactly why we should put at least as much effort into protecting our online accounts.
Passwords are the virtual keys to your digital world, providing access to online banking, email and social media, accounts like Netflix or Uber, as well as all data stored in cloud storage. By obtaining your logins, a cybercriminal could:
Learn which techniques cybercriminals use most to steal passwords, so you are better prepared to minimize the risk of becoming a victim:
Humans are fallible and suggestible creatures, and we are prone to making the wrong decision when we rush. Cybercriminals exploit these weaknesses through social engineering: psychological manipulation designed to convince us to do something we shouldn't. Phishing is the best-known form of social engineering. In these attacks, cybercriminals impersonate legitimate entities such as friends, family members, public bodies and well-known companies. The email or text you receive will look authentic, but will include a malicious link or attachment that, if clicked, downloads malware or takes you to a page that asks you to enter personal data.
Fortunately, there are many ways to spot the warning signs of a phishing attack, as we explain here. Scammers even use phone calls to obtain logins and other personal information directly from their victims, often posing as technical support engineers. This is known as vishing (voice phishing).
Another popular way of obtaining passwords is through malware. Phishing emails are the main vector for this type of attack, but you can also fall victim to malware by clicking on a malicious ad (malvertising) or simply by visiting a previously compromised website (drive-by download). As ESET researcher Lukas Stefanko has shown many times, malware can even hide in a legitimate-looking mobile app, often found in third-party app stores.
There are many varieties of information-stealing malware, but some of the most common are designed to record your keystrokes or take screenshots of your device and send them to the attackers. Keyloggers are the classic example.
The average number of passwords a person has to manage increased by an estimated 25% year-on-year in 2020. As a result, most people are inclined to use easy-to-remember (and easy-to-guess) passwords, and make the mistake of reusing the same passwords across multiple sites and services. What is often overlooked is that weak and reused passwords open the door to so-called brute force attacks, in which automated tools try logins at scale. One of the most common of these is credential stuffing.
Here, attackers feed large volumes of previously leaked username/password combinations into automated software, which then tests those credentials against a large number of sites in the hope of finding a match. In this way, cybercriminals can unlock several of your accounts with a single reused password.
Last year there were approximately 193 billion such attempts worldwide, according to one estimate. Recently, the Canadian government was a notable victim of this kind of attack.
https://twitter.com/digitalcdn/status/1294670901011722240
Another brute force technique is password spraying. Here, criminals use automated software to try a short list of commonly used passwords against a large number of accounts, typically only once or twice per account, so that no single account trips a lockout threshold.
Recommended reading: Most brute force attacks aim to crack short passwords
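The three attack shapes described above (brute force against one account, password spraying across many accounts from one source, and credential stuffing that replays breach dumps through many low-volume sources) leave different footprints in authentication logs. The following is an added example, not code from the original article or from ESET: it parses a simplified, constructed log format ("<timestamp> user=<name> src=<ip> result=OK|FAIL"), so the parser is the part to swap out for real web-app, IdP or sshd logs, and the thresholds are illustrative starting points rather than tuned production values. The sample log is constructed inline.

```python
"""Telling brute force, password spraying and credential stuffing apart in
authentication logs.

Added example, not code from the original article.  It assumes a simplified,
constructed log format ("<timestamp> user=<name> src=<ip> result=OK|FAIL");
real web-app, IdP or sshd logs differ, so the parser is the part to swap out.
The thresholds are illustrative starting points, not tuned production values.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: str
    user: str
    src: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed key=value log lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, rest = line.split(" ", 1)
        kv = dict(tok.split("=", 1) for tok in rest.split())
        events.append(Event(ts, kv["user"], kv["src"], kv["result"] == "OK"))
    return events


def classify(events, min_users=5, min_failures=10):
    """Return findings as (kind, subject, count) tuples.

    brute_force         many failures against ONE account, from any sources
    password_spraying   ONE source, many accounts, one or two tries each
                        (keeps each account under its lockout threshold)
    credential_stuffing many accounts, each tried once or twice from its own
                        low-volume source (proxies/botnet replaying dumps)
    """
    fails = [e for e in events if not e.ok]
    findings = []

    fails_per_user = Counter(e.user for e in fails)
    for user, n in fails_per_user.items():
        if n >= min_failures:
            findings.append(("brute_force", user, n))

    users_by_src = defaultdict(set)
    fails_by_src = Counter()
    for e in fails:
        users_by_src[e.src].add(e.user)
        fails_by_src[e.src] += 1
    for src, users in users_by_src.items():
        if len(users) >= min_users and fails_by_src[src] / len(users) <= 2:
            findings.append(("password_spraying", src, len(users)))

    # Distributed low-and-slow pattern: each source touches at most two
    # accounts with at most two failures, yet together they cover many.
    quiet = {s for s in users_by_src
             if len(users_by_src[s]) <= 2 and fails_by_src[s] <= 2}
    stuffed_users = {e.user for e in fails if e.src in quiet}
    if len(quiet) >= min_users and len(stuffed_users) >= min_users:
        # Stuffing differs from spraying in that some replayed pairs work.
        hits = sum(1 for e in events if e.ok and e.src in quiet)
        findings.append(("credential_stuffing",
                         f"{len(quiet)} sources, {hits} successful login(s)",
                         len(stuffed_users)))
    return findings


def build_sample_log() -> str:
    """Constructed sample log mixing all three patterns plus normal traffic."""
    lines = []
    t = [0]

    def add(user, src, result):
        t[0] += 1
        lines.append(f"2024-01-15T10:{t[0] // 60:02d}:{t[0] % 60:02d}Z "
                     f"user={user} src={src} result={result}")

    add("alice", "198.51.100.20", "OK")                 # legitimate login
    for _ in range(12):                                 # brute force on bob
        add("bob", "198.51.100.7", "FAIL")
    for u in ("carol", "dave", "erin", "frank", "grace", "heidi"):
        add(u, "203.0.113.50", "FAIL")                  # spraying, one IP
    stuffed = ("ivan", "judy", "mallory", "oscar", "peggy", "trent", "victor", "walter")
    for i, u in enumerate(stuffed):                     # stuffing, one IP each
        add(u, f"192.0.2.{i + 1}", "FAIL")
    add("zoe", "192.0.2.8", "OK")                       # a reused password that worked
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in classify(parse_log(build_sample_log())):
        print(finding)
```

The per-account counter alone would miss both spraying and stuffing, which is the point: a lockout policy on failed attempts per account stops brute force but not the other two, so detection has to pivot on the source and on the spread of accounts touched.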
Although cybercriminals have automated tools to brute-force and crack passwords, sometimes they don't even need them: simple guesswork, as opposed to the systematic approach of a brute force attack, can get the job done. The most common password in 2021 was “123456”, followed by “123456789”.
And if you're like most people and recycle the same password or use a close derivative of it to access multiple accounts, then you're making things even easier for attackers, putting yourself at additional risk of identity theft and fraud.
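Guessing works because attackers try the common passwords first, along with the obvious manglings of them ("Password1!", "P@ssw0rd"), and reuse works because a "close derivative" is the same password to a wordlist. Below is an added example, not code from the original article or from ESET, of the two checks a sign-up or password-change form can apply: a deny-list lookup that normalizes away leet substitutions and trailing counters, and a derivative check between the old and new password. The COMMON set is a tiny constructed excerpt (a real deployment would use a breach-derived list of millions of entries), and the derivative check assumes the old password is available in clear at change time.

```python
"""Deny-listing the guesses attackers try first, and catching "close
derivatives" of an old password at change time.

Added example, not code from the original article.  COMMON is a tiny
constructed excerpt; a real deployment would check against a breach-derived
list (or a k-anonymity range lookup service) with millions of entries.
"""
import re

# Tiny constructed excerpt of a common-password list.
COMMON = {"123456", "123456789", "password", "qwerty", "letmein",
          "welcome", "iloveyou", "admin", "monkey", "dragon"}

# Undo the substitutions people use to satisfy complexity rules.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
TRAILING = re.compile(r"[\d\W_]+$")   # "2024", "!", "123!" appended at the end


def candidates(pw: str) -> set:
    """Forms under which a wordlist attack would match `pw`.

    Trailing digits/symbols are stripped BEFORE un-leeting so that the
    "1" in "P@ssw0rd1!" is treated as a counter, not as a letter.
    """
    base = pw.lower()
    stripped = TRAILING.sub("", base)
    forms = {base, stripped, base.translate(LEET), stripped.translate(LEET)}
    return {f for f in forms if f}


def is_weak(pw: str, denylist=COMMON) -> bool:
    """True if the password, or an obvious mangling of it, is on the list."""
    return bool(candidates(pw) & denylist)


def is_derivative(old: str, new: str) -> bool:
    """True when `new` is a trivial transform of `old`: case change, bumped
    trailing counter, leet substitution, reversal, or one contained in the
    other.

    Only usable at password-change time, when the user has just supplied the
    old password in clear; stored hashes cannot be compared this way.
    """
    a = candidates(old)
    b = candidates(new)
    b |= {f[::-1] for f in b}
    if a & b:
        return True
    return any(len(x) >= 4 and (x in y or y in x) for x in a for y in b)


if __name__ == "__main__":
    for pw in ("123456", "P@ssw0rd1!", "Welcome2024", "T9v#kq2Lm!pz"):
        print(f"{pw!r}: weak={is_weak(pw)}")
    print(is_derivative("Summer2023!", "Summer2024!"))
```

Both checks are deliberately one-sided: they reject what is cheap for an attacker to guess, and say nothing about whether a password that passes is actually strong, which is why they belong alongside a length requirement and a second factor rather than in place of them.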
All of the password-compromising techniques we've explored so far have been virtual. However, it's worth remembering that some tried-and-tested physical eavesdropping techniques also pose a risk. Shoulder surfing, prying eyes watching a user type, remains a threat, and ESET specialist Jake Moore recently conducted an experiment demonstrating how easy it is to compromise someone's Snapchat account using this simple technique.
A more high-tech version, known as a “man-in-the-middle” attack involving Wi-Fi eavesdropping, allows an attacker on the same public Wi-Fi network to capture your password as you enter it. This works when the connection to the site is unencrypted (plain HTTP), or when the attacker can lure you onto a rogue hotspot or a look-alike login page; a properly established HTTPS connection protects the password in transit. Both techniques have been around for years, but that doesn't mean they're no longer a threat.
There are many things you can do to block these techniques, whether it's adding a second form of authentication, managing your passwords more effectively, or taking steps to stop theft in the first place. Consider the following options:
The demise of the password has been predicted for over a decade. However, the alternatives have had a hard time replacing it, meaning users will have to take matters into their own hands for now. Stay vigilant and take care of the security of your login credentials.
Phil Muncaster