Password Security

4 Ways Hackers Can Steal Your Password

Hollywood likes to portray hackers as intelligent nerds who sit in front of computers all day. They’re usually stationed in front of a dated computer watching matrix-style code cascade down the screen. When they “hack” their targets, the scene makes a point of showing furious typing and repeated “access denied” notifications.

While it may look natural in a movie, real hackers couldn’t be more different.

Hackers are criminals that use advanced software and special techniques to gain entry into systems for data exploitation. These data breaches and cyberattacks are a lot more common than people think – 50 percent of small and midsized organizations reported suffering at least one cyberattack in the last 12 months.

Global spending on cybersecurity products and services is predicted to exceed $1 trillion over the five years from 2017 to 2021. And yet, hackers are still attacking more businesses than ever. Without proper cybersecurity measures in place, you face a very real risk of losing your data to a criminal.

Let’s look at four of the most common ways that hackers can steal your password.

1. Brute Force Attacks

This form of attack is nothing more than a trial-and-error session. Specialized programs operated by the hacker work tirelessly to guess your password, making a high number of attempts per minute. The hacker points the software at words they know matter to you. This can include your pet’s name, your birthday, the names of your loved ones, etc.

You’re probably not considering the fact that hackers can and will specifically target you. A hacker needs only a few minutes to find your online profiles, such as LinkedIn, Facebook, and Twitter. Using the information they find on these sites lets them guess more relevant passwords, giving them a better chance of accessing your data.
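The defensive counterpart to a targeted guess is a password policy that refuses passwords built from exactly the facts a profile exposes. The following is an added example, not code from the original post or from Diverge IT; the profile values, the leet-speak substitution table and the date formats checked are all assumptions made for the illustration.

```python
from datetime import date

# Constructed sample profile: the kind of facts the text says are easy to
# find on social media. Every value here is made up for the example.
SAMPLE_PROFILE = {
    "name": "Alex Rivera",
    "pet": "Fluffy",
    "birthday": date(1987, 4, 12),
    "family": ["Sam", "Jordan"],
}

# Common digit/symbol stand-ins for letters; undone before comparing so
# "F1uffy" is still recognised as the pet's name (assumed table).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def profile_tokens(profile):
    """Words a targeted guesser would try first: names, pet, birthday parts."""
    tokens = set()
    for phrase in [profile["name"], profile["pet"], *profile["family"]]:
        tokens.update(w.lower() for w in phrase.split())
    bday = profile["birthday"]
    # Full year plus MMDD and DDMM forms; two-digit fragments are skipped
    # because they would flag almost any password containing digits.
    tokens.update({str(bday.year),
                   f"{bday.month:02d}{bday.day:02d}",
                   f"{bday.day:02d}{bday.month:02d}"})
    return {t for t in tokens if len(t) >= 3}


def derived_from_profile(password, profile):
    """Return the profile tokens found inside the password (empty set = ok)."""
    lowered = password.lower()
    deleeted = lowered.translate(LEET)
    return {tok for tok in profile_tokens(profile)
            if tok in lowered or tok in deleeted}


def policy_accepts(password, profile, min_length=12):
    """Reject short passwords and anything built from the user's own profile."""
    return len(password) >= min_length and not derived_from_profile(password, profile)
```

A real deployment would extend the profile with the employer name and product names, which is the same data the "spidering" technique below relies on.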

2. Spidering

Sometimes, the hackers will skip the personal information hunt completely. They know that many people prefer to keep their work passwords related to their jobs. Therefore, they study up on corporate terminology and relevant facts about a certain company. Spidering is typically reserved for bigger companies, as they usually have more information online and are more likely to have standardized passwords.

Spidering is especially effective for gaining access to WiFi passwords. Most office routers are protected by simplistic passwords related to the business itself. Without much effort, hackers can break into the WiFi network and steal sensitive data.

3. Keyloggers

Keyloggers are a form of malware. They’re spread through infected attachments and are difficult to spot without the aid of comprehensive antivirus software. They burrow deep into your computer’s file system and wait for you to type things. As you type on your keyboard, the keylogger (living up to its name) logs every keystroke and sends it to a receiving hacker.

Upon receiving this information, the hacker will have everything they need and more. Keyloggers are especially dangerous because they completely expose all of your actions and not just your passwords. You may type sensitive information meant for only a select number of people … only to have it end up in the logs of a hacker who can use it for extortion and ransom.

4. Shoulder Surfing

It’s not as fun as it sounds. Shoulder surfing is probably the simplest way for a hacker to gain information, but it’s still surprisingly effective. As the name implies, a hacker will simply look over your shoulder as you enter passwords and other sensitive information. Shoulder surfing is more common with ATMs, credit card machines, and any other device that requires the input of a PIN.

Part of practicing proper password security is not leaving your password in plain sight. Shoulder surfing also includes hackers simply searching around your computer for any mention of passwords, which many users foolishly leave on sticky notes on their monitor or under their keyboards.

Bolster Your Password Security

We’ve listed four of the most common ways for hackers to swipe your password, but there are many more. The best way for you to avoid having your password stolen is a combination of effective network security devices and software and end-user training.

Having your employees create passwords that are complex and difficult to crack will deter hackers from even trying to break into your systems. If they do try to break in, having strong passwords in place will buy you the valuable time you need to catch them and lock them out of your infrastructure.

At Diverge IT, we’re no strangers to keeping hackers away from businesses. If you’d like to learn more about how your organization can avoid these cyber criminals through helpful security solutions, reach out to us today.


Your Go-To Guide for Identifying Phishing Attacks

To a cybercriminal, you’re nothing more than a big, juicy fish. You’re slow, you’re hungry, and they don’t expect much from you in terms of intelligence and strategy. That’s exactly why they throw their “worm” in the water and hope you gulp it down without a second thought. But you’re not the only one – the cybercriminals cast a gigantic number of lures out to try and snag anyone who is willing to take the bait.

The practice is called “phishing”, and it’s a pretty apt name for this type of cybercrime.

What phishing IS:

In short, it’s a type of cybercrime that aims to convince you to divulge information to the criminal. Instead of malicious code and software, the cybercriminal depends on deception and simple trickery to gather personal or sensitive information from the victims. From there, they gain access to critical files and data.

What phishing IS NOT:

Phishing is often confused and grouped with hacking. However, hacking requires knowledge of programs and code that exploit (or create) gaps in security infrastructure. In other words, hacking extracts information involuntarily, while phishing requires users to hand over information willingly.

Though phishing isn’t necessarily invasive, it doesn’t mean it’s conducted without effort. Phishing attempts often rely on expertly crafted emails, documents, and even websites. If it can be copied or mimicked, cybercriminals will use it to phish for information (a process known as “spoofing”).

But it doesn’t stop there. Phishing isn’t a straightforward trick that you can easily ignore. It requires constant attention, intelligence, and a basic sense of awareness. Phishing attacks have become a natural part of running a business: the total number of phishing attacks in 2016 was 1,220,523, a 65% increase over 2015.

But all hope is not lost. The multiple different types of phishing attacks have their own unique twists that you can spot if you know what to look out for.


Clone Phishing

When cybercriminals get their hands on an email, they can do a lot with it. For starters, they analyze everything – from the user-sender relationship to the tone and kind of language used in the email. With this information, they can create an almost identical email that can be nearly impossible to distinguish from the real version. The difference with the clone is that it usually claims to be a “resend” of the original email due to one reason or another.

Usually, the email that they clone will be one that contains attachments. When they resend the email, they send an infected attachment with the same filename and size. This helps them to gain a foothold within an infected machine, possibly infecting others within the same network. These can be tricky and may require assistance to confirm authenticity when you have concerns.

Website Forgery

This web-based attack is also known as a “deceptive site”. The cybercriminal goes through the process of building a site that is nearly an exact replica of the target website. When a user arrives on the site, they browse it like they would for the original site, since it contains the exact same functionalities. Often, the user won’t be able to tell that they’re on a fake site because a fake URL will be overlaid over the address bar on the site.

Once the user submits any information on the site (such as email addresses, passwords, credit card info, etc.), the criminal has won. This attempt is hard to spot and even harder to defend against. The credit giant Equifax recently fell for a website forgery attempt, and actually directed its users to the fake site by accident.


Phone Phishing

Phishing attempts don’t always find you through an email or a browser. Sometimes, the most convincing attempts actually come from phone calls. Usually, the cybercriminal will use untraceable VoIP services to conduct the calls.

The attempts usually go something like this: first, they claim to be important services, such as debt collectors, banks, and hospitals. Then, they prompt the person they called to enter information such as account numbers and PINs. When the criminal has what they want, they simply hang up and move on to their next victim. It’s helpful to remember that most important account notifications or confirmations requiring personal information will not be delivered or requested by phone, and usually not via an automated voice service.

Spear Phishing

Generally speaking, phishing targets the masses. Rather than a fishing pole, it’s more accurate to think of it as dragging a large net. It’s imprecise, and it tricks only those who don’t know what to look out for.

But spear phishing is nowhere near as clumsy and imprecise as most other types of phishing.


Spear phishing targets a specific company or group of individuals. Criminals behind this approach take their time; they gather as much information as they can before taking any action. Because of this, spear phishing attacks often take many months, and in some cases, even years. In other words, while the approach resembles other types of phishing, there is a massive amount of research behind each and every word. According to Symantec, spear phishing emails have targeted more than 400 businesses every day, draining $3 billion over the last three years.

Whaling

The most dangerous type of phishing is actually a variant of spear phishing. Whaling earns its name because it goes after the biggest targets in a business – the executives. The content of whaling attempts typically deals with executive-level issues while carrying itself as an important email. Often, they disguise themselves as legal subpoenas, customer complaints, or as fellow executives needing important information.

Once the executive of the company falls for the scam, the company can suffer greatly and even shut down completely.

So What Can You Do?

There are no two ways about it – phishing schemes are tricky cyberattacks to deal with. The number-one defense mechanism against them doesn’t come in a pre-packaged box, and isn’t sold in stores.


The best defense is user awareness and proper security training.

Diverge IT can help you attain and maintain proper security awareness. We’ve been protecting businesses since 1999 from hackers and all kinds of malicious cyberattacks. If you’d like to learn more about what we can do, reach out to us today.


Breaking Down a Phishing Attack

Dearest Reader,

You’ve caught me at a very critical moment. It is in both of our best wishes for me to extend a lucrative business opportunity forward to you. My name is Prince Obviouso Phishingscamman. My father, King Blantanto Phishingscamman has tucked away his massive fortune of over $15 million. Unfortunately, the wicked Fakemenistan regime has locked him away for good, with bail set at $3 million.

However, with your help, I can exploit a loophole where I can send money overseas to you. I received your email address from a very reliable source so I know you can be trusted. Once my father is free from his prison, I will send the remaining $12 million to your bank account as a show of good faith. All I require is for you to open an bank account within our borders. It will require a small fee of $500 and some information of yours.

Please make the haste. I am looking forward to working with you in the near future.

The most regards,

Prince Obviouso Phishingscamman

What Just Happened?

If you’ve been around for more than 20 years, you’ll probably recognize the format of the “email” above as the classic Nigerian prince email scam. While it seems far-fetched, many people fall for this kind of email all the time. It’s known as a phishing email, aptly named because it tries to “phish” for information by getting you to spill the beans willingly. In fact, 91% of cyberattacks and resulting data breaches begin with a phishing email.

Let’s take a look at some of the signs that shouted “phishing scam” in the email above.

1st Sign: Your Email

“I received your email address from a very reliable source so I know you can be trusted.”

The chance of someone stumbling across your email is low. The chance of them getting your email from a faraway foreign land where you have no ties? Even lower. These cybercriminals typically use sophisticated tools to harvest email addresses from the internet. They also purchase lists that contain many thousands of email addresses. Once they’re ready with the email, they send it out to everyone they can.

2nd Sign: The Spelling

“All I require is for you to open an bank account.”

It’s not a rule set in stone, but emails from phishers often come filled with typos. The sentence structure is sometimes fragmented, and they don’t always get their point across clearly. This particular email wasn’t really poorly written (aside from the occasional and purposeful spelling mistake here and there), but some phishing scams can be absolutely flawless.

3rd Sign: The Catch

“It will require a small fee of $500 and some information of yours.”

As with any scam, there’s a catch. Phishing emails will always require more information from you. In this case, the scammer asked for money and information, which happens often. Sometimes, the criminal is more patient; they don’t ask for anything on the first email or so, but if you respond to them and keep the conversation going… things begin to get dicey. They build a huge backstory, complete with numbers that you can call and businesses that you can look up.

In other words, the longer the communication goes on, the harder it is to break away from it.
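The three signs above (a third party supposedly supplied your address, spelling slips, and a catch asking for money or information) can be turned into simple triage rules for a mail filter or a training exercise. The following is an added example written for this article, not code from the original post or from Diverge IT; the sample messages are constructed, the grammar check is deliberately crude (it only catches "an" before a consonant, as in the email above), and the risk thresholds are assumptions.

```python
import re

# Constructed sample that paraphrases the "Prince" email above; not a real message.
SAMPLE_EMAIL = (
    "Dearest Reader, You've caught me at a very critical moment. My father has "
    "tucked away his fortune of over $15 million. I received your email address "
    "from a very reliable source so I know you can be trusted. All I require is "
    "for you to open an bank account within our borders. It will require a small "
    "fee of $500 and some information of yours. Please make the haste."
)

# Constructed benign internal message used as a control.
BENIGN_EMAIL = (
    "Hi team, the Q3 deck is attached. Please review it before Thursday's "
    "meeting. Thanks, Dana"
)

# Each sign from the article as a regex; keys are the names reported to the reader.
SIGNS = {
    "address obtained from a third party":
        re.compile(r"\b(received|got|obtained) your (e-?mail|address|contact)", re.I),
    "grammar slip (\"an\" before a consonant)":
        re.compile(r"\ban [bcdfgjklmnpqrstvwxyz]", re.I),
    "asks for money up front":
        re.compile(r"\b(fee|payment|deposit|charge)\b.{0,40}\$\s?\d", re.I | re.S),
    "asks for personal information":
        re.compile(r"(information|details) of yours|your (bank|account|personal) "
                   r"(details|information|number)", re.I),
    "pressure to act quickly":
        re.compile(r"\b(haste|urgent(ly)?|immediately|critical moment|right away)\b", re.I),
    "promise of a large sum":
        re.compile(r"\$\s?\d[\d,]*(\.\d+)?\s?(million|billion)", re.I),
}


def phishing_signs(text):
    """Return the names of every sign that fires on the message body."""
    return [name for name, pattern in SIGNS.items() if pattern.search(text)]


def risk_level(text, medium_at=1, high_at=3):
    """Map the sign count to a coarse label (thresholds are assumptions)."""
    hits = len(phishing_signs(text))
    if hits >= high_at:
        return "high"
    return "medium" if hits >= medium_at else "low"
```

The point of a rule set like this is not to replace user training but to give trainees concrete, checkable reasons why a message looks wrong.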

Defending Against Phishing Scams through Employee Training

So what is the best way to defend against these emails? Time and time again, studies have shown that employee training is the way to go. When employees know what to look out for, they can identify and flag the phishing attempts without putting your company at risk of a breach.

You should train your employees by showing them real examples of phishing attacks. Some companies go as far as to employ people to run a “friendly” phishing attack on their business to see who falls for it.

If you’d like to learn more about how we can help increase your employees’ security awareness, reach out to us today. Our comprehensive network security plans will ensure that both your company and your employees alike stay protected against any cyberattack that comes your way.