Since passwords are often the only barrier between cybercriminals and personal and financial data, criminals aim to steal or crack these logins. The average person has 100 login credentials to remember, and that number has been rising in recent years. So it’s no surprise that many people take shortcuts, with security compromised as a result.
ESET, a leading proactive threat detection company, advises on the 5 most common ways cybercriminals steal passwords, so you can be better prepared to minimize the risk of becoming a victim and protect your online accounts.
Passwords are the virtual keys to the digital world as they provide access to online banking, email and social networking services, accounts like Netflix or Uber, and all data stored in cloud storage. By obtaining login information, cybercriminals can:
- Steal personally identifiable information and sell it to other criminals on forums.
- Sell access to the account itself. Criminal dark web sites quickly market these logins. Buyers can use the access to get everything from free taxi rides and streaming video to discounted travel booked with accounts holding accumulated airline miles.
- Use the password to unlock your other accounts that share the same password.
ESET warns of the 5 most common password-stealing techniques used by cybercriminals:
1. Phishing and social engineering: Social engineering is a psychological technique designed to convince someone to do something they shouldn’t, and phishing is the best known form of social engineering. In these attacks, cybercriminals impersonate legitimate entities such as friends, family, public organizations, and well-known companies. Victims receive emails or texts that look genuine but contain malicious links or attachments that, if clicked, download malware or lead to a page that asks for personal data. Fortunately, there are many ways to spot the warning signs of a phishing attack. Scammers even use phone calls to get login and other personal information directly from victims, often posing as tech support engineers. This is called vishing (voice-based phishing).
2. Malware: Another popular way to obtain passwords is through malicious software. Phishing emails are the main vector for this type of attack, but you can also fall victim to malware by clicking on malicious advertisements (malvertising) or even by visiting a previously infected website (drive-by download). As ESET researcher Lukas Stefanko has demonstrated several times, malware can even hide in seemingly legitimate mobile apps, which are often found in third-party app stores.
There are various types of information-stealing malware, but some of the most common are designed to record keystrokes or take screenshots of the device and send them to the attacker. Keyloggers are the best-known example.
3. Brute force cracking: For 2020, the average number of passwords a person has to manage was estimated to have grown 25% year-over-year. This leads most people to use passwords that are easy to remember (and guess) and to make the mistake of using the same password to access multiple sites and services. What is often overlooked, however, is that weak passwords open the door to so-called brute-force password-cracking techniques.
One of the most common types of brute force attack is credential stuffing. In this case, the attacker loads a large number of previously compromised username/password combinations into automated software. The tool then tests the credentials against a large number of sites, hoping to find a match. In this way, cybercriminals can unlock multiple accounts with one password. According to one estimate, there were approximately 193 trillion such attempts worldwide last year. In recent days, the Canadian government has fallen victim to this kind of attack. Another brute force technique is password spraying. In this case, criminals use automated software to test a list of commonly used passwords against many accounts.
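From the defender’s side, both credential stuffing and password spraying leave the same footprint in a login log: one source cycling through many different accounts with only one or two attempts each, so per-account lockout never fires. The following is an added example (not code from ESET or the article) that flags that pattern over a few constructed log lines and lists the accounts where a flagged source actually got in; the log format is an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, result, user, source IP.
SAMPLE_LOG = """\
2022-01-11T10:00:01 FAIL user=alice src=203.0.113.7
2022-01-11T10:00:02 FAIL user=bob src=203.0.113.7
2022-01-11T10:00:03 FAIL user=carol src=203.0.113.7
2022-01-11T10:00:04 FAIL user=dave src=203.0.113.7
2022-01-11T10:00:05 OK user=erin src=203.0.113.7
2022-01-11T10:00:06 FAIL user=frank src=203.0.113.7
2022-01-11T10:05:00 FAIL user=alice src=198.51.100.9
2022-01-11T10:05:30 FAIL user=alice src=198.51.100.9
2022-01-11T10:06:00 OK user=alice src=198.51.100.9
"""

def parse_line(line):
    ts, result, user, src = line.split()
    return (datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1])

def find_spray_sources(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: sorted distinct usernames} for every source that tried at
    least `min_users` different accounts inside any `window`-long period.
    Successful logins are counted too: a hit in the middle of a spray is still
    part of the spray. A user mistyping their own password (one account, a few
    failures, then success) never reaches the threshold."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    by_src = defaultdict(list)
    for ts, _result, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged

def accounts_to_reset(log_text, **kwargs):
    """Accounts that authenticated successfully from a flagged source, i.e. the
    credential pairs on the attacker's list that matched and need a reset."""
    flagged = find_spray_sources(log_text, **kwargs)
    hits = defaultdict(set)
    for _ts, result, user, src in (parse_line(ln) for ln in log_text.splitlines() if ln.strip()):
        if src in flagged and result == "OK":
            hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}
```

Stuffing campaigns are often spread across many source addresses to stay under a per-IP threshold, so in practice the same count is also worth keeping per network range or per user-agent.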
4. Guessing: While cybercriminals have automated tools to perform brute force attacks and crack passwords, sometimes they don’t even need them: unlike the systematic methods used in brute force attacks, even a simple guess can get the job done. The most common password in 2021 was “123456”, followed by “123456789”. And if the same password, or a similar derivative of it, is reused across multiple accounts, the attacker gains a foothold more easily, raising additional risks of identity theft and fraud.
5. Shoulder surfing: It’s worth remembering that some old-fashioned eavesdropping techniques still carry risk, and snooping over users’ shoulders in public is not the only way. A more technical version, known as a “man-in-the-middle” attack, involves Wi-Fi eavesdropping: on a public Wi-Fi network, an attacker connected to the same network can snoop on the password you enter.
There are many ways to thwart these techniques, whether it’s adding a second form of authentication, managing passwords more effectively, or taking steps to stop theft in the first place. ESET provides the following tips to protect login credentials:
- Activate two-factor authentication (2FA) on all accounts
- Use only strong and unique passwords or passphrases for all online accounts, especially banking, email, and social media accounts
- Avoid reusing your login credentials across multiple accounts and making other common password mistakes
- Use a password manager, which stores strong, unique passwords for each site and account, making logging in simple and secure
- If the provider warns that data may have been compromised, change your password immediately
- Log in only on HTTPS sites
- Do not click on links or open attachments in unsolicited emails.
- Only download apps from official app stores.
- Invest in security software from a reputable vendor for all your devices
- Make sure all operating systems and applications are updated to the latest versions
- Beware of prying eyes over your shoulder in public places
- Do not log in to your account if you are connected to a public Wi-Fi network. If you must use this type of network, it is recommended to use a VPN
“Password extinction has been predicted for over a decade. However, alternatives have often found it difficult to replace passwords themselves, meaning users will have to do it themselves. Staying vigilant and keeping your login credentials safe is the first step in protecting personal information,” says Camilo Gutierrez Amaya, head of ESET’s Latin America Research Lab.
Learn more about computer security in the ESET news portal: https://www.welivesecurity.com/la-es/2022/01/11/formas-cibercriminales-roban-contrasenas/
ESET invites you to discover Conexión Segura, its podcast to understand what is happening in the field of computer security. To listen to it, visit: https://open.spotify.com/show/0Q32tisjNy7eCYwUNHphcw