Five techniques cybercriminals use to steal your passwords

The password is often the only thing standing between cybercriminals and the user’s personal and financial data, which is why they are currently one of the main targets of their criminal practices.

These keys are the Achilles’ heel of many people’s digital lives, especially since the average user today must remember a hundred access credentials, and the number has only increased in recent years.

Cybersecurity firm ESET has compiled the five most common techniques used by cybercriminals to obtain passwords for people to access their accounts.

Phishing and social engineering

The most commonly used attack technique takes advantage of the human tendency to make wrong decisions, especially when they make a decision in a hurry. Cybercriminals are taking advantage of these vulnerabilities through social engineering, a psychological fraud trick designed to get people to do something they shouldn’t.

Phishing is one of the most famous examples. In this case, the criminals pretend to be legitimate entities, such as friends, family, businesses the user has dealt with, etc.

These emails or texts will appear genuine, but include a malicious link or attachment that, if clicked, will download “malware” or take you to a page that provides personal data.

Malware

Another common way to get passwords is through “malware” or malware. Phishing emails are a primary means of this type of attack, although you can also fall victim to clicking on a malicious advertisement (“malicious advertisement”), or even visiting a hacked website (“by downloading”).

As ESET explained, “malware” can hide in a seemingly legitimate mobile app, which is often found in third-party app stores.

There are several types of information-stealing “malware”, but some are designed to record keys a user presses on a keyboard or to capture device screenshots and send them to attackers.

brute force

It is estimated that the average number of passwords a person has to manage increased by 25 percent year-on-year in 2020. Many people use easy-to-remember passwords and reuse them across multiple sites, but this may open the door for that- called techniques Massive force.

Credential checking is one of the most common attacks. In this case, the attackers inject large amounts of combinations of previously stolen usernames and passwords into automated “programs”.

The tool then tests them across a large number of sites, hoping to find a match. This way, criminals can open multiple accounts with one password.

By one estimate, there were 193 billion attempted attacks of this type around the world last year. One of the most notable victims of late has been the Canadian government.

Another brute force technique is random password testing. In this case, hackers use automated “programs” to test a list of commonly used passwords against an account.

puzzles

Although cybercriminals have automated tools to enforce password deduction, sometimes they are not necessary: ​​even simple guesswork – unlike the more systematic approach used in brute force attacks – can achieve the goal.

The most common password of 2020 was “123456”, followed by “123456789”. In fourth place comes the password and the password in English.

to look over the shoulder

Although there are many ways to steal the password by default, it is worth noting that there are still ways to find out the password in the physical world that pose a risk.

This is the case of what is known in English as “shoulder surfing”, which is simply called “looking over the shoulder” in Spanish. Not only does this affect the credit card PIN, ESET has conducted experiments that show how easy it is to guess a Snapchat password using this system.

protection measures

To help protect Internet users, ESET has shared a series of recommendations so users don’t end up suffering from having their passwords stolen.

Some of these tips are recurring, such as using only strong and unique passwords or phrases across all accounts, especially bank, email, and social media accounts. This includes avoiding credential reuse.

Another recommendation is to enable two-factor authentication (2FA) or use a password manager, which will store strong, unique passwords for each site and account. It is also important to change your password immediately if the service provider reports data theft.

Users should be aware of HTTPS websites and only use them to log in, don’t click or open attachments in unsolicited emails, and download apps only from official stores.

It is also recommended to use cyber security “software”, always use updated operating systems and applications, be careful with potential “intruders” in public places and never connect to accounts from public WiFi networks, VPN tools are recommended.