WhatsApp vs Telegram: Which messaging app should I use?

Popular instant messaging platform, WhatsApp, lost the trust of many dedicated users when it made what appeared to be sweeping changes to its privacy policy earlier in the year.

It seemed as though agreeing to the updates would mean WhatsApp could share users’ private messages with Facebook, its parent company.

However, this was a misunderstanding and the changes actually referred to chats with businesses, which don’t get the same level of privacy as chats with friends and family. Nevertheless, you may still want to know whether WhatsApp is safe to use or not.

If you’re wondering if other apps such as Telegram are a better option, we’ll explain what you need to know about both Telegram and WhatsApp’s encryption and data collection processes.

Is Telegram more secure than WhatsApp?

Telegram, owned by Russian-born Pavel Durov, is just as popular as WhatsApp with around 500 million users. 

Durov hasn’t been shy about down-playing the security of WhatsApp and other rivals, even claiming WhatsApp is dangerous to use and that Telegram offers better privacy for its users.

However, what most people don’t realise is that, unlike WhatsApp, Telegram only provides end-to-end encryption for two-person ‘Secret Chats.’ By default, messages don’t benefit from that level of security, which means you could assume they’re private when in reality, there’s a possibility someone could see them.

That’s because they’re only encrypted (meaning your messages are turned into gibberish to anyone trying to read them) between the user’s device and Telegram’s servers. But they’re not encrypted on those servers. The risk of someone hacking those servers and reading your messages is low, but it’s there.

WhatsApp, on the other hand, offers end-to-end encryption for chats between two people as well as group chats and, now, chat backups as well.

Encryption isn’t the only thing you should think about, though. 

There’s also the data that each app collects and stores about you, personally.

Telegram has made it clear in its privacy policy that it collects less than WhatsApp, and stores details like your IP address, devices and the history of your username changes for up to 12 months.

WhatsApp, by comparison, collects a lot more metadata, which includes personal information such as your location, phone number and device ID. Unless you opt out, this type of information is automatically shared with Facebook.

However, the contents of messages and voice or video calls are fully encrypted. In one of WhatsApp’s FAQs it states that “…we will always protect personal conversations with end-to-end encryption, so that neither WhatsApp nor Facebook can see these private messages.”

Should I switch from WhatsApp to Telegram?

So, you now know that WhatsApp is – overall – a more secure option for sending messages, photos and videos than Telegram, especially if you chat in groups a lot. It also gives you the same end-to-end encryption for voice and video calls.

The only reasons you might still be considering leaving WhatsApp behind are that you still don’t trust it, or that you dislike the amount of data collection outside of those encrypted messages. That, plus the fact that Telegram doesn’t limit you to using it on a single phone like WhatsApp does (though you can now use WhatsApp on up to four companion devices).

Of course, it’s worth bearing in mind that although Telegram is just as popular in terms of users, those might not be the same people you see on WhatsApp, and so if you do switch, you may need to persuade your friends and family to install Telegram as well.

There are a few reasons to ditch WhatsApp for Telegram, but for us, WhatsApp remains the messaging app to use because of that system-wide end-to-end encryption. If the data collection and sharing with Facebook bothers you, don’t forget Telegram isn’t the only alternative. Signal is another option that offers end-to-end encryption by default and it’s open source, too.

Email Security Practices

Emails continue to be one of the most exploitable attack vectors criminals use to target companies. A single employee opening a malicious link in an email is enough to enable a hacker to bypass all cyber defenses, which is why preventing email-based threats should be a top priority.

Use Strong Email Passwords

The easier the password is to guess, the more likely it is that someone will breach the email account.

Even if you do not rely on a password like “123456” or “password123” (which, unfortunately, too many people do), hackers have access to top-tier brute force attack tools that can crack even moderately complex passwords. For example, a password like “Pa$$word2211991” may look secure, but a high-end tool could crack that password in under a minute.

Each staff member in your company should have a solid and unique password for their email account to prevent brute force attacks (or someone simply guessing the password). A reliable password should:

  • Have at least 12 characters.
  • Rely on a mix of upper and lowercase letters, numbers, and special symbols.
  • Be random and unique.
  • Not include common phrases.
  • Not contain any personal info (names of family members or pets, companies, places of birth, birthdays, or any other info a hacker can discover by googling your name or spying on social media).

Prepare for Phishing Emails

A phishing email attempts to trick one of the employees into either providing helpful info or clicking on a malicious link. An attacker typically uses phishing to scam the target into:

  • Downloading malware.
  • Providing sensitive data (typically login details).

Phishing tactics are among the most common social engineering methods criminals use to exploit emails. Some of the standard strategies include:

  • Pretending to be a service provider and asking the target to “log in” via a link that leads to a fake website.
  • Impersonating a superior and asking for sensitive data.
  • Pretending to be a part of the security team and asking the victim to “update” one of their passwords.
  • Sending an email with a malicious file that has a hidden program.

Unfortunately, there is no way to stop phishing emails. Your employees are bound to receive one from time to time, which is why educating the workforce is the primary way to protect your company.

The golden rule of preventing phishing is to not respond to, click links, or open attachments in emails that look suspicious. Employees should use common sense before interacting with an email and must be able to:

  • Recognize suspicious files and links.
  • Assess the reasoning behind the request within the message.
  • Inspect the sender’s address.
  • Assess the general state of an email (grammar, business context, the tone of voice, the lack of an email signature, etc.).

Use 2FA to Verify Email Logins

Two-factor authentication (2FA) requires an employee to provide an additional credential besides typing in a username and password. Another verification factor adds an extra layer of defense and is a vital counter to brute-force attacks and password cracking.

Besides providing a username and password, 2FA requires the employee to provide one (or more) of the following:

  • A unique item (token, card, etc.).
  • A PIN received via SMS, email, voice call, or a time-based one-time password (TOTP) app.
  • Biometric data (eye, fingerprint, face, or voice scans).
  • A barcode generated on a mobile device.
  • A prompt on a mobile phone that confirms the user is currently trying to log in.

Even if an attacker steals the email credentials of one of your employees, the use of 2FA will prevent the intruder from logging in to the email account.

Luckily, deploying 2FA is not as technical as it sounds. Most email platforms offer two-factor authentication by default, so there is no reason not to use 2FA to protect your company’s inboxes.

Train Employees on How to Handle Email Attachments

Attackers typically use email attachments to hide executable files or programs that inject malware into the system. Before opening an attachment, educate your employees to ask themselves the following questions:

  • Is the sender someone within my organization or someone I can trust?
  • Is the format right for this type of attachment (look out for .exe (executable program), .jar (Java application program) and .msi (Windows Installer))?
  • Does the email itself mention anything about an attachment?
  • Am I expecting this email attachment?
  • Is the sender’s address legit?
  • Is the person behind the attachment sending you emails regularly?

If there is even the slightest doubt, the employee should not open the attachment. Instead, they should first confirm the content with the sender to make sure that the email is real.
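
The checklist above, applied mechanically to one message the way a mail gateway or triage script might; this is an added example, not part of the original article. The internal domain `corp.example`, the sample message and the function names are constructed assumptions.

```python
import os
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXTENSIONS = {".exe", ".jar", ".msi"}   # the formats the checklist names
INTERNAL_DOMAIN = "corp.example"              # assumption: your organization's mail domain


def build_sample() -> EmailMessage:
    """Constructed sample message: external lookalike sender, executable attachment."""
    msg = EmailMessage()
    msg["From"] = "Accounts <billing@c0rp.example>"
    msg["To"] = "staff@corp.example"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please settle the balance today.")
    msg.add_attachment(b"constructed placeholder bytes",
                       maintype="application", subtype="octet-stream",
                       filename="invoice.pdf.exe")
    return msg


def triage_attachments(msg: EmailMessage) -> list:
    """Return the checklist items this message fails, in checklist order."""
    findings = []

    # Is the sender someone within my organization?
    sender = parseaddr(msg.get("From", ""))[1]
    domain = sender.rpartition("@")[2].lower()
    if domain != INTERNAL_DOMAIN:
        findings.append(f"external sender domain: {domain}")

    # Does the email itself mention anything about an attachment?
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    attachments = list(msg.iter_attachments())
    if attachments and "attach" not in text:
        findings.append("body never mentions an attachment")

    # Is the format right for this type of attachment?
    for part in attachments:
        name = (part.get_filename() or "").lower()
        stem, ext = os.path.splitext(name)
        if ext in RISKY_EXTENSIONS:
            findings.append(f"executable attachment: {name}")
            # "invoice.pdf.exe" shows as "invoice.pdf" when extensions are hidden.
            if os.path.splitext(stem)[1]:
                findings.append(f"double extension: {name}")
    return findings


if __name__ == "__main__":
    for finding in triage_attachments(build_sample()):
        print(finding)
```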

Ensure Employees Never Access Emails from Public Wi-Fi

If you allow employees to take office devices home or open work emails from personal devices, you must ensure workers do not access emails on public Wi-Fi.

A cybercriminal only needs basic skills to discover data passing through publicly accessible Wi-Fi, so both sensitive data and login credentials are at risk.

Employees should only access their email when they are confident in network security. A much safer option (although not as secure as opening emails only when using office Wi-Fi) is to use mobile internet or internet dongles for out-of-office use.

Have Periodic Password Changes

One of the simplest (and most effective) email security best practices is to ensure employees change their passwords regularly. You should:

  • Ensure each worker has a new email password every 2 to 4 months.
  • Use devices to force password changes instead of leaving it up to employees to update credentials.
  • Prevent employees from adding one or two characters to the current password to create a new one.
  • Prevent workers from using passwords they already had in the past.

Of course, each new password should follow the standard rules for strong passphrases (mix of lower and upper cases, numbers, symbols, etc.).
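
The rotation rules in this section and the strength rules under "Use Strong Email Passwords" can be enforced when a password is changed; the following is an added example, not code from the original article. The function names, the common-phrase list, the PBKDF2 settings and the reading of "one or two characters" as a changed span of at most 2 are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import string

MIN_LENGTH = 12            # "at least 12 characters"
MAX_SMALL_CHANGE = 2       # assumption: "one or two characters" = changed span <= 2
COMMON_PHRASES = ("password", "123456", "qwerty", "letmein")  # constructed sample list
PBKDF2_ROUNDS = 100_000    # assumption: tune for your hardware


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) so the history never holds plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def changed_span(a: str, b: str) -> int:
    """Length of the differing middle once the shared prefix and suffix are removed."""
    shortest = min(len(a), len(b))
    p = 0
    while p < shortest and a[p] == b[p]:
        p += 1
    s = 0
    while s < shortest - p and a[-1 - s] == b[-1 - s]:
        s += 1
    return max(len(a), len(b)) - p - s


def leet_normalize(password: str) -> str:
    """Undo common substitutions so 'Pa$$word' is recognised as 'password'."""
    return password.lower().translate(str.maketrans("$@01!3", "saoiie"))


def check_new_password(new: str, current: str, history, personal_terms=()) -> list:
    """Return the list of policy violations; an empty list means accepted.

    current -- the plaintext the user typed to authorise the change
    history -- iterable of (salt, digest) pairs from hash_password()
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if not all(any(ch in cls for ch in new) for cls in classes):
        problems.append("needs upper and lower case, a digit and a symbol")
    lowered, normalized = new.lower(), leet_normalize(new)
    for phrase in COMMON_PHRASES:
        if phrase in lowered or phrase in normalized:
            problems.append(f"contains common phrase '{phrase}'")
    if any(term and term.lower() in lowered for term in personal_terms):
        problems.append("contains personal info")
    if changed_span(new, current) <= MAX_SMALL_CHANGE:
        problems.append("differs from current password by two characters or fewer")
    for salt, digest in history:
        if hmac.compare_digest(hash_password(new, salt)[1], digest):
            problems.append("matches a previously used password")
            break
    return problems


if __name__ == "__main__":
    current = "Tr4il-Mix#Orbit92"                       # constructed sample values
    history = [hash_password("Old-Harbor!Kite77"), hash_password(current)]
    for candidate in ("Tr4il-Mix#Orbit92!", "Old-Harbor!Kite77",
                      "Pa$$word2211991", "moss.Quartz-9_Lantern"):
        print(candidate, "->", check_new_password(candidate, current, history) or "accepted")
```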

Never Give Away Personal Info in an Email

If an email asks you for any personal info (birthday, social security number, credit card number, password), the chances are that the message is a scam.

If an email asks for private info, you should call the company in question by finding their contact info online and not by following the instructions in the email. In all likelihood, you will discover that the company knows nothing about the email, and they will caution you not to send private data over email.

Never Reply to Scammers and Spammers

Some employees like to respond to phishing emails and spam messages, but you should ensure workers do not reply to scammers.

Sending a response to a scammer or spammer verifies that your email address is valid. While there is no immediate danger, letting a scammer know that you use that address opens the door to more attacks in the future.

Train Employees to Check Email URLs

Another simple but effective email security best practice is to train employees to inspect URLs when they get a link within an email (especially when the message comes from an unfamiliar source).

Before clicking on a URL, the employee should hover the mouse over the link. If the address does not start with HTTPS, the chances are that the URL does not lead to a safe website. Scammers often try to lure a victim into clicking on a link that leads to a download page for malware. These unsafe websites typically use plain HTTP.

Also, the URL may look like a familiar link, but is it? For example, a scammer can replace one domain letter to fool the employee into thinking the URL is legitimate (such as goggle.com instead of google.com).
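
The two checks described above (scheme and one-letter lookalikes such as goggle.com), written as a link triage function; this is an added example, not part of the original article, and it goes slightly beyond the text by also flagging a trusted name used as userinfo or as a subdomain, and punycode labels. The allowlist, the function names and the naive last-two-labels domain guess are assumptions.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"google.com", "corp.example"}   # constructed allowlist (assumption)
MAX_LOOKALIKE_DISTANCE = 2                          # assumption: 1-2 edits counts as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def registered_domain(host: str) -> str:
    """Naive last-two-labels guess; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def assess_link(url: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return findings for one link target; an empty list means nothing was flagged."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings = []
    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # https://google.com@files.example.net/ goes to files.example.net
        findings.append("userinfo before '@' hides the real host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label (possible homoglyph)")
    domain = registered_domain(host)
    if domain not in trusted:
        for good in sorted(trusted):
            if edit_distance(domain, good) <= MAX_LOOKALIKE_DISTANCE:
                findings.append(f"lookalike of {good}")
            elif f".{good}." in f".{host}":
                findings.append(f"trusted name {good} used as subdomain of {domain}")
    return findings


if __name__ == "__main__":
    samples = [                                      # constructed sample links
        "https://www.google.com/accounts",
        "http://goggle.com/login",
        "https://goggle.com/login",
        "https://google.com@files.example.net/x",
        "https://google.com.signin.example.net/",
    ]
    for link in samples:
        print(link, "->", assess_link(link) or "no findings")
```

The third sample shows why the scheme check alone is not enough: the lookalike domain is still flagged when it is served over HTTPS.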

Use a Spam Filter

Most email service providers have a built-in spam filter. A filter helps:

  • Separate legit emails from malicious messages.
  • Lower the likelihood of phishing and spamming.
  • Keep the inbox tidy and more manageable.

As an added benefit, a spam filter makes the number of emails less overwhelming. Employees will be more focused when navigating their inboxes and alert to suspicious messages.

While most associate spam with onslaughts of ads, a spam message can also contain malware or, even worse, ransomware. If a spam filter stops a ransomware email from entering an employee’s inbox, turning the feature on was worth the effort.

Prevent Employees from Using Business Emails for Private Purposes (or Vice Versa)

Workers should use business emails only for company-related issues and updates. There is no reason for an employee to:

  • Use the email for private purposes (such as subscribing to newsletters, making gaming accounts, etc.).
  • Send work-related stuff to a private email address.
  • Shop online with a professional email.
  • Use the address to exchange personal messages.
  • Post the address anywhere online (social media, forums, chat rooms, etc.).

Whenever an employee shares their email, they increase the chance of the address falling into the wrong hands. Hackers scan public websites to collect info they sell or target later, so every exposure of the address adds risk.

Another reason for stopping an employee from sending work-related stuff to a private email is that anyone who hacks the personal address (which is likely not as protected as a company email) will have access to whatever the employee sent from the business address.

Educate Employees About the Value of Email Security

Educating employees instead of just enforcing email security best practices is vital. Without awareness building, an employee might perceive demands for complex passwords and strict rules as pointless and unjust.

You should organize mandatory email security awareness sessions that explain:

  • All relevant email security best practices.
  • The latest trends in email-based attacks.
  • How to recognize signs of phishing.
  • The importance of using work emails only for job-related purposes.
  • How to inspect email addresses.
  • The traits of legitimate and illegitimate email requests.
  • How to create strong passwords.
  • Where employees can find the company’s email and password-related policies.
  • How employees should react to suspicious emails.

Ensure Employees Log Out of Email Accounts at the End of the Day

Another effective yet simple email security best practice is to ensure employees log out of their email platforms at the end of the workday. You can encourage workers to log out on their own, or you can use the email platform to log everyone out at a particular time automatically. This practice is beneficial when an employee uses an unfamiliar device or a network to check their email.

Use Email Encryption

Every email is at risk of being intercepted by an attacker or going to the wrong address. You can use data encryption to counter both threats.

Encryption scrambles the original email content and turns the message into an unreadable mess. The recipient can reveal the text with a unique decryption key, so any in-transit interception or a wrong recipient cannot lead to a data leak.

Common Email Security Risks

Unfortunately, there is no shortage of email-based threats. Some of the most common email security risks you can encounter are:

  • Social engineering emails: Social engineering tactics attempt to earn the target’s trust to steal info. Phishing is by far the most common email-based social strategy.
  • Malware-armed emails: These emails try to inject malware into your system. The attacker typically “arms” the malware in an attachment or on a fake website the victim is supposed to open. If the malware makes it into your system, the attacker can take control of devices, steal data, or set up spyware.
  • Spam: Spam involves various unwanted messages that can overwhelm an inbox with ads and trojan-infected messages. As around 60% of the world’s email traffic volume is spam, you should not overlook this threat.
  • Ransomware: If a malicious email contains a ransomware program, a single employee opening the wrong email can enable an attacker to encrypt your data or devices.
  • Botnet messages: An infected email can turn your company’s devices into a part of the botnet used to target other victims with DDoS attacks.
  • Business Email Compromise (BEC): A BEC is a type of spear phishing in which a hacker pretends to be one of the company’s high-level executives.

Unfortunately, cyberattacks (email-based and otherwise) are constantly evolving, so staying ahead is challenging. Hackers can be very clever and creative, so protecting your company’s inboxes requires keeping up with the latest threats.

How to protect your phone from hackers

1: Updates

Make sure that your iOS is up to date. This is your primary line of defense against vulnerabilities. I know, I know, there are a lot of them, but that’s the world we live in these days.

It’s also a good idea to keep your apps updated too, but that’s secondary to keeping iOS updated.

2: Strong passcode

If you’re still rolling with 000000 or 123456 or something dumb like that, change it.

Do it now.

While web-based attacks do happen, the most likely way that your data is going to leak from your iPhone is by someone picking it up and unlocking it.

3: Reboot weekly

Most iPhone vulnerabilities rely on jailbreaking the iPhone.

The good news is that a jailbreak can’t survive a reboot, so adding a weekly reboot to your schedule is no bad thing.

How to Know If Someone is Hacking Your Phone

One or more of these could be a red flag that someone has breached your phone:

  1. Your phone loses charge quickly. Malware and fraudulent apps sometimes use malicious code that tends to drain a lot of power.
  2. Your phone runs abnormally slowly. A breached phone might be giving all its processing power over to the hacker’s shady applications. This can cause your phone to slow to a crawl. Unexpected freezing, crashes, and unexpected restarts can sometimes be symptoms.
  3. You notice strange activity on your other online accounts. When a hacker gets into your phone, they will try to steal access to your valuable accounts. Check your social media and email for password reset prompts, unusual login locations or new account signup verifications.
  4. You notice unfamiliar calls or texts in your logs. Hackers may be tapping your phone with an SMS trojan. Alternatively, they could be impersonating you to steal personal info from your loved ones. Keep an eye out, since either method leaves breadcrumbs like outgoing messages.

What to Do If Your Smartphone Has Been Hacked

You’ve learned how to identify if someone is hacking your phone. Now, you’re ready to fight back. Here’s how you cut those cybercriminals out of your personal tech.

First, you’ve got to eliminate any malware that’s infiltrated your device. Once you’ve rooted out the data breach, you can start protecting your accounts and keeping hackers out of your phone.

How to Remove the Hacker from Your Phone

These might include:

  • Online banking
  • Email (work and personal)
  • Apple ID or Google account
  • Phone passcode
  • All social media

Also follow up with any financial or online shopping services that have saved your credit cards or banking details (such as Amazon, eBay, etc.). This will help you to pinpoint any fraudulent transactions. Be sure to report and dispute these charges with your bank.

How to Protect Your Phone from Being Hacked

Don’t download sketchy or disreputable apps. Look at reviews and research before installing if you are unsure. If you’re not confident in the safety of an app, do not install it.

Don’t jailbreak your phone. While it allows you to download from unofficial app stores, jailbreaking ups your risk of unknowingly getting hacked. Aside from malware or spyware, this means you’ll miss security patches in the latest OS updates. Jailbreakers skip updates to keep the jailbreak functional. This makes your risks of being hacked even higher than normal.

Keep your phone with you at all times. Physical access is the easiest way for a hacker to corrupt your phone. Theft and a single day of effort could result in your phone being breached. If you can keep your phone with you, a hacker will have to work much harder to get into it.

Always use a passcode lock and use complex passwords. Do not use easily guessable PINs, like birthdays, graduation dates, or basic defaults like “0000” or “1234.” Use an extended passcode if available, like those with 6 characters. Don’t ever reuse a password in more than one place.

Don’t store passwords on your device. Remembering unique passwords for every account can be difficult. So use a secure password manager instead, like Kaspersky Password Manager. These services allow you to store all your secure credentials in a digital vault — giving you easy access and the security you need.

Frequently clear your internet history. It can be simple to profile trends about your life from all the breadcrumbs of your browser history. So, clear everything, including cookies and cache.

Enable a lost device tracking service. If you lose track of your device out in public, you can use a lost device finder to trace its current location. Some phones have a native application for this, while others may need a third-party app to add this feature.

Keep all apps up to date. Even trusted apps can have programming bugs that hackers exploit. App updates come with bug fixes to protect you from known risks. The same applies to your OS, so update your phone itself when you can.

Always enable two-factor authentication (2FA). This is a second verification method that follows an attempt to use your password. 2FA uses another private account or something you physically have. Apple ID and Google accounts offer 2FA in case your device is used by unsavory actors, so always activate it for more security. Biometrics like fingerprints and face ID are becoming popular options. Physical USB keys are also a great choice when available.

Be cautious about using text or email for your 2FA. Text message and email 2FA are better than no protection but might be intercepted through hacks like SIM swapping.

Don’t use public Wi-Fi without a virtual private network (VPN).

How do hackers make money from your stolen data?

How hackers steal your data

There are many methods hackers can use to steal your data. The following is not an exhaustive list, but it does include some of the most common techniques:

1. Malware

There are many types of malware that can be used to steal your personal information, including keyloggers, info stealers, banking malware and more.

Most strains typically focus on login credentials, credit card information, browser autofill data and cryptocurrency wallets. Certain breeds, such as the infamous Vega Stealer, sniff out specific file types such as PDF, Word, Excel and text files and exfiltrate (transfer the data without authorization) them to a remote command and control server.

Malware typically spreads via malicious email attachments, malvertising, drive-by downloads and pirated software.

2. Phishing

Phishing is a form of low-tech social engineering in which cybercriminals attempt to extract sensitive information such as login credentials, credit card information and personally identifiable information (PII).

In a typical phishing scam, attackers pose as a reputable company such as Microsoft, Amazon or Netflix and claim there’s an issue with your account. The message encourages you to click on a link where you can supposedly resolve the issue by confirming your password or entering your credit card information. This data is sent directly to the hackers, who can then gain access to your real account and the information stored within.

Phishing attacks are typically delivered via email, but they can also be implemented through social media, text messages and phone calls.

3. Weak passwords

Hackers can also steal your data by cracking the passwords of your online accounts. There are a few ways this can be accomplished:

  • Password leaks: When major service providers are hacked, it often results in millions of passwords being leaked, which may be sold or dumped on the web for all to see. Because so many people use the same password for multiple services, attackers can simply use the leaked login credentials to try to gain access to the users’ other accounts. You can check if one of your accounts has been involved in a leak by entering your email address at Have I Been Pwned.
  • Brute force attacks: Hackers use purpose-made tools to input every possible combination of characters until the correct password is guessed. The shorter and weaker the password, the quicker it will be cracked by a brute force attack.
  • Keyloggers: Attackers use data-stealing malware such as keyloggers to track keyboard input data and steal your passwords.
  • Phishing: Hackers use social engineering to get you to willingly divulge your username and password. Phishing attacks can appear very convincing and may be sent from a legitimate account that has been compromised.
  • Post-exploitation tools: Some tools are made to harvest passwords and other valuable information stored on systems that have already been compromised. If your system has been compromised (e.g. by malware), an attacker can deploy post-exploitation tools like the infamous Mimikatz to view and steal login credentials that are stored deep within your system.

4. Unsecured connections

Attackers can also steal your data by preying on unsecured connections such as public Wi-Fi networks. Public Wi-Fi is often unsecured and unencrypted, leaving users vulnerable to a variety of attacks, including:

  • Man-in-the-middle attacks: Hackers intercept your data by positioning themselves in the middle of your connection to the public Wi-Fi. Attackers can access any information that passes between you and the websites you visit while connected to the Wi-Fi network, including your passwords and financial data.
  • Rogue hotspot: Attackers set up a Wi-Fi access point that resembles a legitimate hotspot, enabling them to eavesdrop on network traffic. Attackers may also be able to use the rogue hotspot to distribute malware or direct you to malicious websites.

How hackers monetize stolen data

Once a hacker has successfully stolen your data, the first step is to inventory it. They comb through your data for valuable information such as your login credentials, financial information, names, phone numbers, addresses and social security number, and organize it in a database. After the data has been collated, hackers have a variety of ways to monetize it.

Use the data themselves

In some cases, hackers may monetize your stolen data by using it themselves to make purchases or commit fraud. This is relatively rare as committing fraud is much more likely to attract the attention of authorities than anonymously selling large batches of data online. Nevertheless, it does happen.

Attackers can use your stolen data to:

  • Purchase items online
  • Extract money from your bank account
  • Apply for bank loans
  • Apply for credit cards
  • Make fraudulent health insurance claims
  • Pay off debt
  • Request money from your contacts using your email and social media accounts

Sell your login credentials

Usernames and passwords are often sold in bulk on the dark web. Buyers may use your login credentials to transfer money from your bank account, make online purchases and access various paid services.

Here’s how much your account credentials typically sell for, according to a Symantec report on the underground economy:

  • Gaming platform accounts: $0.50-$12
  • Video and music streaming accounts: $0.10-$2
  • Cloud service accounts: $5-$10
  • Online banking accounts: 0.5%-10% of the account’s value

Sell PII to buyers on the black market

Hackers commonly sell PII on underground marketplaces that are accessible on the dark web. Typically, PII will be sold in bulk batches. The more recently the data has been stolen, the more valuable it is.

Here’s how much your data is worth:

  • Name, social security number and date of birth: $0.10-$1.50
  • Medical notes and prescriptions: $15-$20
  • ID/passport scans or templates: $1-$35
  • Mobile phone online account: $15-$25
  • Full ID packages (name, address, phone, SSN, email, bank account): $30-$100

It might not sound like a lot of money, but it’s important to remember that data is often sold in enormous batches. Attackers who are able to successfully breach a major company can sometimes walk away with the data of millions of users, which can collectively be sold for big bucks. In 2019, the hacker behind the Canva data breach put up for sale on the dark web the data of 932 million users, which he stole from 44 companies.

Sell your credit card information

Attackers will usually sell your credit card information in large bundles of hundreds or even thousands of stolen credit cards. This data is often purchased by “carders”, who try to avoid fraud detection by purchasing gift cards and using them to buy physical items, which may then be sold on the dark web as well as through legitimate channels such as eBay or Craigslist.

How much do hackers sell your credit card information for?

  • Single credit card: $0.50-$20
  • Single credit card with full details: $1-$45

Hold your data to ransom

Some types of ransomware have data exfiltration functionality, which enables hackers to not only encrypt your data but also steal it via a range of channels, including FTP, HTTP, HTTPS, SSL/TLS and more.

Attackers can use your stolen data as extra leverage to encourage you to pay the ransom (the average is a whopping $84,000) and sell your PII on the black market for extra pocket money.

Sell valuable intellectual property

It’s not uncommon for hackers to launch attacks on large corporations and sell the stolen data to companies in developing nations. These are typically highly sophisticated, nation-sponsored attacks and can be incredibly lucrative for both the hackers and the country funding the attack. Chinese intellectual property theft is estimated to cost the U.S. economy $50 billion a year.

How data theft can impact victims

Being the victim of data theft can have significant repercussions. In the short-term, you’ll have to go through the time-consuming process of securing your compromised accounts, reversing fraudulent purchases and replacing stolen credit cards.

These are annoying but not life-changing effects. However, there can also be longer-lasting consequences.

For example, if your social security number is stolen and used for fraudulent activity, it could potentially impact your credit history and credit score. Undoing the damage can be very difficult, and may prevent you from making loan applications, purchasing a home or renting property. In addition, if your work-related accounts are used to deliver malware or phishing attacks, you may damage your professional reputation, cause business loss or have to face disciplinary action from superiors.

Conclusion

Data theft is usually financially driven. There are many ways for cybercriminals to get their hands on your personal data, including malware, phishing, password cracking and man-in-the-middle attacks. Once they have obtained your data, they may use it themselves to commit fraud, or they may sell it in bulk on the dark web.

What Do Hackers Do With Stolen Information?

What Hackers Do With Stolen Information

Hackers have been known to commit a variety of crimes using stolen information. These crimes include:

  • Using your credit or debit card information for fraudulent purchases
  • Applying for credit cards or loans in your name
  • Accessing your bank accounts, retirement accounts and other financial accounts
  • Filing fraudulent tax returns to get an income tax refund in your name
  • Using your health insurance to access medical care
  • Changing your billing address so you don’t notice the fraud until it’s too late
  • Filing for government benefits, such as unemployment, under your name
  • Renting an apartment or applying for a job in your name
  • Committing crimes and giving your name to the police when they’re arrested
  • Applying for fraudulent identification such as driver’s licenses or passports
  • Selling your information to other criminals on the dark web

Hackers may also use your Social Security number (SSN) to create a synthetic ID—a false identity that merges your data with theirs. And identity theft can be particularly damaging for children. Hackers may steal a child’s personal information long before the child is old enough to have bank accounts or credit cards and receive bills. Often, the theft isn’t discovered until the child is old enough to apply for a credit card or student loan and is denied.

How to Protect Yourself From Hackers

To safeguard your personal data from hackers, make these preventive steps part of your routine.

  • Use strong, unique passwords. Choose a different password for every account. If you use the same password over and over, a hacker who breaches one account could access all of them. Consider trying a password manager app, which generates strong passwords and remembers them for you.
  • Use two-factor authentication. Protect critical data such as your banking, retirement accounts or health care data with two-factor authentication. After entering your password, you’ll receive a code to enter each time you log on.
  • Destroy old documents and data. Shred documents containing personal information before disposing of them. Wipe personal data before selling, discarding or donating computers or mobile devices.
  • Protect your hardware. Install antivirus software on computers and mobile devices and keep it updated. Enable automatic operating system updates for computers and mobile devices.
  • Monitor account statements. Review all bills, statements, letters and other communications from banks, credit card companies, insurance companies, government agencies and health care providers. A withdrawal, charge or service you don’t recognize might be the first sign of identity theft.
  • Protect your cards. Carry only the payment and identification cards you need. Shield the keypad from prying eyes when typing your PIN into an ATM or point-of-sale device.
  • Don’t let mail sit in your mailbox. Install a mail slot in your home or garage door to ensure mail is delivered securely.
  • Protect your SSN. Keep your Social Security card at home and commit your number to memory.
  • Be Wi-Fi wise. Don’t input passwords, share sensitive data or perform financial transactions when you’re using public Wi-Fi; it can be easily hacked. Keep your home Wi-Fi network password-protected.
  • Be wary of emails or texts from unknown sources. Never click on a link in a text or email unless you trust the source. Emails used in phishing scams often contain clues such as misspellings, low-resolution graphics, and email addresses that might differ from the supposed sender’s actual address.
  • Don’t share information by phone. Criminals “spoof” phone numbers to appear as though a legitimate organization—such as the IRS or your bank—is calling. Be leery of anyone who asks you to share or verify account numbers, SSN, driver’s license number, credit card number or other personal information over the phone. If you’re worried it really is your bank calling, hang up and call the number on the bank’s website instead.
  • Slow down. When you’re stressed or panicked, you’ll likely rush past red flags. Criminals count on this. If a call, email or text insists you must act now to avoid some kind of repercussion (such as jail time), be suspicious.
  • Limit social media sharing. Social media games and polls that ask for your pet’s name, birthplace or favorite band may seem innocent, but these clues can help criminals decipher your passwords.
  • Use credit freezes and credit locks. Worried your data has already been stolen? Put a credit freeze or credit lock on your credit reports. These prevent credit checks, so if a criminal tries to apply for a loan or credit card, they won’t be able to get it approved. You can lift the credit freeze or credit lock if you’re planning to apply for new credit.

The Bottom Line

One way to protect your personal data is to regularly review your credit report for suspicious activity. You can also sign up for free credit monitoring to get alerted when there are unexpected changes in your credit report, which can help you quickly respond to some types of fraud.

Wondering if your information has been sold to criminals? Experian’s free, one-time dark web scan checks for your Social Security number, email or phone number. Signing up for Experian’s identity theft protection plans can also provide even more peace of mind.


5 ways hackers steal passwords.

Passwords are the virtual keys to your digital world – providing access to your online banking, email and social media services, your Netflix and Uber accounts, and all the data hosted in your cloud storage. With working logins, a hacker could:

  • Steal your personal identity information and sell it to fellow criminals.
  • Sell access to the account itself. Dark web criminal sites do a brisk trade in these logins. Unscrupulous buyers could use access to get everything from free taxi rides and video streaming to discounted travel from hijacked Air Miles accounts.
  • Use passwords to unlock other accounts where you use the same password.

How do hackers steal passwords?

Familiarize yourself with these typical cybercrime techniques and you’ll be far better placed to manage the threat:

1. Phishing and social engineering

Human beings are fallible and suggestible creatures. We’re also prone to make the wrong decisions when rushed. Cybercriminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t. Phishing is perhaps the most famous example. Here, hackers masquerade as legitimate entities, such as friends, family and companies you’ve done business with. The email or text you get will look authentic, but includes a malicious link or attachment which, if clicked on, will download malware or take you to a page to fill in your personal details.

Fortunately, there are plenty of ways to spot the warning signs of a phishing attack. Scammers are even using phone calls to directly elicit logins and other personal information from their victims, often pretending to be tech support engineers. This is described as “vishing” (voice-based phishing).

2. Malware

Another popular way to get hold of your passwords is via malware. Phishing emails are a prime vector for this kind of attack, although you might fall victim by clicking on a malicious advert online (malvertising), or even by visiting a compromised website (drive-by-download). As demonstrated many times by ESET researcher Lukas Stefanko, malware could even be hidden in a legitimate-looking mobile app, often found on third-party app stores.

There are many varieties of information-stealing malware out there, but some of the most common are designed to log your keystrokes or take screenshots of your device and send them back to the attackers.

3. Brute forcing

The number of passwords the average person has to manage increased by an estimated 25% year-on-year in 2020. Many of us use easy-to-remember (and easy-to-guess) passwords as a consequence, and reuse them across multiple sites. However, this can open the door to so-called brute-force techniques.

4. Guesswork

Although hackers have automated tooling at their disposal for brute-forcing your password, sometimes it is not even needed: even simple guesswork – as opposed to the more systematic approach used in brute-force attacks – can do the job. The most common password of 2020 was “123456”, followed by “123456789”. Coming in at number four was the one and only “password”.

And if you’re like most people and recycle the same password, or use a close derivative of it, across multiple accounts, then you’re making things even easier for attackers and putting yourself at additional risk of identity theft and fraud.

5. Shoulder surfing

All of the paths to password compromise we’ve explored so far have been virtual. However, as lockdowns ease and many workers start heading back to the office, it’s worth remembering that some tried-and-tested eavesdropping techniques also pose a risk. This is not the only reason why shoulder surfing is still a risk, and ESET’s Jake Moore recently ran an experiment to find out how easy it is to hack someone’s Snapchat using this simple technique.

A more hi-tech version, known as a “man-in-the-middle” attack involving Wi-Fi eavesdropping, can enable hackers sitting on public Wi-Fi connections to snoop on your password as you enter it while connected to the same hub. Both techniques have been around for years, but that doesn’t mean they’re not still a threat.

How to protect your login credentials

There’s plenty you can do to block these techniques – by adding a second form of authentication to the mix, managing your passwords more effectively, or taking steps to stop the theft in the first place. Consider the following:

  • Use only strong and unique passwords or passphrases on all your online accounts, especially your banking, email and social media accounts
  • Avoid reusing your login credentials across multiple accounts and making other common password mistakes
  • Switch on two-factor authentication (2FA) on all your accounts
  • Use a password manager, which will store strong, unique passwords for every site and account, making logins simple and secure
  • Change your password immediately if a provider tells you your data may have been breached
  • Only use HTTPS sites for logging in
  • Don’t click on links or open attachments in unsolicited emails
  • Only download apps from official app stores
  • Invest in security software from a reputable provider for all your devices
  • Ensure all operating systems and applications are on the latest version
  • Beware shoulder surfers in public spaces
  • Never log on to an account if you’re on public Wi-Fi; if you do have to use such a network, use a VPN

The demise of the password has been predicted for over a decade. But password alternatives still often struggle to replace the password itself, meaning users must take matters into their own hands. Stay alert and keep your login data safe.

Simple Ways Hackers Steal Your Data.

The main goal for a hacker is to gain access to private information, and to use that against a person or organization for ransom. Depending on the type of information, this can be detrimental to the success of a business.

While it is important to know how to keep your data safe and secure, it is also good to know the most common ways hackers try to attack your data.

The Guessing Game

The first step that hackers will take is simple. They target accounts with common PINs and passwords. Hackers do this by exploiting phone carriers’ websites with multiple attempts using simple-to-guess PINs, such as “1234.” Many of these password variations will be tested based on public information. As discussed in last month’s article, anything that is publicly visible should not be considered for a PIN or password. For example, using an old childhood address “4551” as a PIN isn’t recommended.

Gaining Your Trust

Gaining trust is the next step for hackers. To gain trust, hackers will hide behind a friend, company, or institution associated with your information. Typically, they will find a trusted number and spoof it. The term “spoofing” means changing the number that displays on the victim’s caller ID.

Spoofing is major business for hackers and spammers. The scary part is that anyone with the correct technology can spoof a number. Caller identifications are determined during the second ring of the call. In this short period, the hacker will use Frequency Key Shifting, which alters the binary format of the number. Changing the binary format can be completed through automated programs.

Human Weakness

Hackers that want to gain access to private information commonly resort to social engineering techniques. Social engineering is used by hackers because it is much easier to exploit a human for data than a website or network.

This technique allows skilled hackers to obtain details such as a phone number or email from institutions like cell phone carriers. With these bits of information, they can procure even more access to important accounts and backtrack to gather extended details.

How to tell if you are getting hacked

Individuals asking for your vital information should not be trusted. It is important to not release personal information over the phone. Several institutions, agencies, and companies have noted the following:

  • Financial institutions will never ask for your online password. They won’t use email or text to request personal information.
  • Federal and State Government agencies will never request personal information via phone, text, or email. This includes the FBI and IRS. Personal information is always acquired in person or through mail.
  • Technology support staff won’t detect malicious software or viruses on your device remotely. Companies including Microsoft and Apple will never call to provide such support.
  • Debt consolidation, loans, and charities sometimes discuss personal information via phone; however, this information should only be released to a trusted entity that you called directly.

If you happen to get caught by a hacker, the first step to combat spoofing is to call the company, agency, or person back. The Federal Communications Commission (FCC) says to report any suspicious callers that asked for personal information. If you’re located in Canada, suspicious calls can be reported to the Canadian Radio-television and Telecommunications Commission (CRTC).

Wi-Fi Isn’t Your Friend

Wireless connections aren’t as secure as many perceive. Public or free wireless networks are the ones to avoid. Generally, these networks aren’t monitored or encrypted, so it is important to never enter personal information on an untrusted wireless network. Hackers can collect valuable data effortlessly through these networks by generating a bot to collect vital information.

Hotels, airports, and coffee shops are the typical targets for hackers. When in these locations, using 3G, 4G, or LTE phone data can be much safer and harder to hack than Wi-Fi networks. It’s also recommended to use Hyper Text Transfer Protocol Secure (HTTPS) when browsing sites that handle personal information. You can encrypt your traffic even further by setting up a Virtual Private Network (VPN).

It Can Happen to Anyone

Whether you are a Fortune 500 company, famous celebrity, or an ordinary person, hackers can tap into your accounts and steal valuable information if it isn’t properly protected. Here are a few tips to follow to ensure you don’t become susceptible to your data being stolen:

  • Use unique and complex PINs and passwords
  • When available use fingerprint identification and two-step authentication
  • Don’t trust the caller ID
  • Never click untrusted links within emails or text messages
  • Avoid using public Wi-Fi networks
  • Use HTTPS addresses, when available
  • Encrypt online activity with a VPN.

ATM Safety & Security Tips.

Criminals select their victims and targets, focusing on the unaware or unprepared. Criminals are also drawn to environmental conditions that enhance the opportunity to successfully complete their crime. The attitude and demeanor you convey can have a tremendous effect on potential assailants. There are a number of things you can do to increase your personal security and reduce your risk of becoming an ATM crime victim.

The following crime prevention tips can help make the use of ATMs safer for everyone.

  • Walk purposefully with confidence. Give the appearance that you are totally aware of your surroundings
  • Be aware of your total environment and what is going on around you. Criminals tend to avoid people who have this type of demeanor
  • Perform mental exercises and think out what you would do in different crime or personal security situations
  • Follow your instincts. If you feel you are in danger, respond immediately. Remember that your personal safety is the first priority

ATM Selection Considerations

The law sets minimum standards for ATM lighting and procedures for evaluating the safety of ATMs, and requires notices to ATM users outlining basic safety precautions for using ATMs. Although ATM environmental design issues are covered in the law, there are other considerations that an ATM customer needs to weigh prior to selecting and using an ATM. For example:

  • Do not select an ATM at the corner of a building. Corners create a blind area in close proximity to the customer’s transaction. Select an ATM located near the center of a building. An ATM further from the corner reduces the element of surprise by an assailant and increases effective reaction time by the user.
  • Identify an ATM with maximum natural surveillance and visibility from the surrounding area. This creates a perceived risk of detection for a criminal and increases the potential for witnesses.
  • Select an ATM at a location void of barriers blocking the line of sight of the ATM. This includes shrubbery, landscaping, signs, decorative partitions or dividers. Barriers provide hiding areas for would-be assailants.
  • Select an ATM that is in a well-lighted location.
  • Whenever possible, select an ATM that is monitored or patrolled by a security officer.
  • Select an ATM with a wide-angle transaction camera and/or a continuous transaction surveillance camera. Consult the bank or location management for this information.
  • Solicit prior criminal activity statistics from law enforcement for the ATM site and surrounding neighborhood.
  • Avoid ATM locations with large perimeter parking lots and numerous ingress and egress points.
  • Maintain an awareness of your surroundings throughout the entire transaction. Do not become so involved with your transaction that you are not aware of changing conditions in the area.
  • Do not wear expensive jewelry or take other valuables to the ATM. This is an added incentive to an assailant.
  • If you get cash – put it away immediately. Do not stand at the ATM and count it.
  • Never accept offers of assistance with the ATM from strangers; ask the bank for help.
  • Never lend your ATM card to anyone; treat it as if it were cash or a credit card.
  • If you use a drive-up ATM, ascertain your vehicle doors and windows are locked.
  • During evening hours, consider taking a companion along, park close to the ATM in a well-lighted area and lock your car. If the lights around the ATM are not working properly, do not use it.
  • When leaving an ATM location, make sure you are not being followed. If you are being followed, drive immediately to a police, sheriff, fire station, crowded area, well-lighted location or open business. Flash your lights and sound your horn to bring attention to your situation.
  • If you are involved in a confrontation and the attacker is armed with a weapon and demands your money or valuables, GIVE IT TO THE SUSPECT. Do not resist; property may be recovered later or replaced.

iPhone Security: Essential Tips to Protect Your Phone from Hackers.

Can someone hack my iPhone? How do I know if my iPhone is hacked? These are questions our readers ask a lot. We tend to think of our iPhone getting hacked as a far-fetched scenario; however, iPhones can definitely get hacked, even with the ever-increasing layers of security Apple implements to protect our devices.

Protecting iPhone from Hackers: Basic Dos & Don’ts

While it’s not worth panicking over, it’s good to exercise caution to not unwittingly allow hackers access to our devices. You can do a lot to secure your iPhone and protect it from possible hackers, but let’s first cover the basics of how to secure your iPhone from hackers.

Don’t Let Your iPhone Get Hacked: Never Jailbreak

The number one piece of advice for keeping hackers away from your iPhone is this: never jailbreak your device. Jailbreaking allows iPhone owners to access apps and software not available in the Apple ecosystem, but it also exposes your phone to viruses and other malware. Once you’ve jailbroken your iPhone, you’ve also voided your warranty, so you won’t be able to get help from Apple if something goes wrong with your device.

Stop iPhone Security Flaws: Update iOS Regularly

A lot of iPhone users may be skeptical of this advice, but updating your iOS and iPadOS devices to the latest software is the absolute best way to make sure your devices are as protected from hackers as possible. That’s because with each update, Apple improves security features and fixes any previously overlooked weak points that might allow hackers access.

The first couple of weeks after an iOS release often reveal problems with the update itself. This is why I highly recommend you update iOS regularly on your phone, but not right away. A week or two is enough time for any major flaws or bugs to become apparent. When a new update comes out, wait two weeks, and then go for it. To update your device:

  1. Open the Settings app.
  2. Select General.
  3. Tap Software Update.
  4. If an iOS or iPadOS update is available, follow the prompts to download and install.

Keep Your iCloud Account Safe: Change Your Apple ID Password Regularly

As noted above, but worth saying again and again: your Apple ID is incredibly important to your iPhone’s overall security. It’s the one password to rule them all. If your Apple ID is compromised, the hacker will have access to your iCloud, your iCloud keychain, your everything. Regularly changing your Apple ID password adds an additional level of security: it ensures that even if a hacker gets ahold of your password, it won’t be valid for long. I recommend creating a new Apple ID password every six months. If you have two-factor authentication enabled, you can change your Apple ID password right on your device. To do so:

  1. Open the Settings app.
  2. Tap your Apple ID at the top.
  3. Select Password & Security.
  4. Tap Change Password.
  5. You’ll be asked to enter your current iPhone Passcode.

Once you’ve verified your identity by entering the passcode, follow the prompts to finish resetting your iPhone passcode.

Stay Away from Phishing Scams & Pop-Ups: Be Cautious Online, in Messages & When Opening Emails

A common way hackers can get to your iPhone is through malware links and scammy emails. You click a link in an email and, unbeknownst to you, the link installs software that gives the hacker access to your iPhone. A good rule of thumb is to only open things (links, messages, emails) from sources you trust. This means:

  • If you’re browsing on the web, only open a link if you know where it’s going and know that the site it’s on is legitimate.
  • If you receive text messages from unknown numbers, look at the message preview to see if it’s someone you know. If the message is strange, asks for something, or contains a link or other suspicious text, simply delete it.
  • If an email contains a newsletter you haven’t signed up for, or if it has a link or attachment that you did not request, then delete it. Sometimes your friends’ email accounts can get hacked. Then the hacker sends emails to everyone they have addresses for. So I’m going to repeat this: never open an attachment or link from an email unless you specifically requested it, even if it is from someone you know.
  • When entering information into a website, pay attention to make sure the website is legitimate.

Also, be wary of hackers and scammers posing as companies like PayPal and Apple. I’ve gotten fake PayPal emails in the past telling me I’d been locked out of my account and that I need to click somewhere and sign in. It looked completely legit. I clicked on the link, started to enter my info, and happened to look at the URL and see that it was a subtle variation of PayPal and not PayPal itself. Luckily, I caught it in time. Even though I’ve been on the internet since it started, those hackers almost got me. Stay vigilant, my friends.
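The “subtle variation of PayPal” in the URL is something a mail filter or browser extension can check for mechanically. The following is an added example, not code from the original article: the trusted list, the confusable-character table, the category names and the test URLs are all constructed assumptions, and the last two hostname labels are treated as the registrable domain (no public suffix list).

```python
from urllib.parse import urlsplit

# Domains the user really does business with (the article names PayPal and Apple).
TRUSTED = {"paypal.com", "apple.com"}

# Spelling tricks often used to imitate a name (assumed table, not exhaustive).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""))

# Constructed sample URLs; the .example and example.org names are reserved for documentation.
SAMPLE_URLS = [
    "https://www.paypal.com/signin",
    "https://paypa1.example/signin",
    "https://paypal.com.account-verify.example/login",
    "https://news.example.org/article",
]


def skeleton(label):
    """Collapse visually confusable spellings to one canonical form."""
    for fake, real in CONFUSABLES:
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike', 'brand-in-subdomain' or 'unknown'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return "unknown"

    # Exact match on the registrable domain, so www.paypal.com is trusted.
    if ".".join(labels[-2:]) in trusted:
        return "trusted"

    name = labels[-2]
    brands = {t.split(".")[0] for t in trusted}

    # A near-miss spelling of a trusted name, or the right name on another TLD.
    # Short brand names will produce some false positives at distance 1.
    for brand in brands:
        if skeleton(name) == skeleton(brand) or edit_distance(name, brand) <= 1:
            return "lookalike"

    # The trusted name used as a subdomain of an unrelated domain.
    if brands & set(labels[:-2]):
        return "brand-in-subdomain"
    return "unknown"


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify(u):20} {u}")
```
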

Don’t Let Your iPhone Get Hacked: Use Secure Wi-Fi & Avoid Logins in Public

Public Wi-Fi is one of the easiest ways to get hacked since public networks are inherently less secure. For paying bills, logging into accounts, and other private activities, it’s highly recommended you use a closed Wi-Fi network, like the one you may have set up at home. A lot of people need to use public Wi-Fi as they do the majority of their work in cafes or simply don’t have an internet connection at home. If that’s you, consider using a Virtual Private Network (VPN), which will create a private security net around your internet activity.

Keep Your Accounts Secure: Use iCloud Keychain to Generate Unique Passwords

The most serious vulnerability on your iPhone isn’t your iPhone itself, but the passwords used on your iPhone to access your data. If you use the same password on multiple websites or services, then you’re at risk. Hackers target websites and services that don’t seem like they would hold valuable information, like a forum that requires a login. When the hackers get in there, they harvest large lists of passwords. The hackers know that some of those same credentials will have been used in other, more important services, like iCloud. Next, they try all the usernames and passwords they got from the low-security service on iCloud and now and then, they get lucky. 

Hackers usually aren’t after you personally, so anonymity isn’t a good defense. They may not even know your name. If they manage to penetrate a website that has a password of yours, and you used that same password with your Apple ID, they may get onto your iCloud account. They might place files on your iPhone with iCloud, see your photo stream, send emails using your accounts, or mine your personal data from your iCloud backups. 
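From the service’s side, the password-reuse attack described above has a recognizable shape in login logs: one source tries many different usernames in a short time and mostly fails. The detector below is an added example, not part of the original article; the log format, field order, thresholds and every log line are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result".
# IP addresses come from the documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.7 alice FAIL
2024-05-01T10:00:02Z 198.51.100.7 bob FAIL
2024-05-01T10:00:03Z 198.51.100.7 carol OK
2024-05-01T10:00:04Z 198.51.100.7 dave FAIL
2024-05-01T10:00:05Z 198.51.100.7 erin FAIL
2024-05-01T10:00:06Z 198.51.100.7 frank FAIL
2024-05-01T10:01:00Z 203.0.113.9 admin FAIL
2024-05-01T10:01:01Z 203.0.113.9 admin FAIL
2024-05-01T10:01:02Z 203.0.113.9 admin FAIL
2024-05-01T10:01:03Z 203.0.113.9 admin FAIL
2024-05-01T10:01:04Z 203.0.113.9 admin FAIL
2024-05-01T10:01:05Z 203.0.113.9 admin FAIL
2024-05-01T10:02:10Z 192.0.2.44 alice FAIL
2024-05-01T10:02:25Z 192.0.2.44 alice OK
malformed entry
"""


def parse(log_text):
    """Return sorted (timestamp, ip, username, success) tuples, skipping bad lines."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        events.append((ts, parts[1], parts[2], parts[3] == "OK"))
    return sorted(events)


def detect(events, window=timedelta(minutes=5), min_users=5,
           min_fail_ratio=0.8, min_single_fails=5):
    """Flag sources whose login pattern looks like stuffing or guessing.

    credential_stuffing: many distinct usernames, mostly failing, in one window.
    password_guessing:   repeated failures against a single username.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        kind, users_tried, start = None, 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            fails = sum(1 for e in chunk if not e[3])
            if len(users) >= min_users and fails / len(chunk) >= min_fail_ratio:
                kind = "credential_stuffing"
                users_tried = max(users_tried, len(users))
            elif kind is None and len(users) == 1 and fails >= min_single_fails:
                kind = "password_guessing"
                users_tried = 1
        if kind:
            findings[ip] = {
                "kind": kind,
                "users_tried": users_tried,
                # Accounts this source logged in to: candidates for a forced reset.
                "compromised": sorted({e[2] for e in evs if e[3]}),
            }
    return findings


if __name__ == "__main__":
    for ip, info in detect(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

The `compromised` list is the part that matters to the affected users: those are the accounts where a reused password actually worked and should be reset.
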

Keep Your Apple ID Safe from Hackers: Enable 2-Factor Authentication

You can enable two-factor authentication to use a trusted device to log in to a new device. For example, say you got a new iPad. When you go to sign in with your Apple ID for the first time, your other trusted devices like your iPhone will receive a notification asking for approval. If allowed, your iPhone will display a verification code. Once you enter the verification code on your iPad, the device is approved. This feature works so well because anytime someone tries to log in to your Apple ID account, you’ll get a notification and have the ability to approve or deny the attempt. To use this feature, you need to have iOS 9 software or later.

Keep Your iPhone Safe from Hackers: Switch to a 6-Digit or Longer Device Passcode

Apple has made six-digit passcodes the default for a while now, but many users prefer to continue using a four-digit code or no code at all. While it may seem like an inconvenience to add two extra digits to your passcode, it’s worth the added security. Your device passcode should be unique and hard to guess. Nothing like 1111 or 123456! There are one thousand possible combinations of four numbers and one million possible combinations of six. Pick something random. You’ll be entering it fairly often, so it should be easy to remember. If you’re really serious about keeping your ID safe from hackers, you could consider setting an even longer passcode with both numbers and letters. I strongly recommend changing your device passcode to a custom numeric code or an even more secure custom alphanumeric code. 

Keep Your iPhone Secure: How to Disable Siri on Your Lock Screen

I hesitated to include disabling Siri on your Lock screen. Partially because it’s a feature I use often and therefore wouldn’t turn off myself, partially because it’s more of a long shot that someone would hack your iPhone with Siri. However, over the years, there have been instances of someone being able to access private information by using Siri and finding a loophole in the iPhone’s security. Of course, every time one of these loopholes is discovered, Apple fixes it in the next update. But if you’re concerned with someone bypassing your iPhone’s Lock screen, it’s a good final measure to implement.

If you’re more concerned about remote hacking, this tip won’t matter as much to you. But if you’re worried about someone picking up your phone and finding their way in, turning off Siri on your Lock screen is the way to make sure they’ll need your passcode to get in. Here’s how to disable Siri on your lock screen:

  1. Open the Settings app.
  2. Select Siri & Search.
  3. Tap to disable the Allow Siri When Locked toggle.
  4. To confirm, tap Turn Off Allow Siri When Locked.

Keep the Data on Your iPhone Safe: Erase Data If Lost

This is a no-brainer. When you turn on Find My for your iPhone or iPad, you can see the location of your phone or tablet from any of your other devices or via iCloud.com. While it’s not recommended you personally track down an Apple device that’s fallen into the hands of a thief, the Find My app will allow you to find your iPhone or iPad if you lose it. However, that’s not why it’s recommended for protecting your device from hackers. The great thing about Find My is that if your device is stolen, you can remotely erase your device so that none of your personal information can be stolen too. If you haven’t already, first turn on Find My, then follow the steps below to learn how to erase an iPhone that has been stolen or lost: 

  1. Open the Find My app.
  2. Tap the Devices tab at the bottom of the screen.
  3. Tap the name of your iPhone in the list of devices.
  4. Scroll down to the bottom and tap Erase This Device.

Follow any on-screen prompts to confirm the setup of this feature.

iPhone Security: Set Your Phone to Self-Destruct

Okay, so your phone can’t really self-destruct, but close enough. You can turn on a setting that will wipe your device clean after ten consecutive failed passcode attempts. I would only turn this setting on if you’re super concerned about some of the information you have on your phone, and you have automatic iCloud backups enabled. People with children should be especially careful, since ten failed attempts will erase everything, and you’ll need to restore your phone from a backup. But it is a fantastic security measure. Let’s cover how to turn on Erase Data:

  1. Open the Settings app.
  2. Select Face ID & Passcode (or Touch ID & Passcode for iPhones with a Home button).
  3. Enter your passcode.
  4. Scroll down and tap the Erase Data toggle.
  5. Tap Enable to confirm.

Hacker Protection: Use an End-to-End Encryption Service

Did you know that it’s possible for hackers to spy on your messages and calls, track your location, and even intercept two-factor authentication codes if they know your telephone number? Signaling System Number 7 is part of the global network that connects our cellphones. This set of protocols enables cell phone service providers to send and receive information about calls and texts so they can properly bill their customers, but it comes with a price. Government entities and hackers can exploit SS7 to spy on literally anyone’s cell phone as long as they know their phone number, and the target won’t know it’s happening at all. 

Although it’s highly unlikely that anyone would use SS7 to hack your iPhone, it’s good to know it’s a possibility so you can protect your privacy. Download and use an end-to-end encryption app such as Signal to send and receive calls and messages to keep all your communications private, especially if you need to share something important. As an additional security safeguard, you can use a secure Wi-Fi network rather than your carrier to send and receive calls and messages. 

Hacking Apps for iPhone: Keep Your Device Free from Tracking Apps

There’s a set of app developers constantly working to develop hacking apps to sell to the public. They’re usually disguised as an app with a different feature set; you download it for free, and it starts doing things behind the scenes that you wouldn’t want. iPhones don’t need to be jailbroken for these to work; although it’s much easier to install a spying app on a jailbroken phone, it’s possible to use one on a device with factory settings as well. Apple’s App Store is always on the lookout for these illicit apps, but they can sneak through the cracks. Try to use apps from reputable companies with lots of reviews, and only apps that have been updated recently. 

Beware of New Android Banking Malware that Completely Controls Your Device

Octo, a new Android banking malware that employs remote access capabilities to enable attackers to commit on-device fraud, has been identified in the wild and is designed to prey on vulnerable Android devices.

Octo is a variation of ExoCompact, malware based on the Exo trojan, which was used by cybercriminals until it left the scene in 2018 and its source code was leaked.

ThreatFabric researchers identified several users on darknet forums who were looking to purchase this variant.

It has been proven that ExobotCompact is directly associated with the malware strain recently discovered by experts. The threat is referred to as ExobotCompact.B on ThreatFabric’s MTI Portal, while it was first identified as a worm.

In November 2021, following a few rounds of updates to ExobotCompact, the ExobotCompact.D variant was introduced, and it is the latest iteration of ExobotCompact.

Capabilities of Octo Malware

In comparison to ExoCompact, Octo comes with a lot of advanced features. By controlling the compromised Android device remotely, the threat actors can execute on-device fraud (ODF) using the remote access module of Octo.

The capabilities of Octo are:

  • Manipulating other apps.
  • Compromise password management apps.
  • Compromise crypto wallet apps.
  • Compromise banking apps.
  • Compromise 2FA apps.
  • Compromise game logins.

As part of its attacks, Octo conceals the remote operations from the victim behind a black screen overlay. During this session, the attacker does two key things:

  • Activates the no interruption mode.
  • Lowers the screen brightness to zero.

By making the device appear to be turned off, the malware can perform the following tasks without the victim being aware of them:

  • Screen taps
  • Gestures
  • Text writing
  • Clipboard modification
  • Data pasting
  • Scrolling up
  • Scrolling down

Supported Commands

Octo supports a large range of commands:

  • Block push notifications from specified apps.
  • Enable SMS interception.
  • Disable sound.
  • Temporarily lock the device’s screen.
  • Launch a specified app.
  • Start remote access session.
  • Stop remote access session.
  • Update list of C2s.
  • Open specified URLs.
  • Send SMS with specified text to a specified number.

Campaigns & Actors

A threat actor using the alias ‘Architect’ or ‘good luck’ sells Octo on popular forums, such as the Russian-language XSS hacking forum. Notably, the posts between Octo’s seller and potential subscribers are written in English, whereas most posts on XSS are written in Russian.

It is believed that the ‘Architect’ of Octo is either the same author who maintained the ExoCompact source code or a new owner who acquired it.

The cybersecurity analysts at ThreatFabric say there are several similarities between Octo and ExoCompact, such as:

  • Google Play publication success
  • Google Protect disabling function
  • The reverse engineering protection system

ExoCompact also includes a remote access module, although a simpler one, and it provides options for executing commands at a delayed time as well as administrative options similar to Octo’s.

Recently, an app named “Fast Cleaner” infected devices with Octo on Google Play. The app had 50,000 installs before it was discovered and removed in February 2022.

Infected Apps

Known Android apps containing the Octo malware:

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (vizeeva.fast.cleaner)
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2), and
  • Play Store app install (com.theseeye5)
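To check a device against the list above, the following added example (not from the article or from ThreatFabric) parses the output of `adb shell pm list packages` and reports any installed package that matches. The package names are the ones listed on this page; the sample output is constructed for illustration.

```python
# Package names copied from the list above, with the display names given there.
OCTO_PACKAGES = {
    "com.moh.screen": "Pocket Screencaster",
    "vizeeva.fast.cleaner": "Fast Cleaner 2021",
    "com.restthe71": "Play Store",
    "com.carbuildz": "Postbank Security",
    "com.cutthousandjs": "Pocket Screencaster",
    "com.frontwonder2": "BAWAG PSK Security",
    "com.theseeye5": "Play Store app install",
}

def parse_pm_list(output):
    """Extract package names from `pm list packages` output.

    Handles plain lines, the -f form (package:<apk path>=<name>),
    a trailing " uid:<n>" field from -U, and CRLF line endings.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue  # skip warnings, blank lines and other adb noise
        fields = line[len("package:"):].split()
        if not fields:
            continue
        # Exact package name: drop the apk path if one is present.
        names.append(fields[0].rsplit("=", 1)[-1])
    return names

def find_octo_apps(output):
    """Return sorted (package, display name) pairs found on the device."""
    hits = OCTO_PACKAGES.keys() & set(parse_pm_list(output))
    return sorted((pkg, OCTO_PACKAGES[pkg]) for pkg in hits)

# Constructed sample of `adb shell pm list packages -f -U` output.
SAMPLE = (
    "package:/system/app/Chrome/Chrome.apk=com.android.chrome uid:10120\r\n"
    "package:/data/app/~~Qx1==/vizeeva.fast.cleaner-9a==/base.apk="
    "vizeeva.fast.cleaner uid:10231\r\n"
    "package:com.example.fast.cleaner\r\n"  # similar name, not on the list
    "package:com.carbuildz\r\n"
)

if __name__ == "__main__":
    for pkg, name in find_octo_apps(SAMPLE):
        print(f"FOUND {pkg} ({name})")
```

An empty result only rules out these seven package names; it does not show that a device is free of Octo.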

All information viewed on a device’s screen becomes accessible to malware variants once it has been infected, which means that no information is safe, and any protective measures are ineffective.

In such a case, it is extremely important that users remain vigilant, keep the number of apps on their smartphones to a minimum, and make sure Play Protect is enabled.