Email Security Practices.

Emails continue to be one of the most exploitable attack vectors criminals use to target companies. A single employee opening a malicious link in an email is enough to enable a hacker to bypass all cyber defenses, which is why preventing email-based threats should be a top priority.

Use Strong Email Passwords

The easier the password is to guess, the more likely it is that someone will breach the email account.

Even if you do not rely on a password like “123456” or “password123” (which, unfortunately, too many people do), hackers have access to top-tier brute force attack tools that can crack even moderately complex passwords. For example, a password like “Pa$$word2211991” may look secure, but a high-end tool could crack that password in under a minute.

Each staff member in your company should have a solid and unique password for their email account to prevent brute force attacks (or someone simply guessing the password). A reliable password should:

  • Have at least 12 characters.
  • Rely on a mix of upper and lowercase letters, numbers, and special symbols.
  • Be random and unique.
  • Not include common phrases.
  • Not contain any personal info (names of family members or pets, companies, places of birth, birthdays, or any other info a hacker can discover by googling your name or spying on social media).

Prepare for Phishing Emails

A phishing email attempts to trick one of the employees into either providing helpful info or clicking on a malicious link. An attacker typically uses phishing to scam the target into:

  • Downloading malware.
  • Providing sensitive data (typically login details).

Phishing tactics are among the most common social engineering methods criminals use to exploit emails. Some of the standard strategies include:

  • Pretending to be a service provider and asking the target to “log in” via a link that leads to a fake website.
  • Impersonating a superior and asking for sensitive data.
  • Pretending to be a part of the security team and asking the victim to “update” one of their passwords.
  • Sending an email with a malicious file that has a hidden program.

Unfortunately, there is no way to stop phishing emails. Your employees are bound to receive one from time to time, which is why educating the workforce is the primary way to protect your company.

The golden rule of preventing phishing is to not respond to, click links, or open attachments in emails that look suspicious. Employees should use common sense before interacting with an email and must be able to:

  • Recognize suspicious files and links.
  • Assess the reasoning behind the request within the message.
  • Inspect the sender’s address.
  • Assess the general state of an email (grammar, business context, the tone of voice, the lack of an email signature, etc.).

Use 2FA to Verify Email Logins

Two-factor authentication (2FA) requires an employee to provide an additional credential besides typing in a username and password. Another verification factor adds an extra layer of defense and is a vital counter to brute-force attacks and password cracking.

Besides providing a username and password, 2FA requires the employee to provide one (or more) of the following:

  • A unique item (token, card, etc.).
  • A PIN received via SMS, email, voice call, or a time-based one-time password (TOTP) app.
  • Biometric data (eye, fingerprint, face, or voice scans).
  • A barcode generated on a mobile device.
  • A prompt on a mobile phone that confirms the user is currently trying to log in.

Even if an attacker steals the email credentials of one of your employees, the use of 2FA will prevent the intruder from logging in to the email account.

Luckily, deploying 2FA is not as technical as it sounds. Most email platforms offer two-factor authentication by default, so there is no reason not to use 2FA to protect your company’s inboxes.

Train Employees on How to Handle Email Attachments

Attackers typically use email attachments to hide executable files or programs that inject malware into the system. Before opening an attachment, educate your employees to ask themselves the following questions:

  • Is the sender someone within my organization or someone I can trust?
  • Is the format right for this type of attachment (look out for .exe (executable program), .jar (Java application program) and .msi (Windows Installer))?
  • Does the email itself mention anything about an attachment?
  • Am I expecting this email attachment?
  • Is the sender’s address legit?
  • Is the person behind the attachment sending you emails regularly?

If there is even the slightest doubt, the employee should not open the attachment. Instead, they should first confirm the content with the sender to make sure that the email is real.
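Several of the checklist questions above can be answered by a mail gateway before the message reaches the employee. The following added example (not from the original article) parses a raw message with Python's standard email package; the organization domain, the keyword list, the hold policy and the sample messages are all constructed assumptions.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr

RISKY_EXTENSIONS = {".exe", ".jar", ".msi"}  # the formats the checklist names
ORG_DOMAIN = "example-corp.com"              # assumption: placeholder company domain
MENTION_WORDS = ("attach", "enclosed")       # assumption: illustrative keywords


def triage_attachments(raw: bytes) -> dict:
    """Answer the automatable checklist questions for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)

    # Is the sender within my organization? The From header is not proof of
    # origin, so pair this with the gateway's SPF/DKIM/DMARC verdict.
    _, address = parseaddr(str(msg.get("From", "")))
    internal = address.rpartition("@")[2].lower() == ORG_DOMAIN

    # Does the email itself mention anything about an attachment?
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part is not None else ""
    mentioned = any(word in body for word in MENTION_WORDS)

    # Is the format right? Compare the final extension, case-insensitively.
    names = [part.get_filename() or "(unnamed)" for part in msg.iter_attachments()]
    risky = [n for n in names if os.path.splitext(n)[1].lower() in RISKY_EXTENSIONS]

    return {
        "internal_sender": internal,
        "attachments": names,
        "risky": risky,
        "body_mentions_attachment": mentioned,
        # Assumed policy: hold every risky format, and any attachment from an
        # external sender that the message text never refers to.
        "hold_for_review": bool(risky) or bool(names and not internal and not mentioned),
    }


def build_sample(sender: str, body: str, filename: str) -> bytes:
    """Construct a sample message with one attachment (placeholder content)."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "alice@example-corp.com"
    m["Subject"] = "Quarterly figures"
    m.set_content(body)
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    raw = build_sample("Billing <billing@vendor-mail.example>",
                       "Please pay today.", "Invoice_0423.EXE")
    print(triage_attachments(raw))
```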

Ensure Employees Never Access Emails from Public Wi-Fi

If you allow employees to take office devices home or open work emails from personal devices, you must ensure workers do not access emails on public Wi-Fi.

A cybercriminal only needs basic skills to discover data passing through publicly accessible Wi-Fi, so both sensitive data and login credentials are at risk.

Employees should only access their email when they are confident in network security. A much safer option (although not as secure as opening emails only when using office Wi-Fi) is to use mobile internet or internet dongles for out-of-office use.

Have Periodic Password Changes

One of the simplest (and most effective) email security best practices is to ensure employees change their passwords regularly. You should:

  • Ensure each worker has a new email password every 2 to 4 months.
  • Use devices to force password changes instead of leaving it up to employees to update credentials.
  • Prevent employees from adding one or two characters to the current password to create a new one.
  • Prevent workers from using passwords they already had in the past.

Of course, each new password should follow the standard rules for strong passphrases (mix of lower and upper cases, numbers, symbols, etc.).
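The strong-password rules from the first section and the rotation rules above can be enforced together at the moment an employee changes a password, when both the current and the new password are available. This added example (not from the original article) sketches such a check; the common-phrase list, the character substitutions, the PBKDF2 work factor and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os
import string

# Assumption: tiny constructed sample; a real deployment loads a full list.
COMMON_PHRASES = {"password", "123456", "qwerty", "letmein", "welcome"}
# Undo common character swaps so "Pa$$word" is recognised as "password".
LEET = str.maketrans({"$": "s", "@": "a", "0": "o", "3": "e", "1": "l"})
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash; the work factor is an assumption, tune it for your hardware."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def is_small_extension(old: str, new: str, max_added: int = 2) -> bool:
    """True if `new` is `old` with at most `max_added` characters inserted."""
    if not 0 <= len(new) - len(old) <= max_added:
        return False
    remaining = iter(new)
    return all(ch in remaining for ch in old)  # `old` is a subsequence of `new`


def policy_violations(new, current, history, personal_terms):
    """Return the rules the new password breaks (empty list means accepted).

    history: (salt, hash) pairs of earlier passwords; plaintext is never stored.
    personal_terms: names, birthdays and similar details known about the user.
    """
    problems = []
    if len(new) < 12:
        problems.append("too-short")
    if not all(any(c in cls for c in new) for cls in CLASSES):
        problems.append("missing-character-class")
    lowered = new.casefold()
    variants = {lowered, lowered.translate(LEET)}
    if any(phrase in v for phrase in COMMON_PHRASES for v in variants):
        problems.append("common-phrase")
    if any(t.casefold() in lowered for t in personal_terms if len(t) >= 3):
        problems.append("personal-info")
    if is_small_extension(current.casefold(), lowered):
        problems.append("trivial-change-of-current")
    if any(hmac.compare_digest(hash_password(new, salt), digest)
           for salt, digest in history):
        problems.append("previously-used")
    return problems


if __name__ == "__main__":
    salt = os.urandom(16)
    history = [(salt, hash_password("Old-Horse7!battery", salt))]  # constructed
    current = "Tr4il!mix-Canyon"                                   # constructed
    for candidate in ("Pa$$word2211991", "Tr4il!mix-Canyon22", "mV7#qzLw!e2RkT9x"):
        print(candidate, policy_violations(candidate, current, history, ["Rex"]))
```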

Never Give Away Personal Info in an Email

If an email asks you for any personal info (birthday, social security number, credit card number, password), the chances are that the message is a scam.

If an email asks for private info, you should call the company in question by finding their contact info online and not by following the instructions in the email. In all likelihood, you will discover that the company knows nothing about the email, and they will caution you not to send private data over email.

Never Reply to Scammers and Spammers

Some employees like to respond to phishing emails and spam messages, but you should ensure workers do not reply to scammers.

Sending a response to a scammer or spammer verifies that your email address is valid. While there is no immediate danger, letting a scammer know that you use that address opens the door to more attacks in the future.

Train Employees to Check Email URLs

Another simple but effective email security best practice is to train employees to inspect URLs when they get a link within an email (especially when the message comes from an unfamiliar source).

Before clicking on a URL, the employee should hover the mouse over the link. If the address does not start with https://, the chances are that the URL does not lead to a safe website. Scammers often try to lure a victim into clicking on a link that leads to a download page for malware. These unsafe websites typically use plain http:// addresses.

Also, the URL may look like a familiar link, but is it? For example, a scammer can replace one domain letter to fool the employee into thinking the URL is legitimate (such as goggle.com instead of google.com).

Use a Spam Filter

Most email service providers have a built-in spam filter. A filter helps:

  • Separate legit emails from malicious messages.
  • Lower the likelihood of phishing and spamming.
  • Keep the inbox tidy and more manageable.

As an added benefit, a spam filter makes the number of emails less overwhelming. Employees will be more focused when navigating their inboxes and alert to suspicious messages.

While most associate spam with onslaughts of ads, a spam message can also contain malware or, even worse, ransomware. If a spam filter stops a ransomware email from entering an employee’s inbox, turning the feature on was worth the effort.

Prevent Employees from Using Business Emails for Private Purposes (or Vice Versa)

Workers should use business emails only for company-related issues and updates. There is no reason for an employee to:

  • Use the email for private purposes (such as subscribing to newsletters, making gaming accounts, etc.).
  • Send work-related stuff to a private email address.
  • Shop online with a professional email.
  • Use the address to exchange personal messages.
  • Post the address anywhere online (social media, forums, chat rooms, etc.).

Whenever an employee shares their email, they increase the chance of the address falling into the wrong hands. Hackers scan public websites to collect info they sell or target later, so every exposure of the address adds risk.

Another reason for stopping an employee from sending work-related stuff to a private email is that anyone who hacks the personal address (which is likely not as protected as a company email) will have access to whatever the employee sent from the business address.

Educate Employees About the Value of Email Security

Educating employees instead of just enforcing email security best practices is vital. Without awareness building, an employee might perceive demands for complex passwords and strict rules as pointless and unjust.

You should organize mandatory email security awareness sessions that explain:

  • All relevant email security best practices.
  • The latest trends in email-based attacks.
  • How to recognize signs of phishing.
  • The importance of using work emails only for job-related purposes.
  • How to inspect email addresses.
  • The traits of legitimate and illegitimate email requests.
  • How to create strong passwords.
  • Where employees can find the company’s email and password-related policies.
  • How employees should react to suspicious emails.

Ensure Employees Log Out of Email Accounts at the End of the Day

Another effective yet simple email security best practice is to ensure employees log out of their email platforms at the end of the workday. You can encourage workers to log out on their own, or you can use the email platform to log everyone out at a particular time automatically. This practice is beneficial when an employee uses an unfamiliar device or a network to check their email.

Use Email Encryption

Every email is at risk of being intercepted by an attacker or going to the wrong address. You can use data encryption to counter both threats.

Encryption scrambles the original email content and turns the message into an unreadable mess. The recipient can reveal the text with a unique decryption key, so any in-transit interception or a wrong recipient cannot lead to a data leak.

Common Email Security Risks

Unfortunately, there is no shortage of email-based threats. Some of the most common email security risks you can encounter are:

  • Social engineering emails: Social engineering tactics attempt to earn the target’s trust to steal info. Phishing is by far the most common email-based social strategy.
  • Malware-armed emails: These emails try to inject malware into your system. The attacker typically “arms” the malware in an attachment or on a fake website the victim is supposed to open. If the malware makes it into your system, the attacker can take control of devices, steal data, or set up spyware.
  • Spam: Spam involves various unwanted messages that can overwhelm an inbox with ads and trojan-infected messages. As around 60% of the world’s email traffic volume is spam, you should not overlook this threat.
  • Ransomware: If a malicious email contains a ransomware program, a single employee opening the wrong email can enable an attacker to encrypt your data or devices.
  • Botnet messages: An infected email can turn your company’s devices into a part of the botnet used to target other victims with DDoS attacks.
  • Business Email Compromise (BEC): A BEC is a type of spear phishing in which a hacker pretends to be one of the company’s high-level executives.

Unfortunately, cyberattacks (email-based and otherwise) are constantly evolving, so staying ahead is challenging. Hackers can be very clever and creative, so protecting your company’s inboxes requires keeping up with the latest threats.

How to protect your phone from hackers.

1: Updates

Make sure that your iOS is up to date. This is your primary line of defense against vulnerabilities. I know, I know, there are a lot of them, but that’s the world we live in these days.

It’s also a good idea to keep your apps updated too, but that’s secondary to keeping iOS updated.

2: Strong passcode

If you’re still rolling with 000000 or 123456 or something dumb like that, change it.

Do it now.

While web-based attacks do happen, the most likely way that your data is going to leak from your iPhone is by someone picking it up and unlocking it.

3: Reboot weekly

Most iPhone vulnerabilities rely on jailbreaking the iPhone.

The good news is that a jailbreak can’t survive a reboot, so adding a weekly reboot to your schedule is no bad thing.

How to Know If Someone is Hacking Your Phone

One or more of these could be a red flag that someone has breached your phone:

  1. Your phone loses charge quickly. Malware and fraudulent apps sometimes use malicious code that tends to drain a lot of power.
  2. Your phone runs abnormally slowly. A breached phone might be giving all its processing power over to the hacker’s shady applications. This can cause your phone to slow to a crawl. Unexpected freezing, crashes, and unexpected restarts can sometimes be symptoms.
  3. You notice strange activity on your other online accounts. When a hacker gets into your phone, they will try to steal access to your valuable accounts. Check your social media and email for password reset prompts, unusual login locations or new account signup verifications.
  4. You notice unfamiliar calls or texts in your logs. Hackers may be tapping your phone with an SMS trojan. Alternatively, they could be impersonating you to steal personal info from your loved ones. Keep an eye out, since either method leaves breadcrumbs like outgoing messages.

What to Do If Your Smartphone Has Been Hacked

You’ve learned how to identify if someone is hacking your phone. Now, you’re ready to fight back. Here’s how you cut those cybercriminals out of your personal tech.

First, you’ve got to eliminate any malware that’s infiltrated your device. Once you’ve rooted out the data breach, you can start protecting your accounts and keeping hackers out of your phone.

How to Remove the Hacker from Your Phone

These might include:

  • Online banking
  • Email (work and personal)
  • Apple ID or Google account
  • Phone passcode
  • All social media

Also follow up with any financial or online shopping services that have saved your credit cards or banking details (such as Amazon, eBay, etc.). This will help you pinpoint any fraudulent transactions. Be sure to report and dispute these charges with your bank.

How to Protect Your Phone from Being Hacked

Don’t download sketchy or disreputable apps. Look at reviews and research before installing if you are unsure. If you’re not confident in the safety of an app, do not install it.

Don’t jailbreak your phone. While it allows you to download from unofficial app stores, jailbreaking ups your risk of unknowingly getting hacked. Aside from malware or spyware, this means you’ll miss security patches in the latest OS updates. Jailbreakers skip updates to keep the jailbreak functional. This makes your risks of being hacked even higher than normal.

Keep your phone with you at all times. Physical access is the easiest way for a hacker to corrupt your phone. Theft and a single day of effort could result in your phone being breached. If you can keep your phone with you, a hacker will have to work much harder to get into it.

Always use a passcode lock and use complex passwords. Do not use easily guessable PINs, like birthdays, graduation dates, or basic defaults like “0000” or “1234.” Use an extended passcode if available, like those with 6 characters. Don’t ever reuse a password in more than one place.

Don’t store passwords on your device. Remembering unique passwords for every account can be difficult. So use a secure password manager instead, like Kaspersky Password Manager. These services allow you to store all your secure credentials in a digital vault — giving you easy access and the security you need.

Frequently clear your internet history. It can be simple to profile trends about your life from all the breadcrumbs of your browser history. So, clear everything, including cookies and cache.

Enable a lost device tracking service. If you lose track of your device out in public, you can use a lost device finder to trace its current location. Some phones have a native application for this, while others may need a third-party app to add this feature.

Keep all apps up to date. Even trusted apps can have programming bugs that hackers exploit. App updates come with bug fixes to protect you from known risks. The same applies to your OS, so update your phone itself when you can.

Always enable two-factor authentication (2FA). This is a second verification method that follows an attempt to use your password. 2FA uses another private account or something you physically have. Apple ID and Google accounts offer 2FA in case your device is used by unsavory actors, so always activate it for more security. Biometrics like fingerprints and face ID are becoming popular options. Physical USB keys are also a great choice when available.

Be cautious about using text or email for your 2FA. Text message and email 2FA are better than no protection but might be intercepted through hacks like SIM swapping.

Don’t use public Wi-Fi without a virtual private network (VPN).

How do hackers make money from your stolen data?

How hackers steal your data

There are many methods hackers can use to steal your data. The following is not an exhaustive list, but it does include some of the most common techniques:

1. Malware

There are many types of malware that can be used to steal your personal information, including keyloggers, info stealers, banking malware and more.

Most strains typically focus on login credentials, credit card information, browser autofill data and cryptocurrency wallets. Certain breeds, such as the infamous Vega Stealer, sniff out specific file types such as PDF, Word, Excel and text files and exfiltrate (transfer the data without authorization) them to a remote command and control server.

Malware typically spreads via malicious email attachments, malvertising, drive-by downloads and pirated software.

2. Phishing

Phishing is a form of low-tech social engineering in which cybercriminals attempt to extract sensitive information such as login credentials, credit card information and personally identifiable information (PII).

In a typical phishing scam, attackers pose as a reputable company such as Microsoft, Amazon or Netflix and claim there’s an issue with your account. The message encourages you to click on a link where you can supposedly resolve the issue by confirming your password or entering your credit card information. This data is sent directly to the hackers, who can then gain access to your real account and the information stored within.

Phishing attacks are typically delivered via email, but they can also be implemented through social media, text messages and phone calls.

3. Weak passwords

Hackers can also steal your data by cracking the passwords of your online accounts. There are a few ways this can be accomplished:

  • Password leaks: When major service providers are hacked, it often results in millions of passwords being leaked, which may be sold or dumped on the web for all to see. Because so many people use the same password for multiple services, attackers can simply use the leaked login credentials to try to gain access to the users’ other accounts. You can check if one of your accounts has been involved in a leak by entering your email address at Have I Been Pwned.
  • Brute force attacks: Hackers use purpose-made tools to input every possible combination of characters until the correct password is guessed. The shorter and weaker the password, the quicker it will be cracked by a brute force attack.
  • Keyloggers: Attackers use data-stealing malware such as keyloggers to track keyboard input data and steal your passwords.
  • Phishing: Hackers use social engineering to get you to willingly divulge your username and password. Phishing attacks can appear very convincing and may be sent from a legitimate account that has been compromised.
  • Post-exploitation tools: Some tools are made to harvest passwords and other valuable information stored on systems that have already been compromised. If your system has been compromised (e.g. by malware), an attacker can deploy post-exploitation tools like the infamous Mimikatz to view and steal login credentials that are stored deep within your system.

4. Unsecured connections

Attackers can also steal your data by preying on unsecured connections such as public Wi-Fi networks. Public Wi-Fi is often unsecured and unencrypted, leaving users vulnerable to a variety of attacks, including:

  • Man-in-the-middle attacks: Hackers intercept your data by positioning themselves in the middle of your connection to the public Wi-Fi. Attackers can access any information that passes between you and the websites you visit while connected to the Wi-Fi network, including your passwords and financial data.
  • Rogue hotspot: Attackers set up a Wi-Fi access point that resembles a legitimate hotspot, enabling them to eavesdrop on network traffic. Attackers may also be able to use the rogue hotspot to distribute malware or direct you to malicious websites.

How hackers monetize stolen data

Once a hacker has successfully stolen your data, the first step is to inventory it. They comb through your data for valuable information such as your login credentials, financial information, names, phone numbers, addresses and social security number, and organize it in a database. After the data has been collated, hackers have a variety of ways to monetize it.

Use the data themselves

In some cases, hackers may monetize your stolen data by using it themselves to make purchases or commit fraud. This is relatively rare as committing fraud is much more likely to attract the attention of authorities than anonymously selling large batches of data online. Nevertheless, it does happen.

Attackers can use your stolen data to:

  • Purchase items online
  • Extract money from your bank account
  • Apply for bank loans
  • Apply for credit cards
  • Make fraudulent health insurance claims
  • Pay off debt
  • Request money from your contacts using your email and social media accounts

Sell your login credentials

Usernames and passwords are often sold in bulk on the dark web. Buyers may use your login credentials to transfer money from your bank account, make online purchases and access various paid services.

Here’s how much your account credentials typically sell for, according to a Symantec report on the underground economy:

  • Gaming platform accounts: $0.50-$12
  • Video and music streaming accounts: $0.10-$2
  • Cloud service accounts: $5-$10
  • Online banking accounts: 0.5%-10% of the account’s value

Sell PII to buyers on the black market

Hackers commonly sell PII on underground marketplaces that are accessible on the dark web. Typically, PII will be sold in bulk batches. The more recently the data has been stolen, the more valuable it is.

Here’s how much your data is worth:

  • Name, social security number and date of birth: $0.10-$1.50
  • Medical notes and prescriptions: $15-$20
  • ID/passport scans or templates: $1-$35
  • Mobile phone online account: $15-$25
  • Full ID packages (name, address, phone, SSN, email, bank account): $30-$100

It might not sound like a lot of money, but it’s important to remember that data is often sold in enormous batches. Attackers who are able to successfully breach a major company can sometimes walk away with the data of millions of users, which can collectively be sold for big bucks. In 2019, the hacker behind the Canva data breach put up for sale on the dark web the data of 932 million users, which he stole from 44 companies.

Sell your credit card information

Attackers will usually sell your credit card information in large bundles of hundreds or even thousands of stolen credit cards. This data is often purchased by “carders”, who try to avoid fraud detection by purchasing gift cards and using them to buy physical items, which may then be sold on the dark web as well as through legitimate channels such as eBay or Craigslist.

How much do hackers sell your credit card information for?

  • Single credit card: $0.50-$20
  • Single credit card with full details: $1-$45

Hold your data to ransom

Some types of ransomware have data exfiltration functionality, which enables hackers to not only encrypt your data but also steal it via a range of channels, including FTP, HTTP, HTTPS, SSL/TLS and more.

Attackers can use your stolen data as extra leverage to encourage you to pay the ransom (the average is a whopping $84,000) and sell your PII on the black market for extra pocket money.

Sell valuable intellectual property

It’s not uncommon for hackers to launch attacks on large corporations and sell the stolen data to companies in developing nations. These are typically highly sophisticated, nation-sponsored attacks and can be incredibly lucrative for both the hackers and the country funding the attack. Chinese intellectual property theft is estimated to cost the U.S. economy $50 billion a year.

How data theft can impact victims

Being the victim of data theft can have significant repercussions. In the short-term, you’ll have to go through the time-consuming process of securing your compromised accounts, reversing fraudulent purchases and replacing stolen credit cards.

These are annoying but not life-changing effects. However, there can also be longer-lasting consequences.

For example, if your social security number is stolen and used for fraudulent activity, it could potentially impact your credit history and credit score. Undoing the damage can be very difficult, and may prevent you from making loan applications, purchasing a home or renting property. In addition, if your work-related accounts are used to deliver malware or phishing attacks, you may damage your professional reputation, cause business loss or have to face disciplinary action from superiors.

Conclusion

Data theft is usually financially driven. There are many ways for cybercriminals to get their hands on your personal data, including malware, phishing, password cracking and man-in-the-middle attacks. Once they have obtained your data, they may use it themselves to commit fraud, or they may sell it in bulk on the dark web.

What Do Hackers Do With Stolen Information?

What Hackers Do With Stolen Information

Hackers have been known to commit a variety of crimes using stolen information. These crimes include:

  • Using your credit or debit card information for fraudulent purchases
  • Applying for credit cards or loans in your name
  • Accessing your bank accounts, retirement accounts and other financial accounts
  • Filing fraudulent tax returns to get an income tax refund in your name
  • Using your health insurance to access medical care
  • Changing your billing address so you don’t notice the fraud until it’s too late
  • Filing for government benefits, such as unemployment, under your name
  • Renting an apartment or applying for a job in your name
  • Committing crimes and giving your name to the police when they’re arrested
  • Applying for fraudulent identification such as driver’s licenses or passports
  • Selling your information to other criminals on the dark web

Hackers may also use your Social Security number (SSN) to create a synthetic ID—a false identity that merges your data with theirs. And identity theft can be particularly damaging for children. Hackers may steal a child’s personal information long before the child is old enough to have bank accounts or credit cards and receive bills. Often, the theft isn’t discovered until the child is old enough to apply for a credit card or student loan and is denied.

How to Protect Yourself From Hackers

To safeguard your personal data from hackers, make these preventive steps part of your routine.

  • Use strong, unique passwords. Choose a different password for every account. If you use the same password over and over, a hacker who breaches one account could access all of them. Consider trying a password manager app, which generates strong passwords and remembers them for you.
  • Use two-factor authentication. Protect critical data such as your banking, retirement accounts or health care data with two-factor authentication. After entering your password, you’ll receive a code to enter each time you log on.
  • Destroy old documents and data. Shred documents containing personal information before disposing of them. Wipe personal data before selling, discarding or donating computers or mobile devices.
  • Protect your hardware. Install antivirus software on computers and mobile devices and keep it updated. Enable automatic operating system updates for computers and mobile devices.
  • Monitor account statements. Review all bills, statements, letters and other communications from banks, credit card companies, insurance companies, government agencies and health care providers. A withdrawal, charge or service you don’t recognize might be the first sign of identity theft.
  • Protect your cards. Carry only the payment and identification cards you need. Shield the keypad from prying eyes when typing your PIN into an ATM or point-of-sale device.
  • Don’t let mail sit in your mailbox. Install a mail slot in your home or garage door to ensure mail is delivered securely.
  • Protect your SSN. Keep your Social Security card at home and commit your number to memory.
  • Be Wi-Fi wise. Don’t input passwords, share sensitive data or perform financial transactions when you’re using public Wi-Fi; it can be easily hacked. Keep your home Wi-Fi network password-protected.
  • Be wary of emails or texts from unknown sources. Never click on a link in a text or email unless you trust the source. Emails used in phishing scams often contain clues such as misspellings, low-resolution graphics, and email addresses that might differ from the supposed sender’s actual address.
  • Don’t share information by phone. Criminals “spoof” phone numbers to appear as though a legitimate organization—such as the IRS or your bank—is calling. Be leery of anyone who asks you to share or verify account numbers, SSN, driver’s license number, credit card number or other personal information over the phone. If you’re worried it really is your bank calling, hang up and call the number on the bank’s website instead.
  • Slow down. When you’re stressed or panicked, you’ll likely rush past red flags. Criminals count on this. If a call, email or text insists you must act now to avoid some kind of repercussion (such as jail time), be suspicious.
  • Limit social media sharing. Social media games and polls that ask for your pet’s name, birthplace or favorite band may seem innocent, but these clues can help criminals decipher your passwords.
  • Use credit freezes and credit locks. Worried your data has already been stolen? Put a credit freeze or credit lock on your credit reports. These prevent credit checks, so if a criminal tries to apply for a loan or credit card, they won’t be able to get it approved. You can lift the credit freeze or credit lock if you’re planning to apply for new credit.

The Bottom Line

One way to protect your personal data is to regularly review your credit report for suspicious activity. You can also sign up for free credit monitoring to get alerted when there are unexpected changes in your credit report, which can help you quickly respond to some types of fraud.

Wondering if your information has been sold to criminals? Experian’s free, one-time dark web scan checks for your Social Security number, email or phone number. Signing up for Experian’s identity theft protection plans can also provide even more peace of mind.


5 ways hackers steal passwords.

Passwords are the virtual keys to your digital world – providing access to your online banking, email and social media services, your Netflix and Uber accounts, and all the data hosted in your cloud storage. With working logins, a hacker could:

  • Steal your personal identity information and sell it to fellow criminals.
  • Sell access to the account itself. Dark web criminal sites do a brisk trade in these logins. Unscrupulous buyers could use access to get everything from free taxi rides and video streaming to discounted travel from hijacked Air Miles accounts.
  • Use passwords to unlock other accounts where you use the same password.

How do hackers steal passwords?

Familiarize yourself with these typical cybercrime techniques and you’ll be far better placed to manage the threat:

1. Phishing and social engineering

Human beings are fallible and suggestible creatures. We’re also prone to make the wrong decisions when rushed. Cybercriminals exploit these weaknesses through social engineering, a psychological con trick designed to make us do something we shouldn’t. Phishing is perhaps the most famous example. Here, hackers masquerade as legitimate entities such as friends, family, and companies you’ve done business with. The email or text you get will look authentic, but includes a malicious link or attachment which, if clicked on, will download malware or take you to a page to fill in your personal details.

Fortunately, there are plenty of ways to spot the warning signs of a phishing attack. Scammers are even using phone calls to directly elicit logins and other personal information from their victims, often pretending to be tech support engineers. This is described as “vishing” (voice-based phishing).

2. Malware

Another popular way to get hold of your passwords is via malware. Phishing emails are a prime vector for this kind of attack, although you might fall victim by clicking on a malicious advert online (malvertising), or even by visiting a compromised website (drive-by-download). As demonstrated many times by ESET researcher Lukas Stefanko, malware could even be hidden in a legitimate-looking mobile app, often found on third-party app stores.

There are many varieties of information-stealing malware out there, but some of the most common are designed to log your keystrokes or take screenshots of your device and send them back to the attackers.

3. Brute forcing

The number of passwords the average person has to manage increased by an estimated 25% year-on-year in 2020. Many of us use easy-to-remember (and guess) passwords as a consequence, and reuse them across multiple sites. However, this can open the door to so-called brute-force techniques.

4. Guesswork

Although hackers have automated tooling at their disposal for brute-forcing your password, sometimes it is not even needed: even simple guesswork – as opposed to the more systematic approach used in brute-force attacks – can do the job. The most common password of 2020 was “123456”, followed by “123456789”. Coming in at number four was the one and only “password”.

And if you’re like most people and recycle the same password, or use a close derivative of it, across multiple accounts, then you’re making things even easier for attackers and putting yourself at additional risk of identity theft and fraud.

5. Shoulder surfing

All of the paths to password compromise we’ve explored so far have been virtual. However, as lockdowns ease and many workers start heading back to the office, it’s worth remembering that some tried-and-tested eavesdropping techniques also pose a risk. This is not the only reason why shoulder surfing is still a risk, and ESET’s Jake Moore recently ran an experiment to find out how easy it is to hack someone’s Snapchat using this simple technique.

A more hi-tech version, known as a “man-in-the-middle” attack involving Wi-Fi eavesdropping, can enable hackers sitting on public Wi-Fi connections to snoop on your password as you enter it in while connected to the same hub. Both techniques have been around for years, but that doesn’t mean they’re not still a threat.

How to protect your login credentials

There’s plenty you can do to block these techniques – by adding a second form of authentication to the mix, managing your passwords more effectively, or taking steps to stop the theft in the first place. Consider the following:

  • Use only strong and unique passwords or passphrases on all your online accounts, especially your banking, email and social media accounts
  • Avoid reusing your login credentials across multiple accounts and making other common password mistakes
  • Switch on two-factor authentication (2FA) on all your accounts
  • Use a password manager, which will store strong, unique passwords for every site and account, making logins simple and secure
  • Change your password immediately if a provider tells you your data may have been breached
  • Only use HTTPS sites for logging in
  • Don’t click on links or open attachments in unsolicited emails
  • Only download apps from official app stores
  • Invest in security software from a reputable provider for all your devices
  • Ensure all operating systems and applications are on the latest version
  • Beware shoulder surfers in public spaces
  • Never log on to an account if you’re on public Wi-Fi; if you do have to use such a network, use a VPN

The demise of the password has been predicted for over a decade. But password alternatives still often struggle to replace the password itself, meaning users must take matters into their own hands. Stay alert and keep your login data safe.

Simple Ways Hackers Steal Your Data.

The main goal for a hacker is to gain access to private information, and to use that against a person or organization for ransom. Depending on the type of information, this can be detrimental to the success of a business.

While it is important to know how to keep your data safe and secure, it is also good to know the most common ways hackers try to attack your data.

The Guessing Game

The first step that hackers will take is simple. They target accounts with common PINs and passwords. Hackers do this by making multiple attempts on phone carriers’ websites with simple-to-guess PINs, such as “1234.” Many of these password variations will be tested based on public information. As discussed in last month’s article, anything that is publicly visible should not be considered for a PIN or password. For example, using an old childhood address “4551” as a PIN isn’t recommended.
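One way a service could enforce this advice when a customer sets a PIN, shown as an added example that is not part of the original article. The function names and the sample profile are assumptions; the profile values other than the “4551” address number are constructed.

```python
import re
from itertools import permutations

# Constructed sample of details a stranger could find out about a customer.
SAMPLE_PROFILE = ["4551 Maple Street", "1991-02-21", "+1 555 010 7734"]


def public_digit_strings(public_info):
    """Collect digit strings an attacker could derive from public details."""
    candidates = set()
    for item in public_info:
        runs = re.findall(r"[0-9]+", item)
        candidates.update(runs)            # e.g. the house number
        candidates.add("".join(runs))      # e.g. a phone number without spaces
        if 2 <= len(runs) <= 3:
            # Date-like value: offer every ordering of its parts, with a
            # four-digit year also available as its last two digits.
            parts = set(runs) | {r[-2:] for r in runs if len(r) == 4}
            for size in (2, 3):
                for combo in permutations(sorted(parts), size):
                    candidates.add("".join(combo))
    return candidates


def weak_pin_reasons(pin, public_info=()):
    """Return the reasons a PIN is easy to guess (empty list = none found)."""
    if not re.fullmatch(r"[0-9]{4,}", pin):
        return ["must be at least 4 digits (0-9 only)"]
    reasons = []
    n = len(pin)
    # 0000, 1212, 123123: one short unit repeated to fill the PIN.
    if any(n % u == 0 and pin == pin[:u] * (n // u) for u in range(1, n // 2 + 1)):
        reasons.append("repeated digit or pattern")
    # 1234, 4321, 7890: every step is +1 or -1 (wrapping 9 -> 0).
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {9}):
        reasons.append("sequential digits")
    if n == 4 and 1900 <= int(pin) <= 2099:
        reasons.append("looks like a year")
    # Forwards or backwards inside anything derivable from public details.
    if any(pin in c or pin[::-1] in c for c in public_digit_strings(public_info)):
        reasons.append("derived from public information")
    return reasons


if __name__ == "__main__":
    for candidate in ["1234", "4551", "2102", "1991", "7734", "8302"]:
        print(candidate, weak_pin_reasons(candidate, SAMPLE_PROFILE) or "no issue found")
```

An empty result only means none of these checks fired; rate limiting and lockout on the login form are still what stop repeated guessing.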

Gaining Your Trust

Gaining trust is the next step for hackers. To gain trust, hackers will hide behind a friend, company, or institution associated with your information. Typically, they will find a trusted number and spoof it. The term “spoofing” means changing the number that displays on the victim’s caller ID.

Spoofing is major business for hackers and spammers. The scary part is that anyone with the correct technology can spoof a number. Caller ID is determined during the second ring of the call. In this short period, the hacker will use Frequency Shift Keying (FSK), which alters the binary format of the number. Changing the binary format can be completed through automated programs.

Human Weakness

Hackers that want to gain access to private information commonly resort to social engineering techniques. Social engineering is used by hackers because it is much easier to exploit a human for data than a website or network.

This technique allows skilled hackers to obtain details such as a phone number or email from institutions like cell phone carriers. With these bits of information, they can procure even more access to important accounts and backtrack to gather extended details.

How to tell if you are getting hacked

Individuals asking for your vital information should not be trusted. It is important to not release personal information over the phone. Several institutions, agencies, and companies have noted the following:

  • Financial institutions will never ask for your online password. They won’t use email or text to request personal information.
  • Federal and State Government agencies will never request personal information via phone, text, or email. This includes the FBI and IRS. Personal information is always acquired in person or through mail.
  • Technology support companies do not detect malicious software or viruses remotely. Companies including Microsoft and Apple will never call to provide such support.
  • Debt consolidation, loans, and charities sometimes discuss personal information via phone; however, this information should only be released to a trusted entity that you called directly.

If you happen to get caught by a hacker, the first step to combat spoofing is to call the company, agency, or person back. The Federal Communications Commission (FCC) says to report any suspicious callers that asked for personal information. If you’re located in Canada, suspicious calls can be reported to the Canadian Radio-television and Telecommunications Commission (CRTC).

Wi-Fi Isn’t Your Friend

Wireless connections aren’t as secure as many perceive. Wi-Fi networks to avoid include public or free wireless networks. Generally, these networks aren’t monitored or encrypted, so it is important to never use personal information on an untrusted wireless network. Hackers can collect valuable data effortlessly through these networks by generating a bot to collect vital information.

Hotels, airports, and coffee shops are the typical targets for hackers. When in these locations, using 3G, 4G, or LTE phone data can be much safer and harder to hack than Wi-Fi networks. It’s also recommended to use Hyper Text Transfer Protocol Secure (HTTPS) while browsing personal information. You can encrypt your traffic even further by setting up a Virtual Private Network (VPN).

It Can Happen to Anyone

Whether you are a Fortune 500 company, famous celebrity, or an ordinary person, hackers can tap into your accounts and steal valuable information if it isn’t properly protected. Here are a few tips to follow to ensure you don’t become susceptible to your data being stolen:

  • Use unique and complex PINs and passwords
  • When available, use fingerprint identification and two-step authentication
  • Don’t trust the caller ID
  • Never click untrusted links within emails or text messages
  • Avoid using public Wi-Fi networks
  • Use HTTPS addresses, when available
  • Encrypt online activity with a VPN.

Beware of New Android Banking Malware that Completely Controls Your Device.

Octo, a new Android banking malware that employs remote access capabilities to enable attackers to commit on-device fraud, has been identified in the wild and is designed to prey on vulnerable Android devices.

Octo is a variation of ExoCompact, a malware based on the Exo trojan, which cybercriminals used until it left the scene in 2018 and its source code was leaked.

ThreatFabric researchers identified several users on darknet forums who were looking to purchase this variant.

Experts have shown that the recently discovered malware strain is directly associated with ExobotCompact. The threat is referred to as ExobotCompact.B on ThreatFabric’s MTI Portal, while it was first identified as a worm.

In November 2021, following a few iterations of updates to ExobotCompact, the ExobotCompact.D variant was introduced, and it is the latest iteration of ExobotCompact.

Capabilities of Octo Malware

In comparison to ExoCompact, Octo comes with a lot of advanced features. By controlling the compromised Android device remotely, the threat actors can execute on-device fraud (ODF) using the remote access module of Octo.

The capabilities of Octo are:

  • Manipulating other apps.
  • Compromise password management apps.
  • Compromise crypto wallet apps.
  • Compromise banking apps.
  • Compromise 2FA apps.
  • Compromise game logins.

As part of its attacks, Octo conceals the remote operations from the victim behind a black screen overlay. During this session, the attacker does two key things:

  • Activates the no interruption mode.
  • Lowers the screen brightness to zero.

By making the device appear to be turned off, the malware can perform the following tasks without the victim being aware of them:

  • Screen taps
  • Gestures
  • Text writing
  • Clipboard modification
  • Data pasting
  • Scrolling up
  • Scrolling down

Supported Commands

Octo supports a large range of commands:

  • Block push notifications from specified apps.
  • Enable SMS interception.
  • Disable sound.
  • Temporarily lock the device’s screen.
  • Launch a specified app.
  • Start remote access session.
  • Stop remote access session.
  • Update list of C2s.
  • Open specified URLs.
  • Send an SMS with specified text to a specified number.

Campaigns & Actors

A threat actor using the alias ‘Architect’ or ‘good luck’ sells Octo on popular forums, such as the Russian-language XSS hacking forum. Notably, the posts between Octo’s seller and potential subscribers are written in English, whereas most posts on XSS are written in Russian.

It is believed that ‘Architect’ is either the same author who maintained the ExoCompact source code or a new owner who has acquired it.

Cybersecurity analysts at ThreatFabric have claimed that there are several similarities between Octo and ExoCompact, including:

  • Google Play publication success
  • Google Protect disabling function
  • The reverse engineering protection system

ExoCompact also includes a remote access module, although a simpler one, along with options for executing commands at a delayed time and administrative options similar to Octo’s.

Recently, an app named “Fast Cleaner” infected devices with Octo on Google Play. The app had 50,000 installs before it was discovered and removed in February 2022.

Infected Apps

Known Android apps containing the Octo malware:

  • Pocket Screencaster (com.moh.screen)
  • Fast Cleaner 2021 (vizeeva.fast.cleaner)
  • Play Store (com.restthe71)
  • Postbank Security (com.carbuildz)
  • Pocket Screencaster (com.cutthousandjs)
  • BAWAG PSK Security (com.frontwonder2)
  • Play Store app install (com.theseeye5)

Once a device has been infected, all information viewed on its screen becomes accessible to the malware, which means that no information is safe, and any protective measures are ineffective.

In such a case, it is extremely important that users remain aware, keep only a limited number of apps on their smartphones, and enable Play Protect.

SharkBot Trojan Spreading via Fake Antivirus Apps on Google Play.

Security analysts at the Check Point Research (CPR) team have recently revealed that a number of malicious Android apps masquerading as antivirus solutions have been used to spread the SharkBot banking Trojan from the Google Play Store.

This banking trojan was distributed using six malicious Android apps masquerading as antivirus solutions in the Google Play Store.

All these malicious applications came from the following developer accounts:

  • Zbynek Adamcik
  • Adelmio Pagnotto
  • Bingo Like Inc

The threat actors use SharkBot to steal and manipulate bank details and login credentials, since it is an information stealer. The malware uses evasion techniques and geofencing features in order to avoid infecting devices from any of these countries:

  • China
  • India
  • Romania
  • Russia
  • Ukraine
  • Belarus

Capabilities of SharkBot

In October 2021, Cleafy was the first company to notice the malware. One of its most powerful features is the ability to transfer money via ATS (Automatic Transfer Systems).

The threat actors use the compromised devices to execute this task by simulating the following:

  • Touches
  • Clicks
  • Button presses

The primary functions of SharkBot are:

  • Injections
  • ATS
  • Overlay attack
  • Keylogging
  • SMS intercept
  • Remote control

It is believed that more than 15,000 copies of the rogue apps were installed before their removal, with the majority of victims living in:

  • Italy 
  • The United Kingdom

After they were reported, Google permanently removed all the malicious applications from the Play Store.

Apart from this, the security analysts have observed 27 versions of SharkBot. SharkBot also uses another stealthy and sophisticated technique that is rarely used in Android malware: a Domain Generation Algorithm (DGA).

Affected apps

The following applications on Google Play were identified as SharkBot droppers:

  • com.abbondioendrizzi.tools[.]supercleaner
  • com.abbondioendrizzi.antivirus[.]supercleaner
  • com.pagnotto28.sellsourcecode[.]alpha
  • com.pagnotto28.sellsourcecode[.]supercleaner
  • com.antivirus.centersecurity[.]freeforall
  • com.centersecurity.android[.]cleaner

Commands Used

SharkBot uses the following commands:

  • smsSend
  • updateLib
  • updateSQL
  • updateConfig
  • uninstallApp
  • collectContacts
  • changeSmsAdmin
  • getDoze
  • sendInject
  • iWantA11
  • updateTimeKnock
  • sendPush
  • APP_STOP_VIEW
  • Swipe
  • autoReply
  • removeApp
  • serviceSMS
  • getNotify
  • localATS
  • sendSMS
  • downloadFile
  • stopAll

SharkBot abuses Android’s Accessibility Services permissions, which allow it to bypass certain security measures, to present you with fake overlay windows imitating banking apps.
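A defender-side check built from the two package lists above (Octo’s “Infected Apps” and SharkBot’s “Affected apps”) and the Accessibility Services abuse described for SharkBot. This is an added example, not code from ThreatFabric, Check Point or the original articles; it assumes the two inputs were saved from `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`, and the sample device output and the allowlist are constructed.

```python
"""Check an Android package inventory against the package names listed on this page."""

# Package names copied from the page's Octo and SharkBot lists.
# SharkBot entries stay defanged ("[.]") exactly as published.
OCTO_PACKAGES = [
    "com.moh.screen", "vizeeva.fast.cleaner", "com.restthe71", "com.carbuildz",
    "com.cutthousandjs", "com.frontwonder2", "com.theseeye5",
]
SHARKBOT_PACKAGES = [
    "com.abbondioendrizzi.tools[.]supercleaner",
    "com.abbondioendrizzi.antivirus[.]supercleaner",
    "com.pagnotto28.sellsourcecode[.]alpha",
    "com.pagnotto28.sellsourcecode[.]supercleaner",
    "com.antivirus.centersecurity[.]freeforall",
    "com.centersecurity.android[.]cleaner",
]


def refang(name):
    """Turn a defanged indicator such as 'a[.]b' back into 'a.b'."""
    return name.strip().replace("[.]", ".")


KNOWN_BAD = {refang(p): "Octo" for p in OCTO_PACKAGES}
KNOWN_BAD.update({refang(p): "SharkBot" for p in SHARKBOT_PACKAGES})


def parse_package_list(pm_output):
    """Extract package names from `pm list packages` output (plain, -f or -U)."""
    packages = set()
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        entry = line[len("package:"):]
        # -f prints "<apk path>=<package>"; the path may itself contain "=".
        if "=" in entry:
            entry = entry.rsplit("=", 1)[1]
        fields = entry.split()  # -U appends " uid:<n>"
        if fields:
            packages.add(fields[0])
    return packages


def parse_accessibility_services(value):
    """Split the colon-separated 'package/service' list; 'null' or empty means none."""
    value = value.strip()
    if not value or value == "null":
        return []
    services = []
    for component in value.split(":"):
        if "/" in component:
            package, service = component.strip().split("/", 1)
            services.append((package, service))
    return services


def audit(pm_output, a11y_value, a11y_allowlist):
    """Report listed packages and accessibility services outside the allowlist."""
    installed = parse_package_list(pm_output)
    services = parse_accessibility_services(a11y_value)
    a11y_packages = {package for package, _ in services}
    known_bad = sorted((p, KNOWN_BAD[p]) for p in installed if p in KNOWN_BAD)
    return {
        "known_bad": known_bad,
        "known_bad_with_accessibility": sorted(p for p, _ in known_bad if p in a11y_packages),
        "unexpected_accessibility": sorted(s for s in services if s[0] not in a11y_allowlist),
    }


# Constructed sample input; it mixes the plain, -f and -U line formats on
# purpose to exercise the parser. Only the flagged package names are from the page.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:/data/app/~~Zm9vYmFy==/vizeeva.fast.cleaner-QUJD==/base.apk=vizeeva.fast.cleaner
package:com.centersecurity.android.cleaner uid:10231
package:com.google.android.marvin.talkback
package:org.example.notes
"""
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":vizeeva.fast.cleaner/vizeeva.fast.cleaner.Svc"
    ":org.example.notes/.AutoFill"
)
SAMPLE_ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumption: approved by the device owner

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PM_OUTPUT, SAMPLE_A11Y, SAMPLE_ALLOWLIST).items():
        print(key, value)
```

Package names are weak indicators, since the lists above already show the same app name published under more than one package, so the accessibility review is the more durable half of this check.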

10 Tips for a Safer Online Shopping Experience.

How to Shop Safely Online

1. Always place orders from a secure connection 

If your computer isn’t protected from potentially malicious software, your financial information and passwords are at risk of being stolen (and everything else you store on your computer or do online). This concept is so basic, yet only a fraction of the U.S. population adequately protects their computers. Use a secure connection – make sure your computer’s firewall is on.
 
If you’re shopping online while using a wireless network, it needs to be encrypted so someone who is lurking outside the house can’t collect your information. Avoid making any financial transactions when using a public network, as you may not know if it’s compromised.

2. Know the merchant and their reputation

If you already know the store, shopping their online store is very safe. You can always walk into the local store for help if there’s a problem, and if you know others who have had consistently positive experiences with the online store, you can be reassured of the site’s quality.
 
If you don’t know the store, it may still be the best bet; you just need to take a few more precautions. Conduct your own background check by looking at sites dedicated to reviewing e-stores. If the store isn’t reviewed or does not have favorable reviews, don’t order from their website.

3. Avoid offers that seem “too good to be true” 

Any e-store that promises too much at too low a price is suspicious. If the price is too low, consider whether the merchant came by the items legally, if you will ever receive the items you paid for, whether the items are actually the brand shown or a cheap substitute, if the item will work, if you will be able to return damaged goods – or if the merchant is earning extra income by selling your financial information. Disreputable online stores, like their brick and mortar counterparts, may run an absurdly low price offer and then claim the item is out of stock, to try to sell you something else in a classic “bait and switch” scam.

4. If you are buying a Gift Card, read the Terms and Conditions

If the gift card is for someone else, be sure the store is legitimate, that the person uses the store, and that there are no hoops they will have to jump through.

5. Don’t use an e-store that requires more information than necessary to make the sale. 

Expect to provide some method of payment, shipping address, telephone number, and email address, but if the merchant requests other information, walk away. You never want to give them your bank account information, social security information, or driver’s license number. Some companies ask questions about your interests, but these should always be optional and you should be cautious about providing the information. Does the merchant resell, rent, or share your information? Check the site’s privacy policy to understand how exposed your information may become. Many stores clearly state that they do not share, sell or rent consumers’ information – others say they own your info and can use it (or abuse it) however they choose. Stick to the companies that respect your privacy.

6. Need to create a password for the site? – make it unique.

You will often be asked to create an account with a password when you make a purchase. Usually, you can choose not to do this, and unless you will use the e-store frequently, don’t create an account. If you do want an account, make sure to use a unique and strong password.

7. Is the site secure? 

Before entering any personal or credit card info onto a shopping site, look to see if the web address on the page begins with “https:”, not “http:”. That little ’s’ tells you the website is secure and encrypted to protect your information.

8. Use a Credit Card or PayPal 

Do not use a debit card or check as these do not have the same security protections in place for you should a problem arise.
 
Credit card purchases limit your liability to no more than $50 of unauthorized charges if your financial information is stolen, and the money in your bank account is untouched. Most debit cards do not offer this protection – and even when they do, you’re the one out of funds in the meantime.
 
Consider designating one credit card that is only for online shopping and transactions. This way, if the card gets compromised, you can quickly shut it down without impacting any other type of transactions.

9. Always check the company’s shipping terms. 

Some merchants charge exorbitant shipping fees that can turn a shopping bargain into an expensive mistake. Look to see if they provide tracking and insurance. Understand what carriers they use, and be particularly cautious if the item won’t be shipped within 10 days.

10. Use a reliable internet security program.

The best way to stay safe online is still by using an effective internet security product. Shopping is no exception. Rather, with the increasing volume of goods and data being exchanged online, security features like real-time anti-phishing and identity theft protection are more important than ever.

Let the online shopping begin…

What Is Cybersecurity.

Every square IS a rectangle because a square is a quadrilateral with all four angles being right angles. Similarly, cybersecurity IS a part of the IT security umbrella, along with its counterparts, physical security and information security.

But not every rectangle is a square, since the criteria to qualify as a square means all sides must be the same length. The point is, not all IT security measures qualify as cybersecurity, as cybersecurity has its own distinct assets to protect.

CompTIA’s Chief Technology Evangelist, James Stanger says it best when he defines cybersecurity as “focusing on protecting electronic assets – including internet, WAN and LAN resources – used to store and transmit that information.”

Of course, the threat to these electronic assets comes from hackers who have malicious intent to steal proprietary data and information via data breaches. Thus, it would seem the fully realized definition should include an evolving set of cybersecurity tools designed to protect confidential data from unauthorized access. To do so, it’s necessary to consider how people, processes and technology all play equally important roles in keeping information safe.

One of the many advantages to living in a world where every device is connected is convenience. It’s incredibly easy to conduct work, manage your social calendar, shop and make appointments from your smartphone or device. That’s why it’s become second nature to many of us.

But, of course, the convenience of connected data also means threats from bad actors can do a lot of damage. Cybersecurity initiatives are essential to protecting our data and thus, our way of life.

Types of Cybersecurity

Cybersecurity can be categorized into five distinct types:

  • Critical infrastructure security
  • Application security
  • Network security
  • Cloud security
  • Internet of Things (IoT) security

To cover all of its bases, an organization should develop a comprehensive plan that includes not only these five types of cybersecurity, but also the three components that play active roles in a cybersecurity posture: people, processes and technology.

People

Let’s face it, no matter what precautions you put into place, if people don’t follow the rules, you’re still at risk. The saying “you’re only as strong as your weakest link” comes to mind. In most cases, human error is just that – a mistake.

Most people aren’t intentionally bypassing security protocol – they either aren’t trained to follow it, or they aren’t educated about the significance of their actions. Conducting security awareness training and reinforcing the most basic cybersecurity principles with employees outside of the IT department can make a big difference in your company’s security posture.

Here are five ways the human factor can increase your cybersecurity risk:

  1. Suspicious URLs and Emails: Explain to employees that if something looks strange – it probably is! Encourage staff to pay attention to URLs, delete emails that don’t have content or look like they are coming from a spoofed address, and stress the importance of guarding personal information. As the IT professional, it’s your responsibility to raise awareness of potential cybersecurity threats.
  2. Password Idleness: We know that holding on to the same password for ages isn’t a great idea. But, Bob in finance may not understand that. Educate employees about the importance of frequently changing passwords and using strong combinations. We all carry a plethora of passwords and since it’s a best practice not to duplicate your passwords, it’s understandable that some of us need to write them down somewhere. Provide suggestions on where to store passwords.
  3. Personally Identifiable Information: Most employees should understand the need to keep personal browsing, like shopping and banking tasks, to their own devices. But everybody does a bit of browsing for work, right? Emphasize the importance of keeping an eye on what websites may lead to others. And, that includes social media. Karen in customer service may not realize that sharing too much on Facebook, Twitter, Instagram, etc. (like personally identifiable information) is just one way hackers can gather intel.
  4. Backups and Updates: It’s fairly easy for an unsavvy tech consumer to go about their daily business without backing up their data regularly and updating their system’s anti-virus. This is a job for the IT department. The biggest challenge here is getting employees to understand when they need your help with these items.
  5. Physical Security for Devices: Think about how many people in your office leave their desk for meetings, gatherings and lunch breaks. Are they locking their devices? Highlight the need to protect information each and every time a device is left unattended. You can use the airport analogy. Airport staff are constantly telling us to keep track of our bags and never leave them unattended. Why? Well, because you just don’t know who is walking by. Encourage employees to protect their devices with as much care as they protect their baggage.

Processes

When employees outside of the IT department are trained, IT pros can focus on process. The processes by which cybersecurity professionals go about protecting confidential data are multi-faceted. In short, these IT pros are tasked with detecting and identifying threats, protecting information and responding to incidents as well as recovering from them.

Putting processes into place not only ensures each of these buckets are being continuously monitored, but if cybersecurity attacks happen, referencing a well-documented process can save your company time, money and the trust of your most valuable asset – your customers.

The National Institute of Standards and Technology (NIST) under the U.S. Commerce Department has developed the Cybersecurity Framework for private-sector companies to use as a guide in creating their own best practices. The standards were compiled by NIST after former U.S. President Barack Obama signed an executive order in 2014. It’s a great resource to use as you work to combat your cybersecurity risk.

Technology

Once you have frameworks and processes in place, it’s time to think about the tools you have at your disposal to start implementation.

Technology has a dual meaning when it comes to your toolbox:

  • The technology you’ll use to prevent and combat cybersecurity attacks, like DNS filtering, malware protection, antivirus software, firewalls and email security solutions.
  • The technology your data lives on that needs your protection, like computers, smart devices, routers, networks and the cloud.

Back in the day, cybersecurity initiatives focused on defensive measures inside the boundaries of traditional tech. But today, policies like Bring Your Own Device (BYOD) have blurred those lines and handed hackers a much broader realm to penetrate. Remembering cybersecurity basics like locking all of your doors, windows, elevators and skylights will keep you from joining the cyber-crime statistics.

Types of Cybersecurity Threats

Staying ahead of cybersecurity threats isn’t an easy job. There’s a long list of threats that IT pros pay attention to, but the problem is that the list keeps growing. Today, cyberattacks happen on the regular. While some attacks are small and easily contained, others quickly spiral out of control and wreak havoc. All cyberattacks require immediate attention and resolution.

Cybersecurity Threats

Here are a few common cybersecurity threats that fall into both categories.

Malware
Malware is software that has been created to intentionally cause damage. Commonly known as a virus (among other things), malware can cause harm simply by opening the wrong attachment or clicking on the wrong link.

Ransomware
Ransomware is actually a type of malware. The difference here is that ransomware infects a network or steals confidential data and then demands a ransom (typically currency of some sort) in exchange for access to your systems.

Phishing Attacks
Phishing is just like it sounds. Hackers throw a line out there hoping that you’ll bite, and when you do, they steal sensitive information like passwords, credit card numbers and more. Phishing attacks usually come in the form of emails that look legitimate and encourage you to reply.

Social Engineering
Social engineering involves malicious human interaction. This is a case of people outright lying and manipulating others to divulge personal information. Often, these people obtain information from social media profiles and posts.