Hackers are smart and lazy. Who would want to sit at a computer all day typing away guessing passwords? Not me. They say that lazy people are often the innovators of our society, thinking of ways to do things that require minimal time and effort. Over the decades hackers have shared and refined their methods and tools for taking over user accounts. Nowadays it is extremely easy to do just that: all they need to do is press the start button on a tool and sit back. I know what you're thinking: who cares if a hacker gets into my Woolworths account? Something as harmless-looking as your online shopping account is very useful information. We will dive into how attackers can use information like this against you and explore some real-world situations where this has happened.
- Guessing your password
- Social Engineering
- Brute Force
- Company data leaks/ breaches
- Phishing
- Cross site login
- Known Vulnerabilities
- What they do with your information?
How do they get into my account in the first place?
There are many tools and techniques for compromising an account. With technology advancing and systems being updated constantly, you might expect the number of vulnerabilities to shrink, but that is not necessarily the case. If you know anything about the cyber world, nothing is ever 100% safe. A system update that patches an old vulnerability can introduce a new one. As the saying goes, "as one door closes another door opens."
Here are some of the most common ways we are seeing hackers compromise accounts today:
1. Guessing your password
It isn't hard to google a target, look at their social media, and then make an educated guess at their password. Even some of the smartest people use weak passwords. Jeremy Hammond, a US hacker, was sentenced to 10 years in prison after US authorities reportedly gained access to his encrypted computer by guessing his password, "Chewy123", the name of his cat plus a number. Guessing can take a long time if they don't get it straight away, and as I said, hackers are lazy and don't want to do that. Some websites also limit the number of password attempts before locking the account, so if that's the case they don't want to waste an attempt on a wild guess. Still, if you can forget and then guess your own password, or a family member can guess it, it probably isn't very secure.
2. Social Engineering
You might have spoken to a hacker over the phone or in person without even realizing it, whether it was a scam phone call, someone you chatted with on the street, or even a waitress at a café. These encounters seem harmless and meaningless, which is exactly what they want. Trained social engineers manipulate you into giving up specific details, and the simple things you say in casual conversation are extremely useful to them. In the movie 'Now You See Me' there's a scene on a plane where the characters are talking to the antagonist, Arthur Tressler. In this scene Arthur reveals his dog's name and his mother's maiden name, details that seem unimportant at the time. Later in the movie they use those details to answer the security questions on Arthur's bank account. This is exactly how social engineering works in real life. An experiment conducted by Jessica Clarke, a social engineering hacker, shows how easy it is to social engineer people over the phone: she added herself to a stranger's phone plan and locked him out of it in only a few minutes. That is how hackers hack you using simple social engineering.
3. Brute Force
Brute-forcing is password guessing by trial and error, over and over again. Instead of a person sitting down and manually typing in the possible combinations, attackers have tools that do it for them. All it takes is loading a wordlist, probably downloaded from the internet, such as a list of the most common passwords, and the tool tries every entry against the targeted account. As mentioned, some websites lock the account after a certain number of incorrect attempts, but many platforms still don't, and sometimes there are weaknesses that let attackers work around the lockout anyway (for example trying one password against many accounts rather than many passwords against one). If an attacker can shrink the list of candidate passwords they get in quicker, so knowing information about the target helps: they know to try combinations built from your name, your pet's name, your birthday, and so on.
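The following is an added example (not code from the original post) that ties the guessing and brute-force sections together. It runs a dictionary attack offline against a constructed credential store, first with a generic common-password list and then with guesses generated from facts about the target, and shows how a simple attempt limit stops both. The store, wordlist, accounts and hashing scheme are all made up for the demonstration.

```python
"""Dictionary attack against a constructed credential store, with a lockout counter.
Added example for this post; not code from the original article."""
import hashlib


def hash_pw(password: str, salt: str) -> str:
    """Salted SHA-256, standing in for the target site's password store.
    Assumption: a real site should use a slow hash such as bcrypt or argon2."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample store: username -> (salt, hash). These are made-up accounts.
STORE = {
    "alice": ("s4lt1", hash_pw("Summer2023!", "s4lt1")),
    "bob": ("s4lt2", hash_pw("Rex1987", "s4lt2")),  # dog's name + birth year
}

# Constructed stand-in for a "most common passwords" wordlist.
COMMON = ["123456", "password", "qwerty", "Summer2023!", "letmein"]


def targeted_candidates(facts):
    """Turn facts gathered about the target (pet name, first name, ...) into
    guesses in the shapes people actually use: word, word+digits, word+symbol."""
    suffixes = ("1", "123", "!") + tuple(str(year) for year in range(1980, 2000))
    for word in facts:
        yield word
        for suffix in suffixes:
            yield word + suffix


def dictionary_attack(user, candidates, max_attempts=None):
    """Try each candidate against the stored hash for `user`.
    Returns (password, attempts) on success, (None, attempts) on failure or lockout."""
    salt, target = STORE[user]
    attempts = 0
    for guess in candidates:
        if max_attempts is not None and attempts >= max_attempts:
            return None, attempts  # the site locked the account
        attempts += 1
        if hash_pw(guess, salt) == target:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    print(dictionary_attack("alice", COMMON))  # ('Summer2023!', 4)
    print(dictionary_attack("bob", COMMON))  # (None, 5)
    print(dictionary_attack("bob", targeted_candidates(["Rex", "bob"])))  # ('Rex1987', 12)
    print(dictionary_attack("bob", targeted_candidates(["Rex", "bob"]), max_attempts=5))  # (None, 5)
```

The generic list finds alice's seasonal password in four tries but never finds bob's, while twelve guesses built from his dog's name do; a lockout after five attempts defeats both.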
4. Company data leaks/ breaches
Adversaries may have your password without ever targeting you. By compromising companies and infiltrating their systems, adversaries steal user databases that include login details. Your credentials could be listed on the black market right now alongside hundreds of millions of others. The rockyou2021 compilation, one of the largest ever posted, contained roughly 8.4 billion entries; it was not a single breach but a merge of many earlier leaks and wordlists, which is exactly what attackers feed into the brute-force tools described above. And here is another list of Security Breaches worth reading about.
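One check a practitioner would want at this point is "has this password already appeared in a leak?", answered without sending the password to anyone. The added example below (not part of the original post) implements the k-anonymity scheme used by Pwned-Passwords-style range endpoints: only the first five hex characters of the password's SHA-1 leave the client, and the matching is done locally. The range data here is constructed, the count is made up, and the network call is replaced by an offline stand-in; the response format assumed is one `<suffix>:<count>` line per hash.

```python
"""Check a password against a breach corpus without sending the password anywhere,
using the k-anonymity scheme of Pwned-Passwords-style range endpoints.
Added example for this post; the corpus below is constructed, not real breach data."""
import hashlib

# Assumption: the range endpoint takes the first 5 hex characters of the
# uppercase SHA-1 of the password and returns lines of "<35-char suffix>:<count>".
SAMPLE_COUNT = 3861493  # constructed count, not a real figure

# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the other two
# suffixes are made up to show that the response covers a whole hash range.
CONSTRUCTED_RANGES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:%d" % SAMPLE_COUNT,
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
    ]),
}


def hash_split(password: str):
    """Uppercase SHA-1 split into the 5-char prefix that leaves the client and
    the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(text: str) -> dict:
    """Parse "<suffix>:<count>" lines into a dict; tolerate blank lines."""
    result = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        result[suffix.upper()] = int(count)
    return result


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET of /range/<prefix>; serves the constructed data."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, fetch=offline_fetch) -> int:
    """Return how many times `password` appears in the corpus (0 = not seen).
    Only the 5-char prefix is passed to `fetch`; the full hash never leaves."""
    prefix, suffix = hash_split(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    print(breach_count("password"))  # 3861493
    print(breach_count("a long unique passphrase 8f3k"))  # 0
```

To query the real service you would replace `offline_fetch` with an HTTP GET of the prefix; the rest of the logic, including the property that the server only ever learns five hex characters, stays the same.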
5. Phishing
Phishing is a scam where targets are sent fraudulent messages, often containing malicious links or attachments. Common phishing scams include an email pretending to be from your boss, a link to a fake Microsoft login page, an email saying a payment is due, a document or attachment that runs malware when opened, and much more. Social engineering feeds directly into phishing: learning about the target is how the attacker works out how to word the message so that it is believable.
6. Cross site login
Having cross-site login set up carelessly is one of the riskiest things you can do. Cross-site login (also called social login or federated login) is where you create an account on a site by signing in with your Google, Facebook or other existing account. This feature is usually built on OAuth 2.0 or OpenID Connect. When you choose to log in this way the website asks the identity provider, Facebook for example, for permission to read some of your profile information. Many of the protections in OAuth, such as the state parameter and strict checking of the redirect URI, are left to the implementer rather than enforced by the protocol, and when they are skipped or configured loosely an attacker can steal the authorization code or token, or quietly log you into an account they control. If you have set up multiple accounts using this feature, an adversary who compromises the identity provider account, or one sloppy integration, can traverse through to your other linked accounts.
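The added example below (not code from the original post, and not any real site's integration) shows the two checks just mentioned in working form: a weak prefix-based redirect URI check beside the exact-match one, and a per-login state value that is minted when the user is sent to the identity provider and verified, once, when the callback arrives. The client app, provider host and registered redirect URI are assumptions.

```python
"""Two checks that make or break a "Log in with X" integration: exact redirect_uri
matching and a per-login `state` value. Added example for this post; the client
and provider names are assumptions, not any real integration."""
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Assumption: the redirect URI registered with the identity provider for our app.
REGISTERED_REDIRECT = "https://app.example.com/oauth/callback"


def weak_redirect_ok(redirect_uri: str) -> bool:
    """Prefix match, a common misconfiguration: anything that starts with our
    origin passes, including attacker-controlled hosts and open redirects."""
    return redirect_uri.startswith("https://app.example.com")


def strict_redirect_ok(redirect_uri: str) -> bool:
    """Exact string comparison against the registered value."""
    return redirect_uri == REGISTERED_REDIRECT


def start_login(session: dict) -> str:
    """Step 1: mint an unguessable state, bind it to the session, and build the
    authorization URL the browser is sent to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    return ("https://idp.example.org/authorize?response_type=code"
            f"&client_id=demo&redirect_uri={REGISTERED_REDIRECT}&state={state}")


def handle_callback(session: dict, callback_url: str) -> bool:
    """Step 2: accept the code only if `state` matches what this session minted.
    Without this check an attacker can log the victim into the attacker's account."""
    params = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use
    presented = params.get("state", [""])[0]
    if not expected or not hmac.compare_digest(expected.encode(), presented.encode()):
        return False
    return "code" in params


if __name__ == "__main__":
    evil = "https://app.example.com.evil.net/oauth/callback"
    print(weak_redirect_ok(evil), strict_redirect_ok(evil))  # True False
    session = {}
    start_login(session)
    good = f"{REGISTERED_REDIRECT}?code=abc&state={session['oauth_state']}"
    print(handle_callback(session, good))  # True
```

The weak check accepts `https://app.example.com.evil.net/...` because the string starts with the expected origin, so the provider would hand the authorization code to the attacker's host; the strict check does not. The callback handler pops the state so a value can only be redeemed once.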
7. Known Vulnerabilities
Just by doing a Google search, reading the news, or browsing the CVE (Common Vulnerabilities and Exposures) list maintained by MITRE, a hacker can identify publicly known vulnerabilities in the applications a target uses. Using this freely available information, and often a ready-made exploit, they can break into unpatched systems, plant backdoors, and leak user information.
Ok so they have gotten into my account… now what do they do?
Most accounts will have standard user information such as your full name, date of birth, email address, phone number, postal address, and probably more. Let’s walk through what they can do with this information. In this example, a hacker has used one of the above methods to log into your Woolworths online shopping account.
Hi, I'm a hacker and I have just logged into your Woolworths online shopping account. I sent you an email pretending to be from Woolworths with an update on your order. You clicked the fake link I made and logged in on my lookalike page. I now have your username and password.
I am looking through your account and I have found your phone number, email, and address under your account details. I am now looking through your previous orders and can see you order Caramello koalas weekly, these must be your favourite snack.
I am going to send you a text with a "free Caramello Koalas deal". When you click on this link you will see that when you spend above $20 you get 2 x free packets of Caramello Koalas! What a deal. You have saved your credit card details to your Woolworths account, but for security reasons you need to enter your PIN every time. I don't have this PIN, but since you are ordering through my "free Caramello Koalas" link, the checkout page you type it into is mine, and I capture it.
As of now, the hacker has been able to compromise the following details:
Phone number, home address, email, eating habits and preferences, credit card details.
Using your order habits, they can then infer details such as whether you live alone, have kids, or have a dog because you're buying dog food. It is also easy to see what your favourite food is, as this hacker has done. This is not an unlikely event. Woolworths Rewards does the same thing: it filters your shopping history, spots buying patterns, and offers an extra reward for buying certain items. These rewards are handpicked to tempt you into buying more. It doesn't end here, there is still so much more that could be done!
You’ve put your order in for Friday. I am going to email you a link so we can track your phone. This is so we can make sure we deliver your food when you are home! Thanks for allowing us to track your location.
Now your work address, the places you commonly go, your travel habits, and your current location have all been handed to the hacker, because you permitted them to track your location. How crazy is that: from a few details the hacker was able to do all of this. This scenario is quite intense, but still realistic.
Now you understand the basics of compromising accounts and how you can be manipulated into giving them away without even realizing it. To better protect yourself and your account the first step is to secure your passwords. You can find an article here which dives into a guide to better protecting yourself online.