For the majority of us, a password is simply the most common method of authentication for a plethora of online services. But it’s much more to cybercriminals — a way into someone else’s life, a vital work tool, and merchandise that can be sold. Crooks can not only gain access to your accounts, data, money, and even identity if they know your password; they can also use you as a weak link to attack your online friends, family members, or even the company you work for, manage, or own. To avoid this, you must first understand how outsiders can obtain your password in the first place.
How did your password end up in the hands of a cybercriminal?
There’s a common misconception that in order to give your password to cybercriminals, you must make a mistake, such as downloading and running an unchecked file from the internet, opening a document from an unknown sender, or entering your credentials on a suspicious website. True, all of those behaviours can make attackers’ lives much easier, but there are other possibilities. Here are the most common ways for cybercriminals to gain access to your accounts.
Phishing is one of the credential-harvesting methods that is heavily reliant on human error. Every day, hundreds of phishing sites appear, aided by thousands of mailouts leading to them. However, if you believe that you will never fall victim to phishing, you are mistaken. Because the method is nearly as old as the internet, cybercriminals have had plenty of time to develop a plethora of social engineering tricks and disguise tactics. Even professionals can’t always tell the difference between a phishing email and a legitimate one.
Malware is another common method of stealing your credentials. According to our data, a significant portion of active malware is made up of Trojan stealers, the primary purpose of which is to wait until a user logs on to some website or service before copying and sending their passwords back to their authors. If you don’t use anti-virus software, Trojans can remain undetected on your computer for years — you won’t notice anything is wrong because they don’t cause any visible harm and simply do their job silently.
And Trojan stealers aren’t the only types of malware that look for passwords. Web skimmers are sometimes used by cybercriminals to steal anything that users enter into websites, including credentials, names, credit card information, and so on.
However, you do not have to make any mistake at all for your password to leak. It is sufficient to be a user of an insecure internet service or a customer of a company that leaked a database containing information about its customers. Companies that take cybersecurity seriously, on the other hand, don’t store your passwords at all, or only in encrypted form. However, you can never be certain that adequate safeguards were in place. For example, this year’s SuperVPN leak included the personal information and login credentials of 21 million users.
Furthermore, some businesses are unable to avoid storing your passwords at all. Yes, I’m referring to the infamous LastPass password-management-tool hack. An unknown threat actor accessed cloud-based storage with some customer data, including backups of customers’ vaults, according to the most recent information. Yes, the vaults were properly encrypted, and LastPass never stored or even had access to the decryption keys.
But what if LastPass users locked their vaults with a password that had previously been leaked from another source? If they reused an insecure password, cybercriminals could now access all of their accounts at once.
Brokers of initial access
This brings us to another source of stolen passwords: the black market. Cybercriminals today prefer to specialise in specific areas. They may steal your passwords but may not use them because it is more profitable to sell them wholesale. Purchasing such password databases is especially appealing to cybercriminals because it provides them with an all-in-one solution: users frequently use the same passwords across multiple platforms and accounts, often tying them all to the same email address. With the victim’s password from one platform, cybercriminals can gain access to many other accounts, including gaming accounts, personal email, and private accounts on adult websites.
The same black market sells leaked corporate databases that may or may not contain credentials. The cost of such databases varies according to the amount of data and the industry in which the organisation operates: some password databases can be purchased for hundreds of dollars.
Certain darknet services collect leaked passwords and databases and then offer paid subscription-based or one-time access to their collections. The infamous ransomware group LockBit hacked a healthcare company in October 2022 and stole their user databases containing medical information. Not only did they sell subscriptions to this information on the darknet, but they also presumably purchased initial access on the same black market.
In some cases, cybercriminals do not even need a stolen database to learn your password and gain access to your account. They can use brute-force attacks, which involve trying thousands of common password variations until one of them works. Granted, this does not sound like a very reliable method.
However, they do not have to iterate through all possible combinations — certain tools (Wordlist Generators) can generate a list of possible common passwords (so-called brute-force dictionaries) based on the victim’s personal information.
These programmes resemble a mini-questionnaire about the victim. They request your name, last name, date of birth, as well as personal information about your partners, children, and even pets.
To use such a method, cybercriminals must first conduct research, which is where those leaked databases may come in handy. Birth dates, addresses, or answers to “secret questions” may be included. Oversharing in social networks is another source of data: something that looks absolutely insignificant, such as a photo from Nov 5 with the caption “today is my beloved doggie’s birthday”, is exactly the kind of detail these questionnaires ask for.
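To turn the point about brute-force dictionaries around for the defender, here is an added Python example (not from the original article): a registration-time check that rejects a password containing the tokens a wordlist generator would derive from the person’s own profile (names, pet names, birth dates in common layouts). The profile data is constructed and the leetspeak mappings are an assumption.

```python
import re
from datetime import date

# Assumed leetspeak mappings; a wordlist generator would try these substitutions.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def squash(s: str) -> str:
    """Lowercase and drop separators, so 'Rex_2015!' -> 'rex2015'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def date_tokens(d: date) -> set[str]:
    """Digit strings a generator would build from one date (DDMM, MMDDYYYY, ...)."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", str(d.year)
    yy = yyyy[2:]
    return {yyyy, dd + mm, mm + dd, dd + mm + yy, mm + dd + yy,
            dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd, yy + mm + dd}


def personal_tokens(profile: dict) -> set[str]:
    """Everything from the profile that must not appear inside the password."""
    tokens = {squash(w) for w in profile.get("words", []) if len(squash(w)) >= 3}
    for d in profile.get("dates", []):
        tokens |= date_tokens(d)
    return tokens


def weak_reasons(password: str, profile: dict) -> list[str]:
    """Return the personal tokens found in the password, checking the raw form
    and the de-leeted form ('R3x' -> 'rex') so simple substitutions do not hide them."""
    forms = {squash(password), squash(password.translate(LEET))}
    return sorted(t for t in personal_tokens(profile) if any(t in f for f in forms))


def is_acceptable(password: str, profile: dict, min_len: int = 12) -> tuple[bool, list[str]]:
    """Policy decision: long enough and free of profile-derived tokens."""
    reasons = weak_reasons(password, profile)
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    return (not reasons, reasons)


# Constructed profile: user 'Alice', dog 'Rex', dog's birthday 5 Nov 2015.
PROFILE = {"words": ["Alice", "Rex"], "dates": [date(2015, 11, 5)]}

if __name__ == "__main__":
    for pw in ("R3x_05112015!", "correct-horse-battery-staple"):
        print(pw, "->", is_acceptable(pw, PROFILE))
```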
Possible ramifications of a leaked or brute-forced password
There are obvious consequences: cybercriminals can take over your account and hold it for ransom, use it to scam your contacts and online friends, or empty your account if they have the password to your banking site or app. However, their intentions are not always clear.
With more games introducing in-game currency and micro-transactions, for example, more users have payment methods linked to their accounts. As a result, hackers find gamers to be an appealing target. They can steal in-game valuables such as skins, rare items, or internal game currency by gaining access to the victim’s gaming account, or they can misuse the victim’s credit card data.
The leaked databases and information obtained while searching your accounts can be used for more than just financial gain; they can also be used for reputational harm and other types of social damage, such as doxing. If you’re a celebrity, you could be blackmailed and forced to choose between disclosing personal information (which could harm your reputation) and losing money.
Even if you are not a celebrity, you can become a victim of doxing, which is the act of revealing personally identifying information about someone online, such as their real name, home address, workplace, phone number, financial information, and other personal information.
Doxing attacks can range from relatively harmless to far more dangerous, such as various forms of cyberbullying, identity theft, or even in-person stalking.
Finally, if you use the same password for personal and work accounts, cybercriminals can gain access to your corporate e-mail and use it for business e-mail compromise schemes or targeted attacks.
How to Prevent Unwanted Access to Your Accounts
- First and foremost, remember password hygiene.
- Use different passwords for different accounts.
- Make your passwords long and complex.
- Keep them safely stored.
- Change them as soon as you learn of a data breach at the service or website that this password is protecting.
All of these tasks can be handled by our password manager software. It is available as part of our SMB and home client security solutions.
In addition, the Kaspersky application continuously monitors the security of all your passwords. It even has a service for determining whether or not a leak occurred. It’s called Data Leak Checker and can be found under the Privacy tab. It allows you to see if your email address has been found in a stolen database somewhere. If that’s the case, you’ll get a list of leaky sites, the type of data made public (personal, banking, online activity history, and so on), and advice on what to do about it.
And here’s some more advice:
- Wherever possible, enable two-factor authentication. It adds an extra layer of security and prevents hackers from accessing your account — even if they obtain your login and password.
- Configure your social networks for greater privacy. This makes it more difficult to find information about you, complicating the use of a brute-force dictionary to attack your accounts.
- Stop sharing personal information, even if it is only visible to friends. Today’s friend could become tomorrow’s foe.