ESET warns about some of the most common tricks used to steal passwords and explains how to avoid them.

Since the password is often the only thing standing between a cybercriminal and personal and financial data, criminals aim to steal or crack these logins. The average person now has around 100 login credentials to remember, a number that has grown in recent years, so it is no wonder that shortcuts are taken and security suffers as a result. That is why ESET, a leader in proactive threat detection, warns about the 5 most common ways cybercriminals steal passwords, so that users are better prepared to minimize the risk of becoming victims and thus protect their online accounts.

Passwords are the virtual keys of the digital world as they provide access to online banking, email and social networks, accounts like Netflix or Uber, as well as all data hosted in cloud storage. By obtaining the logins, a cybercriminal can:

Steal personally identifiable information and sell it to other criminals on forums.

Sell access to the account itself. Criminal dark web marketplaces trade these logins quickly; buyers use the access to get everything from free taxi rides and video streaming to discounted travel from compromised airline-miles accounts.

Use passwords to unlock other accounts where you use the same password.

ESET warns about the 5 techniques that cybercriminals use most to steal passwords:

1. Phishing and social engineering: social engineering is a psychological trick designed to convince someone to do something they should not, and phishing is its best-known form. In this type of attack, cybercriminals pose as legitimate entities: friends, family, public organizations, well-known companies and so on. The email or text message looks authentic, but includes a malicious link or attachment that, if clicked, downloads malware or takes you to a page asking you to enter personal data. Fortunately, there are many ways to spot the warning signs of a phishing attack.

Scammers even use phone calls to directly obtain logins and other personal information from their victims, often pretending to be technical support engineers. This is known as vishing (voice-based phishing).

2. Malware: another popular way to get passwords is through malware. Phishing emails are the main vector for this type of attack, although you can also pick up malware by clicking on a malicious ad (malvertising) or even by visiting a previously compromised website (drive-by download). As ESET researcher Lukas Stefanko has shown many times, malware can even hide inside a legitimate-looking mobile app, often one found in third-party app stores.

There are many varieties of information-stealing malware, but some of the most common are designed to record keystrokes or take screenshots of a device and send them to the attackers. Keyloggers are the best-known example.

3. Brute force attacks: the average number of passwords a person has to manage grew by about 25% in 2020. As a result, most people tend to choose passwords that are easy to remember (and to guess) and make the mistake of reusing the same password across several websites and services. What is often overlooked is that weak passwords open the door to so-called brute force techniques for cracking them.

One of the most common attacks grouped under brute force is credential stuffing. Here attackers feed large volumes of previously leaked username/password pairs into automated tooling, which then replays them against many websites in the hope of a match. Strictly speaking this involves no guessing at all: it works only because people reuse passwords, so a single leaked password can unlock several of the victim's accounts.

In 2020 there were about 193 billion such attempts worldwide, according to an Akamai estimate. More recently, the Canadian government fell victim to this kind of attack.

Another brute force technique is password spraying. Instead of hammering one account with many passwords, which quickly triggers lockouts, attackers use automated software to try a short list of commonly used passwords against a large number of accounts, one or two attempts each.
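The credential stuffing and password spraying patterns described above leave recognisably different traces in authentication logs: one source hammering one account, one source touching many accounts once each, or many sources each failing once or twice and moving on. The following is an added example (not code from ESET or the original article) of detection logic run over a constructed sample of login events; the log line format, the thresholds and the IP addresses (documentation ranges) are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of web-application login events for this example.
# The line format "<ts> auth <OK|FAIL> user=<name> ip=<addr>" is hypothetical.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth FAIL user=admin ip=198.51.100.7
2024-03-01T10:00:02Z auth FAIL user=admin ip=198.51.100.7
2024-03-01T10:00:03Z auth FAIL user=admin ip=198.51.100.7
2024-03-01T10:00:04Z auth FAIL user=admin ip=198.51.100.7
2024-03-01T10:00:05Z auth FAIL user=admin ip=198.51.100.7
2024-03-01T10:00:06Z auth FAIL user=admin ip=198.51.100.7
2024-03-01T10:01:00Z auth FAIL user=alice ip=203.0.113.10
2024-03-01T10:01:01Z auth FAIL user=bob ip=203.0.113.10
2024-03-01T10:01:02Z auth FAIL user=carol ip=203.0.113.10
2024-03-01T10:01:03Z auth FAIL user=dave ip=203.0.113.10
2024-03-01T10:01:04Z auth FAIL user=erin ip=203.0.113.10
2024-03-01T10:01:05Z auth OK user=frank ip=203.0.113.10
2024-03-01T10:02:00Z auth FAIL user=grace ip=192.0.2.1
2024-03-01T10:02:01Z auth FAIL user=heidi ip=192.0.2.2
2024-03-01T10:02:02Z auth FAIL user=ivan ip=192.0.2.3
2024-03-01T10:02:03Z auth FAIL user=judy ip=192.0.2.4
2024-03-01T10:02:04Z auth FAIL user=mallory ip=192.0.2.5
2024-03-01T10:02:05Z auth FAIL user=niaj ip=192.0.2.6
2024-03-01T10:02:06Z auth OK user=niaj ip=192.0.2.6
2024-03-01T10:02:07Z auth OK user=oscar ip=192.0.2.7
2024-03-01T10:03:00Z auth OK user=peggy ip=198.51.100.50
2024-03-01T10:03:01Z auth FAIL user=peggy ip=198.51.100.50
2024-03-01T10:03:02Z auth OK user=peggy ip=198.51.100.50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_log(text):
    """Turn log text into (timestamp, result, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["result"], m["user"], m["ip"]))
    return events


def _new_source():
    return {"attempts": 0, "fails": 0, "per_user": defaultdict(int), "ok_users": set()}


def classify(events, brute_attempts=5, spray_users=5, stuffing_sources_min=5):
    """Label source IPs by attack pattern within one analysis window.

    brute_force        : >= brute_attempts tries against one account from one IP
    password_spraying  : >= spray_users distinct accounts from one IP, <= 2 tries each
    credential_stuffing: many distinct IPs that each fail once or twice and move on;
                         without the submitted passwords this cannot be told apart from
                         distributed spraying, so it is flagged for analyst review
    Thresholds are assumptions for the example; tune them to real login volume.
    """
    per_ip = defaultdict(_new_source)
    for _ts, result, user, ip in events:
        src = per_ip[ip]
        src["attempts"] += 1
        src["per_user"][user] += 1
        if result == "FAIL":
            src["fails"] += 1
        else:
            src["ok_users"].add(user)

    brute, spray, low_volume = [], [], []
    for ip, src in per_ip.items():
        max_per_user = max(src["per_user"].values())
        if max_per_user >= brute_attempts:
            brute.append(ip)
        elif len(src["per_user"]) >= spray_users and max_per_user <= 2:
            spray.append(ip)
        elif src["attempts"] <= 2 and src["fails"] > 0:
            low_volume.append(ip)

    stuffing = len(low_volume) >= stuffing_sources_min
    flagged = set(brute) | set(spray) | (set(low_volume) if stuffing else set())
    # Successful logins from a flagged source are the accounts to lock and reset.
    # A first-try hit from a fresh IP (no failure at all) is not caught by log data alone.
    compromised = sorted({u for ip in flagged for u in per_ip[ip]["ok_users"]})
    return {
        "brute_force": sorted(brute),
        "password_spraying": sorted(spray),
        "credential_stuffing": stuffing,
        "stuffing_sources": sorted(low_volume),
        "compromised_accounts": compromised,
    }


if __name__ == "__main__":
    for key, value in classify(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On real logs this runs per sliding time window rather than over the whole file, and the legitimate user who mistypes once (peggy above) stays below every threshold. Note the limitation in the comments: the account hit on the first try from a fresh address (oscar) is invisible here, which is why a successful login from a new device or country deserves its own alert even with no preceding failures.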

4. Guessing: while cybercriminals have automated tools for brute-force attacks and password cracking, sometimes they do not even need them: simple guesswork, as opposed to the systematic approach of a brute-force attack, can get the job done. The most common password of 2021 was "123456", followed by "123456789". And if the same password, or a close variant of it, is reused across several accounts, the attacker's task becomes even easier, adding a further risk of identity theft and fraud.

5. Shoulder surfing: it is worth remembering that low-tech snooping is still a risk. Someone watching over a user's shoulder in a cafe, on a train or at a cash machine can read a password as it is typed. A high-tech version, the so-called "man-in-the-middle" attack, involves eavesdropping on Wi-Fi traffic: an attacker on the same public Wi-Fi network can capture credentials sent over unencrypted (plain HTTP) connections. A site that uses HTTPS correctly encrypts the login in transit, which is why it is worth checking for it before entering a password.

There are many ways to block these techniques, whether it’s adding a second form of authentication, managing passwords more efficiently, or taking steps to prevent theft in the first place. ESET suggests the following tips to protect your login credentials:

Enable two-factor authentication (2FA) on all accounts;

Use only strong and unique passwords for all online accounts, especially bank, email and social media accounts;

Avoid reusing login credentials across multiple accounts, and avoid the other common password mistakes;

Use a password manager, which stores strong and unique passwords for each site and account, making logins simple and secure;

Change the password immediately if a provider warns that data may have been compromised;

Only use HTTPS sites to login;

Do not click on links or open attachments in unsolicited emails;

Only download apps from official app stores;

Invest in security software from a reputable vendor for all devices;

Make sure all operating systems and applications are updated to the latest version;

Beware of prying eyes over your shoulder in public spaces;

Avoid logging into accounts while connected to a public Wi-Fi network; if you must use such a network, use a VPN.

“Password extinction has been predicted for over a decade. However, alternatives often have a hard time replacing the password itself, meaning users will have to take matters into their own hands. Staying vigilant and protecting the security of your login credentials is the first step in protecting personal information,” says Camilo Gutierrez Amaya, head of the ESET Latin America Research Lab.

