5 signs you’re in hackers’ sights

“It won’t happen to me” is often uttered by citizens and businesses who are adamant that they won’t become a victim of cybercrime. But this confidence is often misplaced, with even the most basic security errors exploited by hackers. We Live Security looks at 5 signs you’re making yourself a target to the bad guys.

1. Trusting social media links

Social media lures were huge in 2013 and despite clicks dropping significantly in 2014, according to Verizon’s DBIR report, the temptation to click on a link sent on Twitter or Facebook remains too much for some.

Although the vast majority of these links are benign, there are those that are not, especially in the aftermath of a natural disaster.

These links, once clicked, redirect users either to legitimate sites that have been compromised or to malicious websites, with the same intention: stealing credentials (via a bank log-in page, for example) or launching a ‘drive-by download’ attack that installs malware on the user’s machine.

Users should think carefully about how much they trust the source of the information, and consider tools – such as checkshorturl.com – for properly investigating Bitly and other shortened links.

2. Re-using the same passwords

Passwords remain a problem for almost everyone; they need to be complex, they’re hard to remember and you’re constantly told to use unique multi-character passwords for each of your online accounts.

Some people have taken to using password managers like 1Password or LastPass to provision and manage passwords (with just one master password required) but others continue to write them down on paper or on the PC. A huge number of people use the same password across multiple accounts.

The danger here is that if a hacker compromises one account – and that’s not difficult with phishing emails and brute force attacks – they can go on to compromise others using the same credentials.

It’s also worth noting the passwords you might forget about, such as the ones used to secure your router, webcam or even internet-of-things (IoT) devices. Many of these come out-of-the-box with default passwords which, if left unchanged, could be taken advantage of.

3. Not updating software

Aside from falling for phishing scams and social engineering, people are also frequently exposed to potential data loss, financial fraud and more simply by failing to patch – or fix – the software running on their computers.

Security patches are designed to fix vulnerabilities in the software people use. Last year’s Heartbleed flaw in SSL encryption meant millions of web users’ traffic was exposed, and though this had more to do with IT administrators servicing web servers, the point stands that patching is important. On that occasion, hackers had unfettered access to passwords, credit card details and more.

For end users, Microsoft Office, Adobe Flash Player and Java updates are the most commonly ignored or forgotten, while hackers also look to exploit flaws in WordPress. The end goal is the same – to get in via the backdoor and steal information or money. They do this by “reverse engineering” to discover how to compromise systems that are not fully patched.

The good news is that patches are regularly scheduled – Microsoft, as just one example, does Windows updates once a month on Patch Tuesday – while increasingly all major operating systems have options for automatic updates. The latter is certainly recommended if you know you’re not good in this area.

4. Downloading from third-party app stores

The more tech-savvy users of iPhones and Android smartphones sometimes jailbreak or root these devices to work around the strict controls imposed by Apple and Google, in order to get more apps and functionality.

However, with this come security risks. Jailbreaking makes apps behave in unpredictable ways, while the third-party app stores – admittedly less prevalent than a year ago – have been found to offer up malicious apps, or legitimate apps cracked and recoded by cybercriminals.

5. Sending sensitive data over open Wi-Fi

If you’re browsing the internet from your home, you’re in relative safety – your ISP router will likely be protected by a strong password (and perhaps a firewall too), so the chance of an outside attack is relatively low.

However, it is a different thing entirely when people use Wi-Fi in the outside world, especially in hotels and coffee shops where the wireless connection is open and unsecured.

As the Wi-Fi is open, hackers could potentially place themselves in between you and the server in a so-called Man-in-the-Middle (MiTM) attack, in order to steal data or serve up malware. Some ingenious hackers have even managed to hack the connection point itself, causing a pop-up window to appear during the connection process offering an upgrade to a piece of popular software. Just clicking this window installs the malware.

Others, meanwhile, have used readily accessible tools online to act as the Wi-Fi point itself (so beware of those general ‘Coffee Shop Wi-Fi’ identifiers).

Instead, it’s best to avoid sending sensitive information or – if you have to – download and use a VPN.

Author , ESET

  • Coyote

    Probably obvious to most but this is more like a list of very bad mistakes that increase your risk of attack (or make an attack easier!). I’ll just come out and say it: never ever make the mistake of believing you aren’t of interest to an attacker. Never ever make the mistake of believing that it can’t (or won’t) happen to you. Never believe you have nothing to hide (any claims to the contrary are dangerous propaganda), either, an example being: “You have nothing to fear if you have nothing to hide” (another one is “you’re either with us or against us”). If you feel you don’t have anything worth hiding, ask yourself THIS IMMEDIATELY: would you send your banking credentials to an enemy or even a friend? What about Facebook? (the latter is a relevant example; while I don’t have a source to cite offhand, I am fairly sure Mark Z. has stated the one about nothing to fear versus nothing to hide). While you’re at it, always try to keep in mind that something you post on social media (or for that matter, other places like… here?) can bite you later on (even if you don’t mean harm, words are unfortunately very easy to twist and change the meanings entirely). Everyone is at risk of this (in the real world too).

    As for the post: the password reuse is one of the most significant ones, and perhaps because it is so easy to get in such a habit (“I’ll just sniff this line and that’s it…” versus “It’s okay… this is a one-off instance and next time I’ll make a new password” versus “This is only a temporary account anyway so where’s the harm?”), and equally because all attackers would try the same password on multiple accounts.

    The others are rather obvious (to those aware, anyway) too (and otherwise 4 of many more examples), and as such I’ll just add one (which is something of an extension to #1, that of being too trusting of links). Make that two but both being related in the sense of references (links/etc.).

    1. Be aware of clickjacking and the like. While NoScript is a bit overkill (or too much of a hassle for some) for many, it does offer many safety mechanisms (and once you have built a whitelist it is less problematic) and unsurprisingly this includes blocking scripts (which includes dangerous scripts). But it protects more than script abuse/misuse. Note that it can break comment forms/etc. if you’re not careful (you have to get used to it or build a whitelist). More to the point, while you might think you’re clicking on one thing, it might be a trick and you’re clicking on something else – that is hidden – and THAT hidden link is dangerous. In other words, it isn’t just links that are visible (either as text or images). Maybe better stated: be on guard and be aware that this is possible; just like the real world, not everything is exactly as it seems, and not everything should be trusted (and similarly, not everything is safe).

    2. Don’t bother responding to spammers or trying to remove yourself from their list. Ignore their stupid disclaimers (I’ve yet to see a disclaimer referring to laws about spam that are actually legit in the first place although that isn’t to say all spammers will have it – many don’t! – or no others will have it [never seen others have it, though]) which could trick you into clicking on the remove me from this list (etc.). Main point: IF they respected your privacy (they don’t) they wouldn’t be mailing you in the first place (but they are)!
