We are all spied on, even if we think we are not. Our data is gold, and our passwords are the keys to our lives. In short, not much has changed since our analogue existence: what we have is tempting to those who want to steal it from us. But we forget this: we use our devices too casually, often without putting any security between us and others (how many of you have an antivirus on your smartphone?), and we leave many doors open without worrying about them (another example: do you know how to protect your smart appliances?). This happens not only in personal life, but also in working life.
Yet in the era of digitalization, defending sensitive data and passwords is one of the biggest challenges for us and our companies. Hackers use increasingly sophisticated techniques to obtain confidential information, which can put identity, assets and digital security at risk. The fight against them is a bit like the fight against doping: always in pursuit. So much so that those who fight cybercrime have often been one of those pirates before.
We therefore need a guide. In this article we explore the most common methods used by cybercriminals to steal data and passwords, and give an answer on how to defend yourself.
Phishing
Phishing is one of the most classic and widely used cyber attack techniques. It relies on deceiving the user in order to obtain sensitive data, and it begins with a communication (usually via email, but also via SMS or social media) that imitates a trusted source such as a bank, a service provider, or even a technology company. Or perhaps, as often happens recently, with a message on the smartphone that begins like this: “Dear dad, I lost my cell phone and I’m calling you from another number…”. This is followed by “could you click here…?”, with a link that opens a door to all sensitive data and contacts, or leads to a seemingly legitimate web page that is actually managed by hackers.
This page – if the request apparently comes from your bank or from a service you have subscribed to – may ask the user to enter their login credentials, credit card details or other confidential information. Often, phishing messages contain elements of psychological pressure, such as a warning of suspicious account activity or an impending deadline.
How to protect yourself:
Always verify the sender of communications.
Do not click on suspicious links and, if possible, manually type the address of the website of interest.
Use a two-factor authentication system to add an extra layer of security.
Don’t give credence to ungrammatical messages.
Malware, spyware and ransomware
Malware (malicious software) and spyware (spy software) are programs installed on the victim’s device without their consent. Malware can be distributed via infected email attachments, file downloads from unsafe sources (for example from apps, especially in the Android system) or compromised websites. Spyware, in particular, is designed to collect information about the victim’s device, including user activities, typed passwords, and browsing data.
Among the most dangerous malware are keyloggers, programs that can record everything that is typed on the keyboard and send it to hackers. This way, attackers gain access to passwords, credit card numbers, and other sensitive information. Ransomware belongs to the same family: in this case it blocks devices, which can only be used again after paying a ransom, almost always in bitcoin (which is not traceable).
How to protect yourself:
Keep your antivirus software updated and activate a firewall, i.e. defense software.
Avoid downloading files from unknown sources and beware of unverified downloads.
Regularly scan your device for malware.
Brute Force attacks
Brute force attacks are systematic attempts to guess a password or encryption key by trying all possible combinations. Hackers use specialized software that can test millions of combinations per second, which makes it easy to break weak or easily guessable passwords.
Often, hackers manage to obtain a list of common passwords and try to combine them with the victim’s personal information, such as the name, date of birth or telephone number.
How to protect yourself:
Use long and complex passwords, avoiding common words or easily findable information.
Use the passwords that protection systems offer, such as Apple Password, which generates a very difficult one and then saves it internally on the iPhone so that only the user can see it. There are also password managers that create and securely store strong combinations.
Enable two-factor authentication, which makes a login attempt useless even if the hacker guesses your password: to get in, you also need a second code that appears only on your smartphone or computer.
Man-in-the-Middle
Man-in-the-Middle attacks occur when a hacker intercepts communication between two parties, such as between a user and a website, without either knowing. This type of attack is especially dangerous in public, unsecured Wi-Fi networks, where hackers can spy on information transmitted between devices.
Through this attack, cybercriminals can obtain sensitive data such as login credentials and banking information. Some MitM techniques include DNS spoofing, which redirects the user to fake websites, and packet sniffing, which captures unencrypted data packets.
How to protect yourself:
Avoid accessing sensitive sites, such as banking sites, on public or unsecured Wi-Fi networks.
If necessary, use a VPN (Virtual Private Network) to encrypt traffic and prevent data interception.
Check that the sites you visit use HTTPS, a sign of a secure connection.
Social Engineering
Social engineering attacks exploit the psychological manipulation of victims to obtain information. Hackers can impersonate IT technicians, colleagues or trusted authorities and ask for confidential information via phone calls, emails or direct messages.
One of the best-known methods is pretexting, in which the hacker creates a false situation (e.g. a security issue) to convince the victim to provide sensitive data. Another technique is baiting, in which the hacker leaves infected devices (such as USB sticks) in public places hoping that someone will find them and connect them to their computer, thus activating the malware.
How to protect yourself:
Be wary of requests for sensitive information via telephone or email, especially if you are unsure of the identity of the requester.
Raise awareness among employees and collaborators of the risks of social engineering.
Always verify the identity of anyone requesting important data and use company security passwords.
SQL Injection
SQL Injection attacks are techniques used to manipulate vulnerable databases. Hackers insert malicious SQL code into the input fields of a web application (such as login or search forms), with the aim of gaining access to the database, extracting data, or even modifying it.
These attacks mainly occur on unprotected or poorly configured systems and allow huge amounts of sensitive data to be obtained in a short time, including usernames and passwords.
How to protect yourself:
Implement input controls on web application fields to prevent malicious code from executing.
Use up-to-date database management software and follow best security practices.
Monitor and audit SQL queries executed against the database to detect suspicious activity.
Credential Stuffing
This is a technique that takes advantage of login credentials obtained through previous data breaches. Hackers use software to automatically attempt to log in to various online services by entering credentials across multiple accounts and taking advantage of the fact that many users tend to reuse the same password across different sites.
This type of attack becomes particularly dangerous when information stolen from one platform is used to access other user accounts.
How to protect yourself:
Avoid using the same password across multiple sites or applications.
Enable two-factor authentication to limit access even if credentials are compromised.
Monitor accounts for suspicious activity and update passwords in case of breaches.
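One way a service can monitor for this pattern, as an added example that is not part of the original article: a single source trying many different accounts, mostly without success, looks different from a user mistyping their own password. The log format, the thresholds and the function name are assumptions made for illustration, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample login log: "timestamp source_ip username result"
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 bob FAIL
2024-05-01T10:00:03 203.0.113.7 carol FAIL
2024-05-01T10:00:04 203.0.113.7 dave OK
2024-05-01T10:00:05 203.0.113.7 erin FAIL
2024-05-01T10:03:10 198.51.100.4 frank FAIL
2024-05-01T10:03:25 198.51.100.4 frank FAIL
2024-05-01T10:03:40 198.51.100.4 frank OK
"""

def find_stuffing_sources(log_text, min_accounts=4, min_fail_ratio=0.5):
    """Flag sources that try many distinct accounts and mostly fail.

    Returns {ip: {"accounts": [...], "reset_passwords": [...]}} where
    "reset_passwords" lists accounts the flagged source logged in to.
    """
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        _, ip, user, result = parts
        attempts[ip].append((user, result == "OK"))

    findings = {}
    for ip, tries in attempts.items():
        accounts = {user for user, _ in tries}
        failures = sum(1 for _, ok in tries if not ok)
        if len(accounts) >= min_accounts and failures / len(tries) >= min_fail_ratio:
            findings[ip] = {
                "accounts": sorted(accounts),
                # A success from a flagged source means a reused password worked.
                "reset_passwords": sorted({user for user, ok in tries if ok}),
            }
    return findings

if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_LOG).items():
        print(ip, info)
```

The second source in the sample is not flagged: repeated failures on one account followed by a success is what a forgetful owner looks like.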
Having said the above, it is clear that we must take our digital life seriously. And remember, after all, that it is as if we were still walking around with a full wallet in our pocket or bag: every day someone could try to take it away from us. And sooner or later he succeeds.