
How Important Is a Secure Password?

Financial fraud and identity theft often begin with unauthorized access to an account, and weak passwords are what hand that access to attackers. ‘Password1234’ might have worked 10 years ago, but today it will never pass if you want to protect your banking information, personal data, and identity. Brute-force attacks, one of the most common forms of cyberattack, can largely be avoided with secure login credentials and a strong cybersecurity mindset.

Brute-Force Attacks
Trial and error is a hacker’s bread and butter when it comes to brute-force attacks. Threat actors use computers to try commonly used passcodes and wide ranges of character combinations against a victim’s account until one works, compromising passwords, encryption keys, and login credentials along the way. Hackers have refined this technique over the years, and it remains effective largely because weak passwords make accounts easy to guess.

Credential stuffing, a type of brute-force attack, takes login credentials that were already exfiltrated from one breach and replays them against other sites, in the hope that victims follow bad practices and reuse the same credentials across multiple services. Dictionary attacks work through a list, or dictionary, of words, with threat actors systematically entering one entry after another until one succeeds. Hybrid attacks combine dictionary words with popular sayings, numbers, or symbols appended to them, while reverse brute-force attacks work backward: the attacker starts from a single popular password and tries it against a list of commonly used usernames.

Rainbow table attacks take it a step further and go after password hashes. Hackers obtain an application’s stored hashes and then use a precomputed lookup table, nicknamed a rainbow table, to turn those hashes back into the original passphrases before logging in with them. Password spraying is another common method: hackers use the same password but change the username, working through an acquired list of usernames until one succeeds.
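To make the difference between brute force (many passwords, one account) and password spraying (one password, many accounts) concrete from the defender’s side, here is an added example that is not part of the original article: it groups failed-login records by source address and labels each source. The log format, thresholds, and sample lines are constructed for this example.

```python
from collections import defaultdict
import re

# Constructed sample log lines (format assumed for this example):
# one source hammering a single account (brute force), another trying
# each of several accounts once (password spraying), and a lone failure.
SAMPLE_LOG = """\
2024-04-20T10:00:01 FAIL user=alice src=203.0.113.5
2024-04-20T10:00:02 FAIL user=alice src=203.0.113.5
2024-04-20T10:00:03 FAIL user=alice src=203.0.113.5
2024-04-20T10:00:04 FAIL user=alice src=203.0.113.5
2024-04-20T10:00:05 FAIL user=alice src=203.0.113.5
2024-04-20T10:01:00 FAIL user=bob src=198.51.100.7
2024-04-20T10:01:01 FAIL user=carol src=198.51.100.7
2024-04-20T10:01:02 FAIL user=dave src=198.51.100.7
2024-04-20T10:01:03 FAIL user=erin src=198.51.100.7
2024-04-20T10:01:04 FAIL user=frank src=198.51.100.7
2024-04-20T10:02:00 OK   user=grace src=192.0.2.9
2024-04-20T10:02:30 FAIL user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^\S+\s+FAIL\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")


def classify_failures(log_text, brute_threshold=5, spray_threshold=5):
    """Map each source IP seen failing to 'brute-force', 'spraying' or 'normal'.

    brute-force: at least brute_threshold failures against one account
                 from a single source (many passwords, one user).
    spraying:    at least spray_threshold distinct accounts failing from
                 a single source (one password, many users).
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        failures[m["src"]][m["user"]] += 1

    verdicts = {}
    for src, per_user in failures.items():
        if max(per_user.values()) >= brute_threshold:
            verdicts[src] = "brute-force"
        elif len(per_user) >= spray_threshold:
            verdicts[src] = "spraying"
        else:
            verdicts[src] = "normal"
    return verdicts
```

Real deployments should also bound the time window, since a sprayer who spaces attempts out over hours will stay under a naive per-user lockout.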

Credential Harvesting and Phishing
Otherwise known as password harvesting, credential harvesting is notable as the gateway to online fraud. Threat actors achieve it through several methods, such as phishing, fake websites, malware, and other forms of social engineering. Smishing, or SMS phishing, is a common tactic that has grown more popular recently, as more people notice text messages with malicious links in their inboxes. Other forms of phishing are conducted through email, the original form, and vishing, which takes place over the phone. In vishing attacks, hackers call victims while impersonating organizations such as banks or college administration offices and try to get them to visit malicious links or hand over sensitive information.

Recent Attacks
Cisco has been warning users this month that software such as its VPNs and SSH services has been compromised in a surge of brute-force attacks, and urging them to follow its advisories to see the affected systems. In Ukraine, over one hundred million accounts were hijacked in a series of brute-force attacks. Recently, three men were arrested after it was revealed that they had accessed victims’ Instagram and email accounts thanks to easy-to-guess passwords.

WordPress, a web content management system, is currently dealing with a string of attacks that inject scripts coercing victims’ browsers into brute-forcing passwords for other platforms. The scripts, delivered as a JSON file, contain all the instructions for an attack, which executes silently while the victim is working on their computer.

23andMe recently disclosed that it was the victim of a credential harvesting attack beginning in early 2023. The threat actors specifically targeted customers of Ashkenazi Jewish and Chinese heritage, compromising 350,000 customers’ sensitive data and exposing them to discrimination and harassment as the conflict between Palestine and Israel grows.

Phishing attacks, meanwhile, have continued to rise as the year progresses, with smishing and vishing gaining popularity. LastPass, a password management application, suffered a phishing attack by unknown threat actors earlier this week using a CryptoChameleon phishing kit. The kit lets actors create fake single sign-on (SSO) pages to present to victims, enabling the attackers to capture their credentials and compromise their information.

Password Recommendations
Long and complex is the standard when creating a password: 8-10 characters at the minimum, with symbols and numbers included. Most recommend moving up to at least twelve characters, as the longer the password is, the harder it is for hackers to crack. Your credentials should never contain publicly available information that could be easily guessed, such as your kids’ names, dates of birth, or the day you got married. Instead, use sources such as Google’s password generator or random combinations on your keyboard to produce a complex password. Never use the same password for more than one account because, as mentioned above, this is the widespread practice hackers look for when performing credential stuffing attacks.
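The recommendations above can be turned into a simple check. The following is an added example, not DefendEdge’s code: the common-password list, the personal details, and the keyspace estimate (why twelve characters beat eight) are assumptions constructed for illustration.

```python
import math
import string

# Constructed inputs for this example: a few commonly guessed passwords
# and the kind of personal details the article warns against embedding.
COMMON_PASSWORDS = {"password1234", "123456", "qwerty", "letmein"}
PERSONAL_INFO = ["emma", "1995", "0612"]  # kid's name, birth year, anniversary


def keyspace_bits(password):
    """Rough strength estimate: log2 of the search space a brute-force
    attack must cover, from the length and character classes used."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(c in string.punctuation for c in password): pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, personal_info=PERSONAL_INFO, min_length=12):
    """Return a list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("commonly guessed password")
    for item in personal_info:  # case-insensitive substring match
        if item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems
```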

Multi-Factor Authentication (MFA) is another great tool, and most sites require it today. It may be annoying, but it can save you from thousands of dollars in consequences from attacks. Because a second password or PIN is sent to a phone number or email address on a different device than the one you are logging in from, hackers will have a challenging time infiltrating your account. Some MFA methods use Face ID or a fingerprint to secure your credentials, improving your security score and allowing you to ensure your systems are protected. Changing your passwords every 60-90 days at the maximum is another recommended technique for account security. Some authentication applications let you set dates on which to change your passwords, and others require it. Recurring changes can seem overwhelming, since you have to come up with new passwords every couple of months, but it is important not to reuse the same characters and duplicate them across the changes, or the rotation won’t be as effective.
