Father
How passwords are hacked and stolen on the Internet
What tricks do attackers use to steal users' passwords to all kinds of network resources: pages in social networks, online games, payment systems? Online identity theft statistics are full of alarming numbers. To avoid joining the victims who have lost their accounts, let's look at the main methods of password theft used by hackers: social engineering, brute-force attacks, keylogging and cookie interception. Understanding these malicious "technologies" lets you counter them effectively while maintaining the proper level of security and confidentiality of personal data.
The painted malure, a small bird of the passerine order, guards its precious offspring against the eggs planted by the parasitic cuckoo with nothing less than a password. As soon as her chicks are born, she immediately teaches them to reproduce a unique trill. Naturally, the offspring of the impudent cuckoo parent know nothing about this "song", since they hatch 2-3 days later.
The triumph of justice and vengeance comes at feeding time. Seeing their parents approach the nest with treats in their beaks, the malure chicks sing the very trill they were taught in their first days of life. Only the performers of the "native motif", the legitimate heirs, receive food; the cuckoo's chicks are left with nothing and soon die of hunger.
At first glance this is just a scene from nature, but how much it resembles the vast digital jungle of the Internet: there are passwords here too, and there are characters, good and evil: hackers and ordinary users.
So, dear reader, to keep your cherished logins and passwords out of the hands of unsavory people, you will not, of course, have to learn any trills. But it will do no harm to get acquainted with the methods of stealing personal data... Do you want peace? Prepare for war!
Social engineering
The attacker's main tools in this method are the user's naivety and excessive curiosity. No sophisticated software methods, insidious viruses or other hacker technologies are needed.
The villain, knowing only the login of a mailbox, enters it into the service's login form and then tells the system that he has forgotten the password. A security question appears on the screen: the cracker does not know the answer, but he now knows what the question is. This is where the most "interesting" part begins: based on the subject of the question, he sends the victim a "cunning letter" that tries to find out the correct answer in a veiled form. Such an insidious message might look something like: "Good afternoon! We, the culinary site such-and-such, ..... etc. What is your favorite dish?" And that is just one example; there are many gimmicks of this kind "walking the net". We wrote more about social engineering in this article. So keep your eyes open when reading your mail!
Stealing cookies
A cookie is a file with session data that a website saves in the user's browser. It stores, in hashed form, the username, password, id and other information that the resource periodically reads while the user works online.
A hacker who knows the vulnerabilities of a particular site (a forum, mail service or social network) writes a special script that "pulls" cookies from the victim's browser and sends them to him. This "dirty deed" cannot be done without the account owner's participation, since it is the owner who has to run the malicious script. So before it is sent, the code is wrapped in a special "decoy": a picture, an enticing letter, a request, etc. The main task is to get the victim to follow the suggested link. If that happens, the hacker's script sends the cookies from the browser to a sniffer (network traffic interceptor) installed on third-party hosting, and only then redirects the user to where the message promised: a dating site, video hosting, photo gallery, etc. Naturally,
Using stolen cookies, a hacker can take over the user's session: he inserts them into his own browser and logs into the victim's account with the owner's rights. And if that does not work, he can also try to recover the password stored in the cookie. If the password is only 5-6 characters long, he will probably succeed. Hackers are not deterred by the fact that the MD5 hashing algorithm is one-way, that is, it cannot be decoded. In that case they use the lookup method: on special online services they search dictionaries of ready-made (hash, password) pairs for a match. For example, the MD5 hash "a865a7e0ddbf35fa6f6a232e0893bea4" is none other than "my_password".
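The lookup described above works because an unsalted MD5 of a common password is always the same value, so it can be precomputed once. The following is an added example, not code from the original post: it builds a small constructed lookup table to show the weak storage failing, and beside it stores passwords with a per-user random salt and PBKDF2 (the iteration count and sample passwords are assumptions), where no shared table applies.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the dictionaries of (MD5 digest -> plaintext)
# pairs that lookup services keep; a real one holds billions of entries.
COMMON_PASSWORDS = ["123456", "monkey", "11111", "qwerty", "my_password"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Assumed iteration count for the demo; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000


def reverse_unsalted_md5(digest: str) -> Optional[str]:
    """Not decryption: MD5 stays one-way, but an unsalted digest of a
    common password is simply looked up in the precomputed table."""
    return MD5_TABLE.get(digest.lower())


def store_password(password: str) -> Tuple[bytes, bytes]:
    """Salted, slow storage: a fresh random salt per user means the same
    password yields a different digest every time, and the iteration count
    makes each guess expensive instead of a table lookup."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    weak = hashlib.md5(b"monkey").hexdigest()
    print("unsalted MD5 of 'monkey' recovered as:", reverse_unsalted_md5(weak))
    salt, digest = store_password("monkey")
    print("salted PBKDF2 digest in table?", digest.hex() in MD5_TABLE)
    print("verify correct / wrong:", verify_password("monkey", salt, digest),
          verify_password("monkey1", salt, digest))
```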
Don't be lazy about creating long, complex passwords! Then this trouble will pass you by.
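On the site side, the "script pulls cookies from the browser" scenario above is what the HttpOnly attribute exists to stop: a cookie marked HttpOnly is never exposed to page scripts. As an added example (not from the original post), this audit parses Set-Cookie header values and reports session cookies that lack HttpOnly, Secure or SameSite; the sample headers and the list of session-cookie names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List

# Constructed sample headers, not captured from any real site.
SAMPLE_HEADERS = [
    "sid=7f3a9c; Path=/",                                  # readable by page scripts
    "sid=7f3a9c; Path=/; HttpOnly; Secure; SameSite=Lax",  # hardened
    "theme=dark; Path=/",                                  # not a session cookie
]
# Assumed names of cookies that carry a session token.
SESSION_NAMES = {"sid", "sessionid", "phpsessid", "jsessionid", "auth"}


@dataclass
class CookieAudit:
    name: str
    missing: List[str] = field(default_factory=list)


def audit_set_cookie(header: str) -> CookieAudit:
    """Report which protective attributes a Set-Cookie value lacks.
    HttpOnly hides the cookie from document.cookie, so an injected script
    cannot read it; Secure keeps it off plaintext HTTP; SameSite limits the
    cross-site requests that would carry it."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    audit = CookieAudit(name)
    if "httponly" not in attrs:
        audit.missing.append("HttpOnly")
    if "secure" not in attrs:
        audit.missing.append("Secure")
    if attrs.get("samesite") not in ("lax", "strict"):
        audit.missing.append("SameSite=Lax|Strict")
    return audit


def weak_session_cookies(headers: List[str]) -> List[CookieAudit]:
    """Only cookies that look like session tokens and lack a protection."""
    return [a for a in map(audit_set_cookie, headers)
            if a.name.lower() in SESSION_NAMES and a.missing]


if __name__ == "__main__":
    for a in weak_session_cookies(SAMPLE_HEADERS):
        print(f"{a.name}: missing {', '.join(a.missing)}")
```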
Keyloggers
These are programs that record the keys the user presses into their own log. They do so unnoticed, without revealing their presence in the system in any way: not in the tray, not in the process list, not in the registry. A cleverly written keylogger is something not every antivirus can recognize.
A user on an infected PC, sitting comfortably at the screen, calmly and steadily types a login from the keyboard, then a password, on one site, then another, and so on. All this time the keylogger "works hard": it captures the data, saves it, encrypts it and then sends it to its "owner", the attacker.
You can counter this small but evil spy using a virtual keyboard and special utilities that fill in login forms on sites automatically.
Brute force
Brute force is a method of guessing a password by enumerating the possible candidates from a special dictionary. It is very effective when the password is shorter than 5-6 characters, or is a simple sequence ("11111") or a dictionary word ("monkey"). We wrote about brute force in detail in this article.
To leave a brute-force attacker empty-handed, create complex passwords and use password generators.
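Besides a strong password, the service itself can notice brute force: it shows up as a burst of failed logins for one account from one source, and the dangerous case is a burst followed by a success. The following is an added example (not from the original post) of that detection logic run over constructed auth log lines; the log format, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Constructed log lines in a simple made-up format, not from any real system.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:02 auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:02 auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:03 auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:04 auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:05 auth: FAILED user=alice src=203.0.113.5
2024-03-01T10:00:09 auth: OK user=alice src=203.0.113.5
2024-03-01T10:05:00 auth: FAILED user=bob src=198.51.100.7
2024-03-01T12:00:00 auth: OK user=bob src=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) auth: (FAILED|OK) user=(\S+) src=(\S+)$")


def parse(log: str):
    """Yield (timestamp, outcome, user, src) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m[1]), m[2], m[3], m[4]


def detect_bruteforce(log: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> Dict[Tuple[str, str], str]:
    """Sliding window per (user, src): 'burst' when failures within `window`
    reach `threshold`; upgraded to 'burst_then_success' if the same pair then
    logs in, i.e. the password may have been guessed and should be reset."""
    fails = defaultdict(list)
    alerts: Dict[Tuple[str, str], str] = {}
    for ts, outcome, user, src in parse(log):
        key = (user, src)
        if outcome == "FAILED":
            recent = fails[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # drop stale failures
                recent.pop(0)
            if len(recent) >= threshold:
                alerts.setdefault(key, "burst")
        elif key in alerts:
            alerts[key] = "burst_then_success"
    return alerts


if __name__ == "__main__":
    for (user, src), verdict in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{user} from {src}: {verdict}")
```

A single stray failure, like bob's, stays below the threshold and produces no alert.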