The 8 Ways You're Getting Hacked
And how you can avoid them…
Let’s be honest: we’ve all clicked on something we shouldn’t have.
Maybe you received an “Is this you in the video?!” chat message from an already compromised friend.
Maybe you were stressed about not receiving the package with your children’s gifts and got a “We attempted to deliver your package, but no one was home” message from a scammer.
The truth is that everyone is susceptible to scams and hackers. However, hackers are lazy people (at least I am) and re-use the same methodologies over and over again.
If you can recognize the pattern of these methodologies, the chance that you will get hacked will be significantly lowered.
And here is a secret for free: Hackers always go for the easiest targets. Run faster than your neighbor, and you’ll be safe!
As someone who’s spent over a decade legally breaking into companies (yes, I was shocked when I found out that’s a real job too), I’ve seen firsthand how regular folks like you and me become unwitting victims.
But fear not! I’m here to spill the beans on how hackers try to trick you, and more importantly, how you can dodge their traps.
1. Valid Accounts, the most likely way to get hacked
I want to make a point of NOT putting phishing as the first point. The point here is not necessarily that a site you care about gets breached, and with it your account. It is more that a site you made, and forgot, an account on 10 years ago suddenly gets hacked, and you re-used the same or a similar password on other accounts.
The technical term for this type of attack is “credential stuffing”, and it is a very effective form of attack that has been very much on the rise over the past few years.
This year, a compilation of 10 BILLION passwords was leaked. The chances that one or more of your passwords are floating around in these compilations are very high, and you can even check this yourself with services like Haveibeenpwned.
A quick search for one of my own email addresses reveals its presence in 10(!) different data breaches, which means that hackers potentially have 10 of my passwords that they can test with my email address on any applications I am likely to use.
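The article's lookup is by email address; the same service also lets you check a password itself through its Pwned Passwords range API, which only ever receives the first five characters of the password's SHA-1 hash. The sketch below is an added example, not code from the article or from Have I Been Pwned, and the response body it checks against is constructed so that it runs offline.

```python
import hashlib
from urllib.request import urlopen


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Network step: only the 5-character prefix ever leaves your machine."""
    with urlopen("https://api.pwnedpasswords.com/range/" + prefix) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, range_body):
    """Look for our own suffix in the 'SUFFIX:COUNT' lines of the response."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed response body so the example runs offline: two filler lines
# plus the suffix of "password99" with an invented count of 1234.
SAMPLE_BODY = "\r\n".join([
    "0" * 35 + ":3",
    split_hash("password99")[1] + ":1234",
    "F" * 35 + ":1",
])

if __name__ == "__main__":
    for pw in ("password99", "DucksHelpingSwordsmanMinefield"):
        print(pw, "->", breach_count(pw, SAMPLE_BODY), "sightings in sample")
```

Against the live service you would pass fetch_range(split_hash(pw)[0]) as the second argument instead of the sample body.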
How to avoid this attack
Use a password manager: Using a password manager is the only real way to avoid both re-using passwords and using weak passwords. It can take some getting used to, but after using it for a while my logins are now quicker with the password manager than when I used passwords.
Always enable multi-factor authentication: MFA is a must. Always. Especially on your email and social media accounts, those are heavily targeted. And then anywhere else where you can perform payments. And to be real, anywhere you have logins at all. MFA is so easy to set up and use today that there is no reason not to enable it everywhere.
2. Phishing, the gift that keeps on giving
Phishing has been the method of choice to scam and hack regular people for a long time now, and it is still surprisingly effective.
Hackers find new ways to trick people with phishing all the time, and the techniques have become more advanced.
One interesting method used a couple of years ago was the “porn scam”, which combined attack methods 1 and 2 in this article. They found one of your real passwords in a data breach, and then sent you a mail claiming they had video proof of you accessing porn sites. The password from the data breach was then used to make the scam seem more legitimate, as they could say “we used this password to hack you:” followed by a real password you had used in the past.
These scams will very often play on urgency: an immediate action is required from you, or some negative consequence will follow. This could be anything from a prize only being valid for the next hour to losing your package if you don’t pay a fee within 24 hours.
Hackers are the ultimate copycats. They mimic the various sources you trust. This could be your bank, favorite online store, or even your own family or friends.
How to avoid this attack
Recognize the common signs of phishing:
Urgent or emotionally appealing language
Requests to send personal and financial information
Untrusted shortened URLs
Incorrect email addresses or links, like amazan.com
In addition to this, make it a habit to always go directly to the official website of the company that is messaging you instead of clicking the link. Most companies that handle sensitive information, like banks, will never send you links, and instead tell you to go to your normal login page.
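The warning signs listed above can also be checked mechanically. The following is an added example, not part of the original article: the trusted sites, shortener list and urgent phrases are assumptions to replace with your own, and the sample message is constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed lists for this example; illustrative, not exhaustive.
TRUSTED = {"amazon.com", "paypal.com"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
URGENT = ("within 24 hours", "immediately", "act now", "final notice")


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(url):
    """Classify one link against the phishing signs listed above."""
    host = (urlsplit(url).hostname or "").lower()
    domain = ".".join(host.split(".")[-2:])  # simplification: ignores co.uk etc.
    if domain in TRUSTED:
        return "trusted"
    if domain in SHORTENERS:
        return "shortened link, destination hidden"
    for good in sorted(TRUSTED):
        if edit_distance(domain, good) <= 2:
            return "lookalike of " + good
        if good.split(".")[0] in host:
            return "uses the name " + good.split(".")[0] + " on another domain"
    return "unknown domain"


def check_message(text):
    """Return the warning signs found in a message, links included."""
    lowered = text.lower()
    signs = ["urgent language: " + p for p in URGENT if p in lowered]
    signs += [url + " -> " + verdict
              for url in re.findall(r"https?://[^\s\"'<>]+", text)
              if (verdict := check_link(url)) != "trusted"]
    return signs


# Constructed sample message, not a real phishing mail.
SAMPLE = ("Your package is on hold. Pay the fee within 24 hours at "
          "http://amazan.com/fee or via https://bit.ly/x1")
```

Calling check_message(SAMPLE) reports the urgent phrase, the amazan.com lookalike and the shortened link.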
3. Weak Passwords
Using “password99” as your password is obviously like leaving your front door wide open with a welcome sign for hackers.
But your password can be way better than that, and still be weak.
Your Facebook password could be: EmilyFacebook94
Your work account could be: Starbuckssucks20
Any connection between the password and you or the application it is for drastically elevates the risk of it being a bad password. Even with complexity rules, most people just put 1! at the end of their password.
Guessing passwords is its own science, and there are fantastic wordlists and guessing methodologies that make it harder than you’d think to come up with an actual good password.
How to avoid this attack
Use passphrases: Complex, randomized passwords are great, but they are hard to remember. The absolute most important factor in a password is length, making “DucksHelpingSwordsmanMinefield” a better password than “P455w0rd1!”.
Use unique passwords: Use unique passwords for each account. This again makes your passwords hard to remember, so the most important steps are the next two.
Use a password manager: Password managers will generate great passwords for you, and also remember them for you. Most password managers let you sync your passwords to all your devices, and even have functionality to log in automatically.
Multi-Factor authentication: Always enable this, wherever you can. This adds an extra layer of security, meaning that even if a hacker manages to guess or get access to your password, they still can’t log into your accounts.
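To see why the example passwords in this section are weak, here is a small checker for the patterns described: a predictable suffix, a common word hiding behind letter substitutions, and words tied to you or the site. It is an added example, not part of the original article; the word list is a tiny constructed stand-in for real wordlists and the 14-character minimum is an assumption.

```python
import re

# Tiny constructed stand-in for the large wordlists real guessing tools use.
COMMON = {"password", "welcome", "qwerty", "letmein", "summer"}
# Undo the usual letter substitutions: 0->o, 1->l, 3->e, 4->a, 5->s, ...
LEET = str.maketrans("0134578@$!", "oleastbasi")
MIN_LENGTH = 14  # assumption for this example, not a figure from the article


def audit_password(password, context=()):
    """Return reasons the password is guessable; empty means none were found.

    context holds words tied to the owner or the site (names, pets, brand).
    """
    findings = []
    lowered = password.lower()
    # Strip a trailing run of digits and symbols such as "1!" or "99".
    core = re.sub(r"[\d\W_]+$", "", lowered)
    if core != lowered:
        findings.append("predictable suffix: " + lowered[len(core):])
    if core.translate(LEET) in COMMON:
        findings.append("common word underneath: " + core.translate(LEET))
    for word in context:
        w = word.lower()
        if len(w) >= 3 and (w in lowered or w in lowered.translate(LEET)):
            findings.append("tied to you or the site: " + word)
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    return findings


if __name__ == "__main__":
    print(audit_password("P455w0rd1!"))
    print(audit_password("EmilyFacebook94", context=("Emily", "Facebook")))
    print(audit_password("DucksHelpingSwordsmanMinefield"))
```

An empty result only means none of these particular patterns matched; it is not proof that a password is strong.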
4. Public Wi-Fi, VPNs are not just for Youtubers
Yes, I’m fully aware that the value of VPNs is overplayed on a regular basis through a myriad of sponsorships on platforms like YouTube.
Even with this in mind though, malicious Wi-Fi networks are still a way you could get hacked without ever noticing it.
The way this works is that you, for example, visit a Starbucks and connect to a network called Starbucks_Free_WiFi. This, however, is not set up by Starbucks, but by a hacker trying to lure victims to connect to their network.
When this happens, this person can listen to all the traffic between you and the internet, and even control where some of your traffic should go.
This means, depending on a few security configurations, that when you visit your bank on this malicious network, you are really visiting a website fully controlled by the hacker.
How to avoid this attack
Save the online banking for home: Avoid accessing sensitive info on public networks.
Use a VPN: Think of it as a tunnel between you and the internet, denying the hacker any way to listen to or manipulate your data even if you connect to their malicious network.
Forget networks: After using public Wi-Fi, tell your device to forget the network.
When in doubt, ask: Check for signs with the name of the free Wi-Fi, or ask staff which is the correct one.
5. Outdated Software, vintage isn’t always good
This is probably far from the most likely way you’ll get hacked, but it is still worth mentioning.
In all computer software, vulnerabilities will be discovered from time to time. Some of these make it possible to take over your browser, laptop, phone, or your children’s dolls (yes, you read that right).
If you don’t regularly update your devices and applications, this can make it easier for an attacker to successfully compromise you.
How to avoid this attack
Embrace updates: They might be annoying, but they will protect you from an attacker exploiting vulnerabilities to compromise you.
Automatic updates: Enable automatic updates wherever possible; they will then usually update when you are not using the device.
6. Social Engineering, people want to help people
It is natural for people to want to help people. Sadly, this is one of the traits that can easily be taken advantage of through social engineering techniques.
Hackers know how to push your buttons, both literally and figuratively.
One of the most well-known techniques is the typical “tech support” scam, which claims that your computer is infected.
While phishing falls under this category, it has its own section. Instead, this focuses on actual social interactions where you get tricked.
Deepfakes could absolutely be a scarily effective way to perform scams like this, for example by calling you while impersonating the voice of your daughter.
How to avoid this attack
Be suspicious of situations where you get something for no reason: Unsolicited help is often too good to be true.
Trust, but verify: Hang up and call the company directly using official contacts, instead of blindly trusting someone who calls you.
Don’t give out sensitive information over the phone: No serious company will ever ask you for your passwords, banking information and so on over the phone.
Trust your gut: If something feels off, it probably is.
7. Malicious Apps, or viruses if you want
While security software and even browsers have gotten much better at recognizing and blocking malicious software, downloading files and applications from untrusted sources still puts you at risk of getting compromised.
This is especially risky when you are searching for some niche application that might not be that available.
And even more true when you are trying to access content in illegitimate ways, like downloading movies, games, or the cracked version of Photoshop.
How to avoid this attack
Stick to trusted sources: Download apps from official stores like Google Play or the App Store.
Read the Reviews: Learn from others who’ve tried out what you are looking for before you.
Listen to warnings: If your browser or computer warns you that something is off, it is probably best to go somewhere else for your precious application.
8. Over-Sharing on Social Media
When I’m trying to find ways to hack specific people in an organization, postings on social media are usually a great way to find clues.
The names of their kids and cats for password guessing
Hobbies and interests I can use in phishing emails
Pictures of keys and keycards I can copy
Sharing details of your life online gives hackers puzzle pieces to your identity.
How to avoid this attack
Protect your privacy: Adjust your settings so only friends can see your posts.
Less is More: Avoid sharing personal details like your address or phone number.
Conclusion: Don’t be an easy target
Hackers might seem like mysterious figures hunched over keyboards in dark rooms (thanks, Hollywood), but the reality is less dramatic and more boring. Hackers are exploiting simple mistakes and everyday habits.
The good news? A little awareness goes a long way.
By staying informed and taking some proactive steps, you can make yourself a much harder target, which will make hackers move on to someone else, or find some other line of work altogether.
Your Cybersecurity Checklist:
Stay Skeptical
Use a password manager
Enable multi-factor authentication
Listen to security software or other warnings
Remember, in the game of cybersecurity, the human is the important part. Technology can only help you part of the way, but you need to do some of the work yourself.
Stay alert, stay safe, and maybe you can avoid becoming a part of the dark statistics of hacking victims.
Don’t be an easy target.