When we consult with customers and prospects, we always start from the bottom up: first, how attackers get hold of your credentials through password-cracking and credential-theft techniques; then the ways those attackers can use that access to reach your business and its data; and finally how to mitigate and secure against each of those threat vectors. To do this we need to think like an attacker, looking at the methods they use to get into your systems and, once in, how they operate.
Breaking into an account, whether that is your computer or an online email service, can be like opening a bank vault: everything from your bank accounts to tax information to sensitive work data can be found and accessed. All it takes is the right password-cracking method to obtain your credentials and gain an initial foothold in the business. Once in, the attacker can take their time and see what else is available.
There are many ways, and limitless combinations of them, that an attacker can use to get access. Listed below are the most common ones we see used against businesses.
Password-cracking techniques hackers use to access business data
Phishing is the most common and easiest way for an attacker to get hold of your credentials.
Technical controls are patched and hardened far faster than people can be trained, so the human is usually the weakest link in any security system. Hackers therefore target people directly, with an email that persuades them to give up their credentials.
We have seen customers recently receiving emails with subject lines, links or attachments along the lines of ‘Click here to receive your money’, ‘Your password has expired’ or ‘Open this invoice’. These are all examples of email phishing, and although most users and employees can spot the crude ones fairly easily, the occasional well-crafted, ‘real’-looking one can unfortunately fool even the most seasoned email user.
We too have received phishing emails. The image below shows an email that I received recently. All looks official and, for a split second, I thought: I can’t believe we let it expire. However, a quick hover over that official-looking 123 reg email shows that it goes off to another website, which looks like the official 123reg site, prompting me to sign in and basically hand over our credentials to all things website. If this happened, we would lose the keys to the kingdom. The attacker can log in, change our password initially for access, start the domain transfer process out (which is pretty much immediate for .co.uk domains these days), and once that’s lost, no more email, no more website. A complete disaster that is virtually impossible to recover from.
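The hover check described above (does the link really go where its text says?) can be automated for every anchor in a message. The following is an added example, not code from the original article or from any vendor: it parses the HTML body of an email and flags links whose visible text names one registrable domain while the href points at another, or whose href is a bare IP address. The HTML sample and every hostname in it are constructed placeholders, not the real registrar's site or any real phishing host, and the public-suffix handling is a deliberately crude assumption noted in the code.

```python
"""Flag links whose visible text names one domain but whose href points elsewhere.

Added example, not part of the original article. The HTML below is constructed
to mimic a renewal-reminder lure; the domains in it are placeholders, not the
real registrar or any real phishing host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a lure: the anchor text shows the expected domain,
# the href goes to a look-alike host. All hostnames are invented.
SAMPLE_HTML = """
<p>Your domain example.co.uk is about to expire.</p>
<a href="https://login.example-renewals.net/signin">https://www.example-registrar.co.uk/account</a>
<a href="https://www.example-registrar.co.uk/help">Help centre</a>
<a href="http://203.0.113.10/login">www.example-registrar.co.uk</a>
"""


def registrable_domain(host: str) -> str:
    """Crude 'site' reduction: keep the last two labels, or three when the
    second-level label is a common public suffix such as co.uk.
    Assumption: good enough for a demo; production code should use the
    public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    if (len(labels) >= 3 and labels[-2] in {"co", "org", "gov", "ac", "com", "net"}
            and len(labels[-1]) == 2):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> that carries an href."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html: str) -> list[dict]:
    """Return links where the displayed text looks like a URL or hostname whose
    registrable domain differs from the href's, or where the href is a bare IP."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = urlparse(href).hostname or ""
        # What the reader believes they are clicking: parse the text as a URL,
        # prefixing a scheme if it is a bare hostname.
        shown = text if "://" in text else "http://" + text
        shown_host = urlparse(shown).hostname or ""
        reasons = []
        if href_host.replace(".", "").isdigit():
            reasons.append("href is a bare IP address")
        if (shown_host and "." in shown_host and " " not in text
                and registrable_domain(shown_host) != registrable_domain(href_host)):
            reasons.append(f"text shows {shown_host} but href goes to {href_host}")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_HTML):
        print(finding)
```

Run against the constructed sample, the first and third links are flagged and the genuine help-centre link is not. The same check belongs in a mail gateway or a user-reporting tool; a human hovering over links is the manual version of it.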
Very similar to phishing in its aim, this involves gathering as much information about the victim as possible. By reading through your social media accounts, hackers can gather a lot of personal information, such as the things you like, a pet’s name or which school you went to. All of these are clues to what your password may be, or even the answers to your account-recovery questions.
There are even tools that do all the work for the criminal, for example a search spider. These are very similar to the bots that crawl the internet helping search engines to index content, except that the target is a single person’s online footprint.
Social engineering is all about using human psychology to evoke powerful emotions such as urgency, curiosity, fear, desire, or even sympathy.
The attacker will impersonate someone, usually an authority figure, whom you are likely to believe and trust, in order to get you to hand over your credentials or to reply to an email demanding that an invoice be paid immediately.
Again, we see the cybercriminal aiming at the user rather than at the technology, as it is the easiest and cheapest way to infiltrate any system. Businesses tend to spend heavily on solutions to protect their data, but it is just as important to ensure that your employees are educated and safe online.
In fact, social engineering does not require the hacker to be a programming expert; anyone can successfully execute this attack, which is what makes it so dangerous and so important to look out for.
There are also different types of malware built for stealing passwords, so the attacker does not need to crack anything. One example is a backdoor Trojan, which grants the hacker full access to your device; once in, they can grab your personal data, passwords, bank details and much more.
Another example is a keystroke logger, which has been around for a long time but is still just as successful. This malware records all your keystrokes, everything you type, passwords included, and sends the gathered information directly to the cybercriminal.
There is also malware that scans your device for any passwords saved in your browser, which are typically stored in a form the malware can decrypt once it is running as your user.
Brute force attack
As the name suggests, the hacker ‘forces’ their way into your account by trying password after password until one works. Offline, against a stolen hash computed with a fast algorithm, modern cracking rigs try billions of guesses per second, so the attack works very well if your password is short or simple.
There are tools, easily accessible to anyone online, that do all the work by going through every possible combination. All the cybercriminal has to do is sit back and wait. How long depends on the length and character set of your password and on how fast the hash can be computed: seconds for a short lowercase password, longer than the attacker’s lifetime for a long random one.
There are also vast numbers of stolen credentials being sold, or freely available, on the dark web. And because users tend to reuse the same or similar passwords across accounts, cybercriminals take these lists and try them against many other services until there is a match.
A dictionary attack is a type of brute force attack in which the attacker uses a dictionary: a list of the words, phrases or numbers that your password most likely contains, usually combined with a list of the most-used passwords, which works surprisingly well because users still pick common passwords.
In fact, a recent survey showed a shocking list of the 10 most popular passwords this year:
If you are using any of the passwords above, you are inviting attackers straight into your business data.
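To make the brute force and dictionary sections above concrete, here is an added example (not code from the article or from any cracking tool) of offline guessing against a dump of unsalted SHA-256 hashes: a short wordlist is expanded with a handful of the mangling rules real crackers apply (capitalisation, digit and year suffixes), then a pure brute-force sweep is run for a password the wordlist misses, counting how many guesses it takes. The hashes, the wordlist and the user names are all constructed for the demo; real tools ship thousands of rules and run on GPUs, so the relative cost, not the absolute one, is the point.

```python
"""Offline guessing against password hashes: wordlist with rules, then brute force.

Added example, not from the original article. Hashes below are SHA-256 of
constructed passwords; the wordlist is a constructed stand-in for the
"most used passwords" lists attackers download.
"""
import hashlib
import itertools
import string

# Constructed: what an attacker holds after dumping an unsalted SHA-256 store.
TARGETS = {
    "alice": hashlib.sha256(b"password1").hexdigest(),
    "bob":   hashlib.sha256(b"Summer2023!").hexdigest(),
    "carol": hashlib.sha256(b"zqkm").hexdigest(),   # short and random-looking
}

# Constructed stand-in for a leaked "most used passwords" list.
WORDLIST = ["123456", "password", "qwerty", "summer", "letmein", "welcome"]


def mangle(word: str):
    """A few common cracker rules: as typed, capitalised, upper-cased, then
    digit suffixes and year + symbol suffixes on each of those."""
    base = {word, word.capitalize(), word.upper()}
    for w in base:
        yield w
        for n in range(10):
            yield f"{w}{n}"
        for year in ("2022", "2023", "2024"):
            yield f"{w}{year}"
            yield f"{w}{year}!"


def sha256_hex(candidate: str) -> str:
    return hashlib.sha256(candidate.encode()).hexdigest()


def dictionary_attack(targets: dict, wordlist) -> dict:
    """Return {user: password} for every hash matched by a mangled wordlist entry.
    Every candidate is hashed once and checked against all targets at the same
    time, which is why one dump of many users costs no more than one user."""
    wanted = {h: user for user, h in targets.items()}
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            h = sha256_hex(cand)
            if h in wanted and wanted[h] not in found:
                found[wanted[h]] = cand
    return found


def brute_force(target_hash: str, alphabet: str = string.ascii_lowercase, max_len: int = 4):
    """Exhaust every string over `alphabet` up to max_len; return (password, guesses)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for tup in itertools.product(alphabet, repeat=length):
            guesses += 1
            cand = "".join(tup)
            if sha256_hex(cand) == target_hash:
                return cand, guesses
    return None, guesses


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates an exhaustive search must cover at exactly `length`."""
    return alphabet_size ** length


if __name__ == "__main__":
    print("dictionary:", dictionary_attack(TARGETS, WORDLIST))
    print("brute force:", brute_force(TARGETS["carol"]))
    print("26^4 =", keyspace(26, 4), "   95^12 =", keyspace(95, 12))
```

The dictionary pass recovers the two "human" passwords after a few hundred hashes; the four-letter lowercase one falls to brute force inside 26^4 guesses, a fraction of a second even in Python. Compare that keyspace with 95^12 for a twelve-character password drawn from the full printable set to see why length and randomness, not a trailing digit or exclamation mark, are what actually slow an attacker down.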
How Rainbow tables are used for password-cracking
To understand rainbow table attacks you need to know about hashing. Put simply, a hash function is a one-way algorithm that turns a password into a fixed-length string; security systems store that hash rather than the password itself, and check a login by hashing whatever you typed and comparing the result.
So a hacker may have obtained your passwords, but, unfortunately for them, the passwords are hashed. They look nothing like the original credentials and cannot simply be decrypted, because hashing is not encryption; there is no key to unlock them. This is where a rainbow table comes in: a huge precomputed set of hash values and the plaintexts that produce them, built once and reused, so that the attacker only has to look each stolen hash up rather than guess.
Quite often an attacker will focus their efforts on gaining access to a core server where the hashes are stored; then it is a simple case of comparing each one against the massive set of hashes in a rainbow table to recover the password. The caveat is that a table only works when the hashes are unsalted: if each password is hashed together with a per-user random salt, the attacker would need a separate table per salt, which is impractical, and a deliberately slow algorithm such as bcrypt, scrypt, Argon2 or PBKDF2 makes even per-user guessing far more costly.
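The following is an added example, not the article's own code, that shows both halves of the rainbow table section: a precomputed hash-to-plaintext table applied to a constructed dump of unsalted SHA-256 hashes, and the defence that makes the table useless, a random per-user salt with a slow key-derivation function (PBKDF2 from the standard library is used here; bcrypt or Argon2 would be the usual production choices). A plain dictionary stands in for the rainbow table, which reaches the same lookup through hash chains to save storage. The candidate list, the user names and the dump are constructed for the demo.

```python
"""Why an unsalted hash store falls to a precomputed table and a salted one does not.

Added example, not code from the article. The 'table' here is a plain
dictionary built from a constructed candidate list; a real rainbow table
stores hash chains instead of every pair, but answers the same question:
which plaintext produced this hash?
"""
import hashlib
import hmac
import os

# Constructed candidate list; a real table would hold billions of entries.
CANDIDATES = ["123456", "password", "qwerty", "letmein", "Summer2023!", "welcome1"]

# Constructed: a dump of unsalted SHA-256 hashes taken from a server.
UNSALTED_DUMP = {
    "alice": hashlib.sha256(b"password").hexdigest(),
    "bob":   hashlib.sha256(b"Summer2023!").hexdigest(),
    "carol": hashlib.sha256(b"correct horse").hexdigest(),   # not in the table
}


def build_lookup_table(candidates, algo: str = "sha256") -> dict:
    """Precompute hash -> plaintext once; reusable against every unsalted dump."""
    return {hashlib.new(algo, c.encode()).hexdigest(): c for c in candidates}


def crack_unsalted(dump: dict, table: dict) -> dict:
    """dump is {user: hex_hash}. One dictionary lookup per hash, no hashing at attack time."""
    return {user: table[h] for user, h in dump.items() if h in table}


# --- the defence: a random salt per record and a slow KDF ---
def store_password(password: str, iterations: int = 200_000) -> dict:
    """Return the record a server should keep instead of a bare hash."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iters": iterations, "hash": dk.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def table_hits_on_salted(records: dict, table: dict) -> int:
    """How many salted records a precomputed table resolves: always zero,
    because the table was built without any of these salts."""
    return sum(1 for rec in records.values() if rec["hash"] in table)


if __name__ == "__main__":
    table = build_lookup_table(CANDIDATES)
    print("unsalted dump cracked:", crack_unsalted(UNSALTED_DUMP, table))
    salted = {user: store_password(pw) for user, pw in
              [("alice", "password"), ("bob", "Summer2023!"), ("dave", "password")]}
    print("same password, different records:", salted["alice"]["hash"] != salted["dave"]["hash"])
    print("table hits on salted store:", table_hits_on_salted(salted, table))
```

Two users with the same password end up with different records, so a table matching one tells the attacker nothing about the other, and each guess now costs 200,000 hash iterations instead of one. The attacker is pushed back to per-user dictionary guessing at a small fraction of the speed, which is exactly the trade the defender wants.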
This method is used once the cybercriminal has physical or network access: to your device, or to your premises, where they can join your wireless network and capture traffic. It only works against traffic that is not encrypted, so anything sent over plain HTTP, FTP, Telnet or old-style mail protocols is exposed unless it travels inside TLS or a VPN.
A network analyser (packet sniffer) displays every password sent in the clear in a crystal-clear format. These powerful tools can gather thousands of passwords from a network in a matter of hours.
What is worrying is that some of these programs are free and open source, like Wireshark, available on the web for anyone.
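As an added example (not code from the article or from Wireshark), this shows what a sniffer actually extracts from the reassembled TCP streams a tool like Wireshark presents under "Follow TCP Stream": an HTTP Basic authorisation header, which is only base64-encoded, not encrypted, and an FTP USER/PASS exchange. The three "captured" payloads are constructed byte strings, including one TLS record, to show that the same login over an encrypted channel yields nothing to the parsers; the hostnames and credentials in them are invented.

```python
"""What a sniffer recovers from cleartext protocols: HTTP Basic auth and FTP logins.

Added example, not from the article. The 'captured' payloads below are
constructed byte strings, as they would appear in a TCP stream reassembled
by a packet analyser; no real traffic is involved.
"""
import base64
import re

# Constructed: payload of an HTTP request over plain port 80.
HTTP_STREAM = (
    b"GET /admin HTTP/1.1\r\n"
    b"Host: intranet.example.test\r\n"
    b"Authorization: Basic YWxpY2U6U3VtbWVyMjAyMyE=\r\n"
    b"\r\n"
)

# Constructed: an FTP control-channel conversation; only the client lines matter.
FTP_STREAM = (
    b"220 ftp.example.test ready\r\n"
    b"USER bob\r\n"
    b"331 Password required\r\n"
    b"PASS letmein\r\n"
    b"230 Login successful\r\n"
)

# Constructed: the same login over port 443 is an opaque TLS application-data record.
TLS_STREAM = b"\x17\x03\x03\x00\x2a" + bytes(range(42))


def http_basic_credentials(stream: bytes):
    """Pull (user, password) out of an Authorization: Basic header, if present."""
    m = re.search(rb"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\r?$", stream, re.M)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, pw = decoded.partition(":")
    return user, pw


def ftp_credentials(stream: bytes):
    """Pull (user, password) out of FTP USER and PASS commands, if both are present."""
    user = re.search(rb"^USER (\S+)\r?$", stream, re.M)
    pw = re.search(rb"^PASS (\S+)\r?$", stream, re.M)
    if user and pw:
        return user.group(1).decode(), pw.group(1).decode()
    return None


def harvest(stream: bytes):
    """Try each cleartext parser in turn; an encrypted stream matches none of them."""
    return http_basic_credentials(stream) or ftp_credentials(stream)


if __name__ == "__main__":
    for name, stream in [("http", HTTP_STREAM), ("ftp", FTP_STREAM), ("tls", TLS_STREAM)]:
        print(name, "->", harvest(stream))
```

The point of the TLS sample is the negative result: the fix is not a cleverer sniffer defence but removing the plaintext protocols (force HTTPS, replace FTP and Telnet with SFTP and SSH, require STARTTLS or implicit TLS for mail) so that there is nothing for the analyser to read.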
This one need not even involve a skilled attacker; sometimes it is simply an opportunist who sees your password and uses it. It is the technique of looking over your shoulder at your screen or keyboard and gathering sensitive information by reading what you type.
It’s common for employees to use their personal or work devices in public places. We all do it. But that’s when a criminal can look over your shoulder.
Recent research conducted at the University of Texas and the University of Oklahoma found that it is possible to recover what you are typing from a video call with remarkable accuracy. Although accuracy drops once the same technique is tried outside the lab in the real world, it could become a new technique attackers use to get access to your business data.