Can You Guess What Game Hackers Love to Use to Hide Malware?

By | 10/09/2022

For many years, passwords were considered to be an adequate form of protecting privacy when information technology came to the digital world. All the same, as cryptography and biometrics started to become more widely available, the flaws in this simple method of authentication became more noticeable.

It’s worth taking into account the role of a leaked password in 1 of the biggest cyber security stories of the last ii years, the SolarWinds hack. It was revealed that ‘solarwinds123’, a password created and leaked by an intern, had been publicly accessible through a private GitHub repository since June 2018, enabling hackers to plan and carry out the massive supply chain attack.

Despite this, even if the password hadn’t been leaked, it wouldn’t have been hard for attackers to estimate information technology. In the words of The states politician Katie Porter, about parents utilise a stronger password to stop their children from “watching too much YouTube on their iPad”.

Passwords that are weak or piece of cake to judge are more mutual than you might expect: contempo findings from the NCSC establish that around one in vi people uses the names of their pets as their passwords, making them highly predictable. To brand matters worse, these passwords tend to exist reused across multiple sites, with one in three people (32%) having the aforementioned password to admission different accounts.

It should come every bit no surprise that passwords are the worst nightmare of a cyber security expert. To remedy this upshot, there are steps worth taking, like implementing robust multi-layer authentication. It is as well worthwhile mitigating risks to consider the steps cyber criminals must have to hack your account and “know your enemy”. Nosotros’ve put together the pinnacle 12 password-smashing techniques used by attackers to enable you and your business organization to exist meliorate prepared.

12 password-cracking techniques used by hackers:

i. Phishing

Padlock being lifted by a fishing hook on a blue background to symbolise phishing attacks

Shutterstock

Phishing is among the almost common password-stealing techniques currently in use today and is often used for other types of cyber attacks. Rooted in social engineering tactics, its success is predicated on beingness able to deceive a victim with seemingly legitimate information while acting on malicious intent.

Businesses are highly aware of the widespread phishing attempts on their employees and often acquit phishing training exercises on them, both with explicit find and on unwitting individuals. Usually carried out through email, success with phishing can too be accomplished with other communication forms such as over SMS text messaging, known as ‘smishing’.

Phishing typically involves sending an email to a recipient while including as many elements inside the email as possible to make it announced legitimate i.e. company signatures, correct spelling and grammer, and more sophisticated attacks recently adhere onto existing email threads with phishing coming later in the attack concatenation.

From there, attackers will try and encourage the user into downloading and opening a malicious document or another blazon of file – ordinarily malware – to achieve any the assailant wants. This could be stealing passwords, infecting them with ransomware, or even staying stealthily hidden in the victim’southward environs to act as a backstairs for future attacks performed remotely.

Related Resource

The best defense force confronting ransomware

How ransomware is evolving and how to defend against it

Blue padlock Free download

Computer literacy has increased over the years and many users are well trained in how to spot a phishing email. The telltale clues are at present widely known, and people know when and how to report a suspicious e-mail at work. Only the very all-time campaigns are genuinely convincing, like with the aforementioned electronic mail hijack campaigns.

The days of emails from supposed princes in Nigeria looking for an heir, or firms acting on behalf of wealthy deceased relatives, are few and far betwixt these days, although you can still find the odd, wildly extravagant, merits hither and there.

Our recent favourite is the case of the first Nigerian astronaut who is unfortunately lost in space and needs usa to deed as a man in the middle for a $3 million dollar transfer to the Russian Space Agency – which apparently does render flights.

2. Social applied science

Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things similar network access passwords in society to provide assistance. This tin can be just as constructive if done in person, using a fake compatible and credentials, although that’south far less common these days.

Successful social engineering attacks tin can exist incredibly convincing and highly lucrative, as was the instance when the CEO of a United kingdom of great britain and northern ireland-based energy company lost £201,000 to hackers later on they tricked him with an AI tool that mimicked his assistant’southward voice.

iii. Malware

Skull mixed within computer code

Keyloggers, screen scrapers, and a host of other malicious tools all fall nether the umbrella of malware, malicious software designed to steal personal data. Alongside highly disruptive malicious software similar ransomware, which attempts to cake access to an entire organization, there are also highly specialised malware families that target passwords specifically.

Keyloggers, and their ilk, record a user’s action, whether that’due south through keystrokes or screenshots, which is all then shared with a hacker. Some malware will fifty-fifty proactively hunt through a user’due south system for countersign dictionaries or information associated with spider web browsers.

4. Animate being force set on

A sledgehammer smashing through a white wall

Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in social club to admission a system.

A simple example of a brute force attack would be a hacker but guessing a person’southward password based on relevant clues, all the same, they tin exist more sophisticated than that. Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which volition have been exposed by previous data breaches. Reverse brute forcefulness attacks involve hackers taking some of the most usually used passwords and attempting to guess associated usernames.

Well-nigh brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.

five. Dictionary assail

Sticky notes on a monitor displaying assorted passwords

Shutterstock

The dictionary attack is a slightly more sophisticated instance of a animate being force attack.

This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries volition be made up of credentials gained from previous hacks, although they volition as well contain the most common passwords and give-and-take combinations.

This technique takes reward of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems volition urge the use of multiple grapheme types when creating a password.

6. Mask attack

Abstract image of glowing binary in red and blue

Where dictionary attacks employ lists of all possible phrase and word combinations, mask attacks are far more specific in their telescopic, often refining guesses based on characters or numbers – usually founded in existing knowledge.

For case, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to merely try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that tin be used to configure the mask.

The goal hither is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.

7. Rainbow table attack

Image of a rainbow arching across a blue sky

Whenever a password is stored on a system, it’southward typically encrypted using a ‘hash’, or a cryptographic alias, making it impossible to make up one’s mind the original password without the corresponding hash. In gild to featherbed this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to pause into a system (used in animate being forcefulness attacks).

Rainbow tables go one step further, every bit rather than simply providing a password and its hash, these shop a precompiled list of all possible plain text versions of encrypted passwords based on a hash algorithm. Hackers are and then able to compare these listings with any encrypted passwords they discover in a company’due south organisation.

Much of the ciphering is done earlier the attack takes place, making it far easier and quicker to launch an attack, compared to other methods. The downside for cyber criminals is that the sheer volume of possible combinations means rainbow tables can be enormous, oftentimes hundreds of gigabytes in size.

viii. Network analysers

Abstract image of a network of interconnected points on a black background

Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the obviously text passwords contained within.

Such an set on requires the use of malware or physical access to a network switch, only it can show highly constructive. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicative to well-nigh internal networks. Information technology’s besides common to utilise network analysers as role of the first phase of an attack, followed upwardly with brute force attacks.

Of grade, businesses can apply these same tools to scan their own networks, which can be specially useful for running diagnostics or for troubleshooting. Using a network analyser, admins tin spot what information is beingness transmitted in plain text, and put policies in place to preclude this from happening.

The only way to forestall this attack is to secure the traffic past routing it through a VPN or something similar.

9. Spidering

Spidering refers to the procedure of hackers getting to know their targets intimately in order to learn credentials based on their activity. The procedure is very similar to techniques used in phishing and social engineering science attacks, merely involves a far greater amount of legwork on the part of the hacker – although it’due south generally more successful as a result.

Related Resource

Vulnerability and patch management

Go on known vulnerabilities out of your It infrastructure

Whitepaper cover with dark red smoke-like graphic on black backgroundCostless Download

How a hacker might use spidering will depend on the target. For example, if the target is a large visitor, hackers may attempt to source internal documentation, such equally handbooks for new starters, in order to become a sense of the sort of platforms and security the target uses. Information technology’s in these that you oftentimes find guides on how to admission certain services, or notes on office Wi-Fi usage.

It’s frequently the example that companies will use passwords that relate to their concern action or branding in some way – mainly considering it makes information technology easier for employees to recollect. Hackers are able to exploit this by studying the products that a business concern creates in society to build a hitlist of possible discussion combinations, which can be used to back up a animate being force attack.

As is the instance with many other techniques on this list, the process of spidering is unremarkably supported by automation.

10. Offline neat

Ethernet cable disconnected from the back of a router

It’s important to remember that not all hacking takes place over an net connection. In fact, most of the work takes place offline, particularly every bit most systems place limits on the number of guesses immune before an account is locked.

Offline hacking usually involves the process of decrypting passwords by using a list of hashes likely taken from a contempo data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.

Of grade, this tin can simply be done in one case an initial set on has been successfully launched, whether that’s a hacker gaining elevated privileges and accessing a database, past using a SQL injection attack, or by stumbling upon an unprotected server.

11. Shoulder surfing

You might think the idea of someone looking over your shoulder to see your password is a product of Hollywood, but this is a genuine threat, even in 2020.

Brazen examples of this include hackers disguising themselves in lodge to proceeds access to company sites and, quite literally, look over the shoulders of employees to grab sensitive documents and passwords. Smaller businesses are mayhap virtually at adventure of this, given that they’re unable to police their sites as effectively as a larger organisation.

Security experts recently warned of a vulnerability in the hallmark process used by WhatsApp. Users trying to utilize WhatsApp on a new device must get-go enter a unique lawmaking that’south sent via a text message, which can be used to restore a user’s business relationship and chat history from a backup. It was constitute that if a hacker was able to obtain a user’s phone number, they are able to download the app to a clean device and issue a prompt for a new code, which, if they are in spying distance, they could copy equally it arrives on the user’southward own device.

12. Guess

Image of a man thinking in front of a board filled with abstract ideas

If all else fails, a hacker tin always endeavour and judge your password. While at that place are many password managers available that create strings that are impossible to guess, many users all the same rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is ofttimes independent in the very profile pages that the countersign is trying to protect.

The best way to remove this equally a potential avenue for criminals is to maintain password hygiene and make use of countersign managers, many of which are free.

Featured Resource

What is contextual analytics?

Creating more customer value in HR software applications

Free Download

Organisations are improving the way they consume data centre infrastructure

Dell Technologies delivers on every bit-a-Service with Noon data storage services

Costless Download

Can’t choose between public and private cloud? You don’t have to with IaaS

Relish a cloud-like experience with on-bounds infrastructure

Free Download

Evaluating modern enterprise storage

Dell EMC PowerStore is mod enterprise storage designed to address the needs of our new era

Free Download

Source: https://www.itpro.co.uk/security/34616/the-top-password-cracking-techniques-used-by-hackers