Account Hijacking: How It Happens and What Can You Do to Prevent It

Account Hijacking

Account hijacking is a serious problem. In effect, it's a form of identity theft, and the consequences could be devastating. If your social media profile is compromised, for example, crooks can get in touch with your friends and send them malicious links or files. The same goes for your email, although with it, they can also change the passwords for the rest of your accounts and leave you locked out. If they break into your bank account or an account that has your social security number, the consequences could be even more serious.

How do cybercrooks manage to get access to your accounts?

There are several options and we'll now list the most common ones.

Password guessing. If you've locked your account with an easy-to-guess password, you've unwittingly laid the red carpet for the criminals. Resourceful crooks that have set their sights on ruining your online life can learn quite a lot about you if they're determined enough. They can check out your Facebook profile, for example, and see that you have a dog called "Fido." If you've used this as a password (or as an answer to your security question), they can get in easily.

Guessing a password is a lot of manual labor, and hackers don't like manual labor. That's why they've developed automatic tools that can try common (and not so common) passwords at rates of millions of guesses per second. These tools have evolved quite a bit over the last few years, and they now "know" that you tend to capitalize the first letter of your password. They also know that when a website tells you to add a special character to your password, you just put an exclamation mark at the end.

Insecure password storage. When you sign up for an account, the service provider must store your password in order to make authentication possible. It can't (or, more precisely, shouldn't) just put your password in an Excel spreadsheet, though.

Vendors should hash your password. Hashing is a one-way cryptographic function that turns your password into an unintelligible string of characters. Before hashing it, however, the service provider should ideally salt it. Salting means adding a unique string to the end of your password which ensures that identical passwords don't produce the same hash value. Finally, the service provider needs to store your salted and hashed password in a database that is not easily accessible.

Unfortunately, not all vendors take the necessary measures, and sometimes, it's trivially easy for crooks to get their hands on a vast number of passwords.

Password reuse. When they have your login credentials for a specific website, hackers can often log in to the account at the said website without any problems. They'll try the same username and password combination on other websites as well, though, and if you've reused your password, they'll be able to successfully hijack the rest of your accounts. In fact, the attack is called "credential stuffing," and its popularity is growing. To avoid raising suspicion because of the many login attempts from a single IP, the crooks have even created botnets (networks of infected computers spread all around the world) with the purpose of carrying out credential stuffing attacks on a large scale.

Password theft. The first of Microsoft's Immutable Laws of Security says that "If a bad guy can persuade you to run his program on your computer, it's not your computer anymore." A few sentences later, they say that "when a computer program runs, it will do what it's programmed to do, even if it's programmed to be harmful." Unfortunately, some malicious programs are programmed to steal passwords from your computer. Some of them will scrape the login credentials you've saved in your browser. Others will log your keystrokes. Others still can steal the Excel spreadsheet you use to save the username and password combinations for the different websites.

Phishing. It's one of the simplest cyberattacks out there, and many people think that they're too smart to fall for the lure. In reality, however, cybercriminals have upped their social engineering game so much, that even well-educated and tech-savvy users fall victims to phishing attacks sometimes. Nowadays, phishing pages are extremely well-crafted, and some even come with SSL certificates which make them look legitimate. Meanwhile, the emails that link to them usually call for urgent action (for example, "Suspicious activity detected on your account. Click here to log in and see if anything's missing."), which means that users are more likely to be too distracted to see that they're led to a suspicious website.

Now that we know some of the tricks of the cybercrooks' trade, it's time to take a look at what we can do to stop account hijacking attacks.

Prevention is the mother of all cures

Cleaning up the mess after your personal information has already been compromised is a nuisance. First, you have to change your password (or passwords if you've reused the same credentials on numerous websites). This, in and of itself, can be a bit of a nightmare, and as if that wasn't enough, you need to check all the rest of your accounts, just to make sure that they're not touched in any way. It's best not to let your accounts get compromised in the first place, and while there is no magic bullet, there are several steps you can take to minimize the risk.

Be careful. The Internet is a big place, and threats lurk around every corner. Be careful with the emails you receive and the links you click, even when they look like they're coming from a legitimate source. If your bank (or someone impersonating your bank) tells you that you need to do something with your account, for example, don't click the link in the email (sending login links via email is not the best security practice anyway). Instead, open a new tab in your browser, navigate to your bank's website, make sure that the URL is correct, and log in from there. If you're not sure about something, contact your bank and ask if the email you've just received is real. In some cases, this is all that's necessary to stop you from visiting phishing pages and handing over your login credentials to crooks.

Keep your software updated. Up-to-date software can't guarantee 100% security, but it's much more likely to be able to deal with the tons of new malware threats that appear every day. Browsers, PDF readers, AV products and all the rest of the programs should have their automatic updates turned on. It's risk mitigation 101.

Enable two-factor authentication. As we mentioned already, you never know when a lazy website administrator is going to put your plain text password in a database that is accessible from anywhere in the world. When crooks find it, there will be nothing to stop them from hijacking your account. Unless, of course, you have two-factor authentication enabled.

Two-factor authentication means that when you're logging in, you'll need to provide something you know (your password) and something you have (usually, a temporary code that is emailed/texted to you or generated by an app on your smartphone). If two-factor authentication is on, your login credentials will be as good as useless for the criminals because they won't have the temporary code.

The login process does take a fraction longer, but two-factor authentication adds another layer of security that could be enough to keep your information safe. Unfortunately, it's not as widely adopted as it should be. Most major platforms offer it, but some websites still don't. Do take the time to check if it's available, and if it is, make sure it's on.

Use a password manager. A password management application is the easiest solution to the password problem. Human beings are just too predictable when it comes to creating strong passwords, and when they do get it right, they're not terribly good at remembering them.

A dedicated password management application like Cyclonis Password Manager will let you create strong, unique passwords for all your accounts, and it will remember them for you. The information is accessible through a single master password, and it can be synced across all your devices thanks to the cloud storage option. At the same time, the additional features provided by the browser extension will transform the way you perform regular tasks online. It's a convenient way of sticking to the best password practices. It's also free.

By Duran
April 17, 2018
Tips
English
April 17, 2018
Tips

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Tips

I Forgot My Cyclonis Password Manager Master Password. What Do I Do?

You might be wondering, 'Why would I want to store my passwords with Cyclonis Password Manager when Google Chrome can do the same thing for me?' There are a couple of good reasons for choosing a dedicated app like... Read more

March 28, 2018
Tips

Saving Time With Cyclonis Password Manager

When you're lost in a foreign country, you open your mobile phone and let the navigation app guide you to your destination. When you're arguing with a friend about who the 1996 Super Bowl winner was, you Google your... Read more

April 10, 2018
Tips

Do I Need to Change My Passwords Every Few Months?

Your password is too old, and you must change it. If you've been on the Internet for long enough, you've probably heard this advice. But does it still hold water? It's an important question that, unfortunately,... Read more

March 14, 2018
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.