Phishing Attacks

Phishing attacks are methods that hackers and thieves use to try to obtain sensitive information. This includes usernames, passwords, and credit card details, all for malicious purposes.

Some phishing techniques include:

  • Email/Spam
  • Trojan Hosts
  • Link Manipulation
  • Key Loggers
  • Content Injection
  • Phone Phishing
  • Malware Phishing

In this article, I am going to be talking about two of the main types of phishing attacks that people encounter every day. These attacks are done through email and over the phone.

Email and spam attacks are when phishers send one email to many users, usually impersonating banks, your email provider, or other trusted institutions. For example, you may get an email from “Amazon” with a link to confirm your password in order to get a free promotional gift card or to confirm security details. If you click it, you will most likely be taken to a page that is identical to the Amazon login page. If you look at the address bar, it will be a dead giveaway that it is not the official page because there will not be HTTPS or a secure certificate. If you are not careful and you enter your username and password, they will be captured and saved in a database of stolen logins. The victim often will not know, because after you enter your information, you will be redirected to the official Amazon.com page. Using this information, hackers can sell your account or make expensive purchases using your credit card. To protect yourself, you should check what links you click and the sites you visit, as some sites may use cross-site scripting to trick you into entering your information. Always think twice before you submit your passwords to any site.
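The address-bar check described above can be automated. The following is an added example, not part of the original post; it goes beyond the HTTPS check in the text by also comparing the host name with the site you meant to visit, since a lookalike host fails that comparison whether or not it has a certificate. The trusted-domain list and the sample links are constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumption: the sites the user actually intends to log in to.
TRUSTED_DOMAINS = {"amazon.com"}

# Constructed sample links, as they might appear in an email.
SAMPLE_LINKS = [
    "https://www.amazon.com/ap/signin",
    "http://amazon.com.account-verify.example/login",
    "https://amazon.com@login.example/ap/signin",
]


def check_login_link(url, trusted=TRUSTED_DOMAINS):
    """Return a list of warnings for a link; an empty list means none fired."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()

    if parts.scheme != "https":
        warnings.append("not HTTPS")
    # Anything before '@' is login info sent to the real host, not the site name.
    if parts.username is not None:
        warnings.append("text before '@' is not the site name")
    # Punycode labels can render as characters that imitate another name.
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("punycode host (possible lookalike characters)")
    # The host must be the trusted domain itself or a subdomain of it;
    # "amazon.com.account-verify.example" merely starts with the name.
    if not any(host == d or host.endswith("." + d) for d in trusted):
        warnings.append(f"host {host!r} is not a trusted domain")
    return warnings


def scan(links=SAMPLE_LINKS):
    """Map each link to its warnings."""
    return {link: check_login_link(link) for link in links}


if __name__ == "__main__":
    for link, found in scan().items():
        print(link, "->", found or "no warnings")
```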


Another common phishing attack is phone phishing. This is done by someone impersonating your bank or another company who tries to get you to tell them your personal information over the phone. They may try to convince you that your password needs to be updated, and they will ask you for it over the phone. Keep in mind that no trusted company would have the need to ask you for such a sensitive piece of data. They already have access to your account because they need it to help fix any issues. The phishers will not have this and may still try to ask you for your password. This is a giveaway that they are not who they claim to be. If you are suspicious in any way, hang up and call the number of the bank or company directly so you can verify the authenticity of the call. Most likely, the call before was a scam and should be blocked or blacklisted.


Both of these attacks are very common, and many people fall victim to them every day. They can lead to stolen identities and large sums of money going missing. If phishers get one of your passwords and it is the same as the other ones you use, they can put you in a very bad position. To learn more about creating secure passwords and managing them, please refer to my past article on this topic. Phishing scams can happen to anyone, and avoiding them requires you to always be alert about what you do online. Pay attention to what websites you visit and how you interact with them.

Passwords

Passwords are a large part of the online experience. They are required to check your email, buy something online, pay your bills, or post something on a forum. These days, we have so many accounts that we do not have the time to memorize all of the passwords, and we resort to using one password over and over again. This is a big mistake. If someone with wrong intentions gets your password for any account, the rest of your accounts are automatically compromised. With this one password, they can reset the rest of them, since services usually send you password reset emails. The hacker is now free to do online banking with something as simple as your Dominos Pizza app password.

To prevent this issue, you can use very long, complicated alphanumeric passwords. They should have at least 12 characters, include numbers, symbols, and capital and lowercase letters, and should not contain common dictionary words. Dictionary words can lead to your password being brute forced. You can also use the auto-generate function inside any popular password manager. These will create unique passwords every time, and they can be saved for you and autofilled online.
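The rules above, written out as a checker and a generator. This is an added example, not code from the original post or from any password manager; the short word list is a constructed stand-in for a real dictionary, and the default length of 20 is an assumption.

```python
import secrets
import string

MIN_LENGTH = 12  # minimum from the text above

# Constructed stand-in for a real dictionary or breached-password list.
COMMON_WORDS = {"password", "dragon", "letmein", "welcome", "monkey", "pizza"}

# One test per character class the text asks for.
CLASS_TESTS = {
    "lowercase letter": str.islower,
    "capital letter": str.isupper,
    "number": str.isdigit,
    "symbol": lambda c: not c.isalnum(),
}

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}"


def policy_problems(password):
    """Return every rule the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, test in CLASS_TESTS.items():
        if not any(test(c) for c in password):
            problems.append(f"no {name}")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            problems.append(f"contains dictionary word {word!r}")
    return problems


def generate_password(length=20):
    """Draw characters from the OS random source until every rule is met."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_problems(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("Pizza2016!", "DominosPizza1"):  # constructed weak samples
        print(sample, "->", policy_problems(sample))
    print(generate_password())
```

The generator uses `secrets` rather than `random` because `random` is not designed for security use.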


There are many popular password managers, including 1Password and LastPass. Both have strong encryption and rely on one very strong password to protect the others. This means you should memorize it very well, or you will lose your others. Consider keeping a physical copy of it in a secure location, such as a safe. Keeping plain text passwords and other important numbers on your computer is very insecure, and if you get a virus, you could lose a lot of data. This is one way identity theft can occur. To combat this, password managers can also be used to store other sensitive data, such as your credit card information and Social Security Number.

Using a password manager with automatically generated passwords for each account is a very good practice, even if you need to check for the password every time you need to log in to a service online. To fix this problem, password managers usually have a corresponding browser extension. If you enter your password into it, it will autofill your randomly chosen password, which can sometimes exceed 20 characters. Your passwords in these managers can also be synced between multiple devices, allowing for multi-platform support. The apps on Android and iOS support fingerprint authentication, allowing you to sign in to websites by scanning your finger. This is very convenient, but the long alphanumeric passwords keep you safe as well.

If you still feel that you need security, a good setting to enable would be two-factor or two-step authentication. This is when you need to log in with your regular password and a one-time code sent to your phone. Using this feature will make it very tricky for an attacker to log in remotely, as they do not have physical access to the short code, which is usually 5 or 6 digits long. Enabling this feature will be a little more cumbersome, but it adds a new layer of security to your online accounts.


Techradar.com has a good article on various password managers and which is right for you, as some are free, and some have more premium paid features. Picking the right one is crucial for you to keep all your passwords securely in one place, across all your devices.

While it might be crucial to have strong passwords now, we are already heading into a future of biometric authentication, using our fingers and eyes as passwords to everything in our lives. These methods are becoming increasingly accurate, and they will eventually get rid of the complicated mess called passwords. Until then, your best option is to use very strong passwords, a manager to keep all of them safe, and two-factor authentication.

Think before installing apps – Kali Linux and Android Exploitation

Android is a very popular operating system that has many features. One very big feature is the ability to install APKs (Android Package Files) from any source. These APKs are also known as Android apps. However, not all apps are safe, as they can contain malware that can infect your device and steal your information.

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is used by many security professionals to analyze and protect networks and devices, but can also have nefarious purposes. Hackers use it to steal data and gain unauthorized access to networks and devices that have not been protected. To do these things, Kali Linux has many tools built in, such as aircrack-ng (WiFi hacking), burpsuite (password brute forcing), and more.

For Android Exploitation, there is a tool in Kali Linux called Metasploit, which is designed to create things called payloads and use them to run exploits on a remote target machine. Using Metasploit, it is possible to create a payload for Android and then distribute the exploit using a simple .apk file. It can have access to almost every service and component on your phone, including the microphone, camera, and storage.


The attacker sets up his machine to receive information from the target by creating a multi handler for his local IP address. He also specifies a port number over which the information is sent. This is typically 8080 for HTTP traffic or 443 for HTTPS traffic. He then makes sure to set up a listener on this specific port. Once the app is opened on the victim’s device, it is compromised and the attacker can do almost anything he wishes. Before this, however, he needs to distribute it, which requires him to convince the user. He can do this by naming it something very inconspicuous, such as Game.apk. Once it is opened, it will be granted all the permissions required by the Android System.


As I shared above, you should be very careful about what apps you download from sources other than trusted marketplaces, such as Google Play or the Amazon App Store. Make sure to install a virus scanner to analyze what you are about to install and prevent your device from giving the app all your personal information.

Welcome to my blog!

My name is Vishal Vinjapuri, and I am a student at DVHS. I am very passionate about technology and security. Some of my other hobbies include coding Android apps and playing tennis. I am also currently a Boy Scout. This blog will be dedicated to cybersecurity and other things such as exploits and viruses. I will be posting once a week on a current threat or hack that I find interesting or valuable to share with others. My mission is to make people aware of cyberattacks and help them with tips to protect themselves. I want to help them specifically increase their personal information security and fortify their home networks, both of which are very vulnerable to attack. I am starting a volunteer organization, KSRCS (Keep SanRamon Cyber Secure), designed to evaluate your home network and your internet living behavior and help you fix any holes in security you may have.