HOW TO KEEP YOUR ONLINE ACCOUNTS SAFE FROM HACKERS

Introduction

Before we get into today's topic, it is important to be VERY careful what you search for, click, download, receive in your email's inbox, etc. Letting your guard down for even a few moments can put your online accounts, and PC/mobile device at massive risk. In most cases, it can turn your real life upside down!

What Are Info Stealers?

Info stealers are now among the most common forms of malware, alongside ransomware. They reach victims in a few ways: phishing emails that link to fake login pages asking for your email address and password, downloaded executable files, and even ordinary-looking files such as .svg and .html files (which can carry scripts), .pdf files, and .docx files with malicious macros. So what does an info stealer do? Its purpose is to steal the victim's crypto wallets, saved logins and session cookies for online accounts, banking information, and more. A malicious download can evade antivirus with simple tactics: padding itself to a huge file size (many scanners skip, or cannot upload, very large files), keeping the actual malicious code on a remote website and only fetching and executing it at run time, or arriving inside a password-protected zip file that the scanner cannot open. Once the stolen data is harvested, the attacker sells it on dark web markets as "logs". Whoever buys your data and accounts can then use them for their own purposes, such as spreading crypto scams, sending your contacts phishing emails, identity theft, etc.

A Tip To Spot Malicious Files (Local Attacks, NOT Online Attacks):

Whether you're on Windows, macOS, or Linux, keep your file manager in some form of "detailed list" view. The name of this feature differs between file managers. Switching from "large tiles" to "list mode" lets you see not only the (possibly fake) icon, but also the file's true extension and its size. Never trust a file name and an icon on their own; the extension and the size are what matter. If a file is abnormally large, or the icon doesn't match the extension, treat it as suspect and delete it. Don't rely on scanning it to decide that it's "safe" to open: false negatives are far too common. Attackers also like to hide an executable behind a double extension, such as "totallynotavirus.pdf.exe". The last extension is the one the operating system uses to open the file; the first one (.pdf here) only makes it APPEAR to be a PDF, especially in large tile mode. On Windows this is made worse by Explorer hiding known extensions by default, so "totallynotavirus.pdf.exe" is displayed as "totallynotavirus.pdf"; turn off "Hide extensions for known file types" in the folder View options so the real extension is always visible.
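The three checks above (last extension wins, icon/extension vs. real content, and size) can be scripted. The following is an added example written for this post, not the author's code: it walks a folder, flags double extensions such as "invoice.pdf.exe", compares each file's first bytes against what its extension promises, and flags padded files. The extension sets, the magic-byte table, SIZE_LIMIT and the sample files it creates are all assumptions constructed for illustration.

```python
"""Flag downloaded files whose name, extension or contents don't add up.

Added example, not code from the original post. The extension sets, the
magic-byte table and SIZE_LIMIT are assumptions chosen for illustration.
"""
import tempfile
from pathlib import Path

# Extensions the OS will run directly (assumed list; extend as needed).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".ps1",
                   ".js", ".vbs", ".msi", ".hta", ".lnk"}
# Extensions attackers borrow as a disguise in a double extension.
DOCUMENT_EXTS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".jpg", ".png", ".mp4"}
SIZE_LIMIT = 200 * 1024 * 1024  # 200 MiB; assumed "abnormally large" threshold

# First bytes ("magic") a file of each type should start with (constructed subset).
MAGIC = {
    ".pdf": (b"%PDF",),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".png": (b"\x89PNG",),
    ".jpg": (b"\xff\xd8\xff",),
    ".exe": (b"MZ",), ".scr": (b"MZ",),
}


def analyze_name(name):
    """Warnings derived from the file name alone."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes:
        return []
    real_ext = suffixes[-1]  # the OS only looks at the last extension
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and real_ext in EXECUTABLE_EXTS:
        return [f"double extension: looks like {suffixes[-2]} but opens as {real_ext}"]
    if real_ext in EXECUTABLE_EXTS:
        return [f"executable: {real_ext}"]
    return []


def analyze_content(name, head, size=None):
    """Warnings derived from the first bytes and the size of the file."""
    warnings = []
    ext = Path(name).suffix.lower()
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        if head.startswith(b"MZ"):  # Windows PE/DOS header hiding behind a document extension
            warnings.append(f"content is a Windows executable but extension is {ext}")
        else:
            warnings.append(f"content does not match {ext} header")
    size = len(head) if size is None else size
    if size > SIZE_LIMIT:
        warnings.append(f"abnormally large: {size} bytes")
    return warnings


def scan_directory(root):
    """Map each suspicious file path under root to its list of warnings."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(8)
        warnings = analyze_name(path.name) + analyze_content(path.name, head, path.stat().st_size)
        if warnings:
            findings[str(path)] = warnings
    return findings


def build_sample_dir():
    """Create a throwaway folder of constructed files: one disguised .exe, two genuine docs."""
    root = Path(tempfile.mkdtemp())
    (root / "invoice.pdf.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 60)  # PE header stub
    (root / "notes.pdf").write_bytes(b"%PDF-1.7\n%constructed\n")
    (root / "photo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    return str(root)


if __name__ == "__main__":
    for path, warnings in scan_directory(build_sample_dir()).items():
        print(path, "->", "; ".join(warnings))
```

Run it against your Downloads folder instead of the sample directory to get a quick list of files worth deleting before opening. A clean result is not proof of safety (a malicious .docx with macros passes every check here), which is exactly the false-negative problem mentioned above.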

Let's Talk About The Biggest Security Threat Of The Modern Day - Web Browsers

You are likely aware that data such as your browsing history exists. You may even have heard of "cookies". Many websites ask you to accept third-party cookies; those are a privacy question (tracking), not a direct security threat. There is another kind of cookie that almost nobody talks about, or even knows about: the one that proves to a website that you are logged in. Have you ever logged into a website once, and then been automatically signed in the next time you visited? That is this cookie at work. (Strictly speaking, browsers call a cookie that disappears when you close the browser a "session cookie", and one that survives a restart a persistent cookie; the login cookie that keeps you signed in for weeks is usually the latter. Some sites use "session tokens" held in local storage for the same job. This post calls all of them "session cookies" for simplicity's sake.) And THIS, ladies and gentlemen, is what hackers are after: whoever holds that cookie IS you as far as the website is concerned, with no password or 2FA prompt required.

Cookies are stored locally by your browser. You can see them by pressing F12 to open the developer tools and going to the Application panel (Chrome/Edge) or the Storage panel (Firefox), under "Cookies"; "Local Storage" sits right next to it and is where token-based sites keep theirs. Clear your browser's history, cookies and site data at least once a week. Info stealers target these cookies because most sites keep you signed in for weeks or months, so a browser that is never cleared holds live credentials for every site you have logged into over the years. Most people never clear this data, and thus create a bigger "blast radius" for themselves if an info stealer ever does get in. Regularly flushing these cookies shrinks that blast radius: there is little for the stealer to take. Be aware, though, that if you're signed into Google, one cookie covers all Google services (Drive, Gmail, YouTube, Photos, etc.), and the same goes for a Microsoft account (Outlook, OneDrive). Sign out of Google and Microsoft when you don't need them.

Any website you log into should be logged out of when you no longer need it. Logging out matters more than clearing cookies: the log out button tells the website to invalidate that session on its side, whereas clearing cookies only deletes your local copy, and a copy that was already stolen keeps working until it expires or is revoked. Do both: log out, and clear cookies in case you forgot to log out somewhere. Remember that every convenience a browser gives you comes at a security cost: staying signed in, saved passwords, autofill. Being more secure means sacrificing some convenience. This also means NOT installing any ol' browser extension/plugin! Extensions run inside your browser with access to the pages you visit, which makes them a favourite target: attackers buy up or imitate popular extensions and inflate download counts and reviews to appear "trustworthy", and a "verified" or "featured" badge is no guarantee, because the store reviews at Google or Microsoft do miss malicious extensions and malicious updates. Install only what you actually need, from developers you can identify. I bet you're thinking that this whole cybersecurity thing is a deep rabbit hole. It is. Let's move on to the next heading.
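To make the difference between "clear cookies" and "log out" concrete, here is an added example (not code from the original post) of a toy website backend and browser cookie jar. It shows that a copied session cookie logs in with no password, that wiping the browser's local copy leaves the server-side session alive, and that logging out (or the site's own expiry) is what actually kills it. The class names, the 24-hour lifetime and the "alice" account are assumptions made for the demonstration.

```python
"""Why a session cookie is worth stealing, and why logging out matters.

Added example, not code from the original post. SessionStore stands in
for a website's session table; Browser for the cookie jar. The lifetime
and the account details are assumptions, not any real site's behaviour.
"""
import secrets
import time

SESSION_LIFETIME = 24 * 60 * 60  # assumed: sessions live one day


class SessionStore:
    """Server side: maps bearer tokens to the user they belong to."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # token -> (username, expires_at)
        self._clock = clock  # injectable so expiry can be demonstrated

    def login(self, username, password, users):
        """Check the password once, then hand back a random bearer token."""
        if not secrets.compare_digest(users.get(username, ""), password):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[token] = (username, self._clock() + SESSION_LIFETIME)
        return token

    def whoami(self, token):
        """Any request carrying a live token is treated as that user; no password asked."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, expires_at = entry
        if self._clock() > expires_at:
            del self._sessions[token]
            return None
        return username

    def logout(self, token):
        """Server-side revocation: this is what the 'log out' button does."""
        return self._sessions.pop(token, None) is not None


class Browser:
    """Client side: the cookie jar. 'Clear cookies' only touches this."""

    def __init__(self):
        self.jar = {}

    def clear_cookies(self):
        self.jar.clear()


def run_scenarios():
    """Return a dict of outcomes for the three situations discussed in the post."""
    users = {"alice": "correct horse battery staple"}  # constructed account
    results = {}

    # Scenario 1: the victim only clears the browser's cookies.
    site, victim = SessionStore(), Browser()
    victim.jar["session"] = site.login("alice", users["alice"], users)
    stolen = dict(victim.jar)  # the info stealer's copy of the jar
    results["stolen_cookie_logs_in"] = site.whoami(stolen["session"]) == "alice"
    victim.clear_cookies()
    results["valid_after_local_clear"] = site.whoami(stolen["session"]) == "alice"

    # Scenario 2: the victim clicks "log out" before walking away.
    site, victim = SessionStore(), Browser()
    victim.jar["session"] = site.login("alice", users["alice"], users)
    stolen = dict(victim.jar)
    site.logout(victim.jar.pop("session"))
    results["valid_after_logout"] = site.whoami(stolen["session"]) == "alice"

    # Scenario 3: the site expires idle sessions; a fake clock jumps 25 hours.
    now = [1_700_000_000.0]
    site = SessionStore(clock=lambda: now[0])
    token = site.login("alice", users["alice"], users)
    now[0] += 25 * 3600
    results["valid_after_expiry"] = site.whoami(token) == "alice"
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Real sites differ in the details (signed tokens, refresh tokens, device binding), but the shape is the same: the cookie is the credential, and only the server can revoke it. Stolen cookies are also why a site that keeps you signed in for a year is a liability and a site that forces a fresh login is a feature.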

Types of Phishing Emails To Avoid:

- Emails disguised as critical security alerts. These scare you into "changing your password" on a page the attacker controls, which harvests your current password (and the new one) and lets them take over your email or other accounts. Never use the link in the email. Instead, open the website yourself (typed address or bookmark) and check the account's security notifications there. If the site really does show a problem, reset your password from inside the site. If you cannot get into your account at all, use the site's own account-recovery page, reached the same way, never the email's link.
- Emails disguised as a "sign back in notice" (these tell you you're "signed out of Google"). Ignore these emails entirely; if you want to check, open the site directly.
- Emails from an unknown source asking you to download a file.
- Blackmail Bitcoin scams (often called "sextortion" scams). These threaten to release sensitive footage of you doing... "freaky" things on your phone or computer to all your contacts, unless you send the scammer an arbitrary amount of Bitcoin to their wallet address. They frequently quote an old password of yours from a public breach to seem credible; that proves nothing except that you should have changed that password.
- Emails that claim you need to pay some "fee" for some package in transit. If you know you have not ordered anything, and you don't use the courier the scammer is impersonating, AVOID this email.

Email Spoofing

Email spoofing is forging the sender address so that a message appears to come from the real source. A related trick is the lookalike (homograph) address: swap a Latin "e" for a Cyrillic "е" in the domain, and you get a name that is spelled "the same" on screen but is an entirely different domain that the attacker registered. Can you tell the difference between the two characters with the naked eye? No. That's all it takes to convince people the address is legit. Mail providers check SPF, DKIM and DMARC to catch plain spoofing, and many now flag lookalike domains, but none of this is foolproof. When in doubt, view the message's raw headers (in Gmail: "Show original") and read the Authentication-Results line, and compare the sender's domain character by character; its punycode form (a domain starting with "xn--") is the giveaway that non-Latin characters are in play.
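Since the eye cannot tell the two "e"s apart, let a script do it. The following is an added example, not code from the original post: it takes an email address, lists any non-ASCII characters in the domain with the script they belong to, flags domains that mix scripts, shows the punycode form the DNS actually resolves, and compares the address against a trusted domain through a small confusables table. The confusables table is a constructed subset of the Unicode confusables data, and the sample addresses are made up.

```python
"""Detect look-alike (homograph) addresses built from mixed Unicode scripts.

Added example, not code from the original post. CONFUSABLES is a small
constructed subset of the Unicode confusables list (Cyrillic -> Latin);
a real deployment would use the full table.
"""
import unicodedata

# Cyrillic letters that render identically to Latin ones (constructed subset).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
}


def script_of(ch):
    """Script label taken from the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    if not ch.isalpha():
        return "COMMON"  # digits, dots, hyphens
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def skeleton(text):
    """Collapse visually identical characters so look-alikes compare equal."""
    normalized = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in normalized)


def looks_like(domain, trusted):
    """True when domain is NOT the trusted domain but would render the same."""
    return domain != trusted and skeleton(domain) == skeleton(trusted)


def inspect_address(address):
    """Report on the domain part of an email address."""
    local, _, domain = address.rpartition("@")
    non_ascii = [(ch, f"U+{ord(ch):04X}", script_of(ch)) for ch in domain if not ch.isascii()]
    scripts = {script_of(ch) for ch in domain if ch.isalpha()}
    try:
        # What the DNS sees: non-ASCII labels become xn-- punycode labels.
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
    return {
        "domain": domain,
        "non_ascii": non_ascii,
        "mixed_scripts": len(scripts) > 1,
        "punycode": punycode,
        "suspicious": bool(non_ascii) or len(scripts) > 1 or not local.isascii(),
    }


if __name__ == "__main__":
    for addr in ("support@apple.com", "support@\u0430pple.com"):  # second uses Cyrillic a
        report = inspect_address(addr)
        print(addr, "->", report["punycode"], "suspicious:", report["suspicious"],
              "looks like apple.com:", looks_like(report["domain"], "apple.com"))
```

The punycode check is the one you can do by hand as well: paste the sender's domain into any IDN converter, and if "xn--" comes out, the domain is not what it appears to be. Note that plain-ASCII lookalikes (rn for m, 1 for l, a different TLD) are not caught here and still need a careful read.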

Other Ways To Keep Yourself Safe:

- It is never a good idea to keep all your eggs in one basket. Using the same email address for everything is one of the worst things you can do. If a hacker manages to take over your email address (And for some reason you can't recover your account), then everything is gone. Rather split your online accounts into different email address categories (Such as a business email, a Google products email, a Microsoft products email, a private email for other online accounts, a public email for legal, employment or medical purposes, etc.)
- Never EVER save passwords, banking information, home addresses, etc. in your web browser when asked. Hackers are well-aware of this convenience, and they'll attempt to steal this information, along with your session cookies and tokens.
- Never EVER use the same password for multiple accounts. If one of your passwords is leaked, attackers feed that same email/password pair into automated tools that try it on every popular site, an attack called "credential stuffing", and take over whatever it unlocks. If you happen to be one of these victims, then prepare for a long, stressful, bumpy ride of securing and recovering your accounts. Fun fact, I was one of these people.
- Use Linux instead of Windows or macOS. Most consumer malware, info stealers included, is written for Windows, with macOS a growing second target; an .exe dropped by a cracked installer simply will not run on a Linux desktop (unless you go out of your way to run it under Wine). Linux is not 100% safe either, but it does reduce your attack surface. Linux's desktop market share is still small enough that mass-market malware rarely bothers with it, and its users tend to be more security- and privacy-conscious than average, so attackers aim at the larger, less tech-savvy Windows and macOS crowd. There are Linux threats targeting desktop users, but most Linux attacks target servers.
- Use free and open source software ("FOSS" for short). Do NOT attempt to pirate software; cracked installers and "free download" links from video tutorials are one of the most common ways info stealers are delivered. If you can't afford a piece of software, rather be safe than sorry. Fun fact, this is why I got hacked myself a while back. I used the same passwords for everything, and I thought I could pirate software from a YouTube "tutorial". I used a popular operating system called "Windows 11" (which allowed the Windows-only malware to execute). I also never cleared my browser's session cookies, so that was a MASSIVE concoction of mistakes on my end. I know better now, and this is the reason why I wrote this blog. I want to protect people from getting hacked like I did many months ago.
- Use Flatpaks as much as possible (Linux only). Flatpak is a sandboxed packaging format that both isolates apps from the rest of the system and avoids dependency conflicts, which helps stability. The sandbox is only as tight as the permissions the app declares, though: many Flatpaks ship with access to your whole home directory or the host filesystem. Check with "flatpak info --show-permissions <app-id>" and tighten what you don't need with "flatpak override" or the Flatseal app.
- Encrypt your hard drive (FileVault on macOS, LUKS on Linux, BitLocker on Windows). On Windows, first make sure you know where your BitLocker recovery key is, or a boot problem can lock you out of your own data: if the drive was encrypted while signed into a Microsoft account, the key is stored under your account's Devices page (account.microsoft.com/devices/recoverykey), and on the PC itself "manage-bde -protectors -get C:" in an elevated Command Prompt prints it. Back it up somewhere other than that drive.
- Use a strong PC login password.
- Always generate long, random passwords using uppercase, lowercase, numbers and symbols (extended ASCII or Unicode characters will not work on most websites). For passphrases, the danger is not that the words are "real words" but that the phrase is predictable: a quote, a lyric, or any sentence that makes sense is in the lists attackers feed to "dictionary attacks". A passphrase built from several words chosen at random from a large list, like "tyres-two-some-bottle-bird-car", is strong because of the sheer number of combinations, not because it is obscure: six random words from a 7776-word diceware list are roughly as strong as a 12-character random password. Mixing languages or replacing letters with symbols adds little compared to simply adding another random word, so add words instead.
- Use a privacy-respecting browser (Brave, LibreWolf and Mullvad Browser are good examples). Keep in mind that some websites may not work properly, or even break, because the browser blocks fingerprinting, JavaScript, ads, etc.
- Use a privacy-respecting search engine (StartPage, DuckDuckGo, MetaGer, Mojeek, SearXNG, Swisscows, Ecosia, etc. are good alternatives to Google and Bing). Keep in mind that image search, Google's result sitelinks and similar features may not work as well, or at all, on these engines. You win some, you lose some.
- ALWAYS use a password manager... but NOT the one built into your web browser! Use a dedicated one such as Bitwarden (online) or KeePassXC (local/offline). On Android, KeePassDX or Keepass2Android can open the same database file that KeePassXC uses on the desktop (beware of fake apps). I recommend a local password manager, because I'd rather trust myself than some random company with all my passwords. A local manager saves an encrypted database file to your device; KeePassXC encrypts it with AES-256 or ChaCha20 and derives the key from your master password (and keyfile) with a slow key-derivation function such as Argon2, so every guess an attacker makes against a copied database costs real compute time. With a strong master password, cracking the file is infeasible. A keyfile is an optional second factor: a file whose contents are mixed into the encryption key. It is generated once and never needs updating. Anyone who obtains a copy of the database then needs the master password AND a copy of the keyfile to decrypt it. One caveat: the keyfile protects against copies of the database taken from somewhere else (a cloud folder, a backup, a lost USB stick). An info stealer or keylogger running on the same computer as your database can copy the keyfile too, so it is no substitute for keeping that machine clean. Honestly, I prefer this to the online password managers. I might not be a celebrity, but I can never have enough security over my passwords. Unlike online password managers, it is your responsibility to keep your database in sync across all your devices and backups. You CAN keep the database on cloud storage, but keep the keyfile off the cloud, copied by hand to each device. Pick one primary device for changes, upload the database from there, and have the other devices pull the latest copy; always keep a local backup as well. Or... you could just store it locally. It's up to you how to keep your database updated and shared across devices.
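The passphrase advice above comes down to counting: how many equally likely outputs can the generator produce? The following is an added example, not code from the original post, that generates both a random character password and a random-word passphrase from the OS CSPRNG and computes the entropy (and an illustrative crack time) of each, alongside a "sensible sentence" picked from a phrase list, which is what a dictionary attack exploits. The eight-word list is a constructed stand-in for a real diceware list; the 7776-word size, the 100,000-phrase size and the 1e10 guesses per second rate are assumptions chosen for illustration.

```python
"""Entropy of random passwords vs. random-word passphrases vs. "sensible" phrases.

Added example, not code from the original post. SAMPLE_WORDS is a tiny
constructed stand-in for a real word list; the list sizes and the
guessing rate are assumptions, not measurements.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
SAMPLE_WORDS = ["tyres", "two", "some", "bottle", "bird", "car", "lamp", "river"]  # constructed
DICEWARE_SIZE = 7776        # assumed: size of a standard diceware list
COMMON_PHRASES = 100_000    # assumed: size of an attacker's list of quotes, lyrics, sayings
GUESSES_PER_SECOND = 1e10   # assumed: offline GPU guessing rate against a fast hash


def random_password(length, alphabet=ALPHABET):
    """Uniformly random characters; every draw comes from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words, words=SAMPLE_WORDS, sep="-"):
    """Uniformly random words joined by a separator (repeats allowed, which is fine)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(pool_size, draws):
    """log2 of the number of equally likely secrets: draws independent picks from pool_size."""
    return draws * math.log2(pool_size)


def years_to_crack(bits, rate=GUESSES_PER_SECOND):
    """Expected time to search half the keyspace, in years."""
    seconds = 2 ** bits / 2 / rate
    return seconds / (365.25 * 24 * 3600)


def compare(char_len=12, n_words=6):
    """Entropy and illustrative crack time for the three kinds of secret."""
    cases = {
        "random_password": entropy_bits(len(ALPHABET), char_len),
        "random_passphrase": entropy_bits(DICEWARE_SIZE, n_words),
        "sensible_phrase": entropy_bits(COMMON_PHRASES, 1),  # one pick from a phrase list
    }
    return {name: {"bits": bits, "years": years_to_crack(bits)} for name, bits in cases.items()}


if __name__ == "__main__":
    print("password  :", random_password(12))
    print("passphrase:", random_passphrase(6))
    for name, stats in compare().items():
        print(f"{name:18s} {stats['bits']:6.1f} bits  ~{stats['years']:.3g} years")
```

The numbers are the point: six random diceware words (about 77.5 bits) land next to a 12-character random password (about 78.7 bits), while any memorable sentence drawn from a list of a hundred thousand phrases is under 17 bits and falls in a fraction of a second. Leet substitutions on a known phrase add only a few bits; one more random word adds nearly 13.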

Just before You Leave This Blog...

It is always a good idea to educate yourself on cybersecurity and privacy. Remember, security comes first, THEN you may worry about privacy. As for anonymity, unless you're a whistleblower or someone a government is after, you don't need to worry about it. Always clear your cookies and other site data on all your browsers (PC and mobile), and be very suspicious of any unusual emails you receive, or files you want to download. A VPN will NOT protect you from any of the threats in this post, contrary to popular belief: it encrypts the traffic between you and the VPN company and hides your IP address from the sites you visit, and that is all. It does nothing against malware, phishing pages or stolen cookies. If a company says its VPN will protect you from hackers, run FAR away, and don't give them your money and data; you are simply moving the ability to see your connections from your ISP to some random company, which may log them anyway. Free VPNs are to be ESPECIALLY avoided. Remember, if you don't pay for something, YOU ARE the product. Attackers don't need your IP address to do any of the damage described here; it's one of the least useful pieces of data they could have. Nobody will ever be 100% safe, but reducing your attack surface always counts for SOMETHING.