How-To Geek

Online Safety: Understanding Hackers, Phishers, and Cybercriminals

Have you ever been the victim of identity theft? Ever been hacked? Here’s the first in a series of articles with critical information to help you arm yourself against the surprisingly frightening world of hackers, phishers, and cybercriminals.

Some of our geekier readers will already be familiar with a lot of this material—but maybe you have a grandfather or other relative who could benefit from having this passed on. And if you have your own methods for protecting yourself from hackers and phishers, feel free to share them with other readers in the comments. Otherwise, keep reading—and stay safe.


Why Would Anyone Want to Target Me?

This is a common attitude; it just doesn’t occur to most people that a hacker or cybercriminal would think to target them. Because of this, most ordinary users don’t even think of security. It sounds strange and fanciful…like something in a movie! The reality is quite terrifying—most criminals want to target you because they can, and they can probably get away with it. You don’t have to have millions (or even thousands) of dollars to be a target. Some cybercriminals will target you because you’re vulnerable, and the ones that want your money don’t particularly need a lot of it (although some will take every cent if they can manage).

 

Who Are these Bad Guys?

Before we take a look at specifics, it’s important to understand who it is that’s looking to take advantage of you. Some online threats come from “script kiddies”: hackers with no real skill, writing viruses from directions found through Google searches, or using downloadable hacking tools for rudimentary results. They’re more often than not teens or college kids, writing malicious code for kicks. While these people can take advantage of you, they’re not the biggest threat online. There are career criminals out there looking to rob you—and these are the ones you really have to be aware of.

It may sound like hyperbole, but you can quite accurately think of cybercriminals as an internet version of Mafia crime families. Many make their entire living stealing information, credit card numbers, and money from unsuspecting victims. Many are experts, not only at stealing this information, but also at avoiding getting caught taking it. Some operations are small: one or two people and a few cheap machines for sending phishing emails or spreading keylogging software. Others are surprisingly large businesses built around black-market sales of stolen credit card numbers.

What Is A Hacker?

If you were skeptical before, hopefully now you’re convinced that it’s worth your while to protect yourself from the myriad of people hoping to steal from you online. But that brings us to our next question—just what is a hacker? If you’ve seen any movie since the popularization of the internet… well, you might think you know, but, if you’re like most people, you’re more wrong than you know.

The original meaning of “hacker” applied to clever computer users, and grew out of the computing culture at MIT in the 1950s and 1960s, whose best-known figures include Richard Stallman. These hackers were known for their curiosity and programming skills, testing the limits of the systems of their day. “Hacker” has gradually developed a darker meaning, generally associated with the so-called “black hat” hackers known for cracking security for profit or stealing sensitive information. “White hat” hackers can break into the same systems and reach the same data; what separates them is their aims, and the fact that they work with the owner’s permission. These white hats can be thought of as security experts, searching for flaws in systems and software so that they can be fixed, or simply to demonstrate that the flaws exist.

As most people use the word today, “hackers” are thieves and criminals. You don’t need to read up on the intricacies of cyberwarfare or the ins and outs of security cracking to protect yourself. The threat most hackers pose to the ordinary user is the theft of accounts: email, and anything that holds credit card or bank account numbers. And a great deal of that kind of account theft comes down to cracked, guessed, or reused passwords.


Password Strength and Security Cracking: Why You Should Be Afraid

At some point, you should do a search for the most common account passwords (link contains NSFW language), or read the amazing security article “How I’d Hack Your Weak Passwords” by John Pozadzides. If you look at cracking passwords from the hacker perspective, the unwashed masses are basically a sea of vulnerability and ignorance, ripe for the thievery of information. Weak passwords account for the majority of problems ordinary computer users encounter, simply because hackers are going to look for the weakness and attack there—no sense wasting time cracking secure passwords when there are so many that use insecure passwords.

[Image: XKCD strip “Password Strength” (“correct horse battery staple”)]

Although there is considerable debate on best practices for passwords, passphrases, etc., there are some general principles on how to keep yourself safe with secure passwords. Hackers use automated password-cracking programs. The crudest approach, “brute force,” simply tries one potential password after another until it hits the correct one. But there is a catch that makes these programs far more likely to succeed: they try common passwords first, and then dictionary words and names with the usual variations (a capital letter, a digit or a year tacked on the end), all of which turn up in real passwords far more often than random strings of characters. And once any one password is cracked, the first thing hackers do is check whether you used the same password on any other services.

If you want to stay safe, the current best practice is to use secure passwords, create a unique password for every account, and keep them in a password safe like KeePass or LastPass. Both are encrypted, password-protected stores for complex passwords, and both will generate long random strings of letters and digits that are, for practical purposes, impossible to crack by brute force.

What’s the bottom line here? Don’t use passwords like “password1234” or “letmein” or “screen” or “monkey.” Your passwords should look more like “stUWajex62ev” in order to keep hackers out of your accounts. Generate your own secure passwords using this website, or by downloading LastPass or KeePass.
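To make the cracking point concrete, here is an added Python example (written for this page, not taken from the article or from KeePass or LastPass). It runs a dictionary attack with the usual mangling rules against a constructed set of unsalted SHA-256 password hashes, then compares the sizes of the search spaces a pure brute-force attack would face. The usernames, hashes, wordlist and the 10^10 guesses-per-second rate are all constructed assumptions for the demo. The three dictionary-style passwords fall in a few hundred guesses; the random 12-character one is never found, and exhausting its keyspace at that rate would take on the order of ten thousand years.

```python
import hashlib
import secrets
import string

# Constructed sample "leaked database": user -> unsalted SHA-256 of the password.
# (Assumption for the demo: the site stored fast, unsalted hashes, which is what
# makes offline guessing this cheap.)
def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

LEAKED_HASHES = {
    "alice": sha256_hex("password1234"),
    "bob":   sha256_hex("Monkey!"),
    "carol": sha256_hex("letmein2011"),
    "dave":  sha256_hex("stUWajex62ev"),  # random 12-character password
}

# Tiny stand-in for a real "most common passwords" list.
WORDLIST = ["password", "letmein", "monkey", "screen", "123456", "qwerty", "dragon"]

# Suffixes people really append: a digit or two, punctuation, a recent year.
SUFFIXES = ("1", "12", "123", "1234", "!", "!1") + tuple(str(y) for y in range(2000, 2012))


def mangle(word):
    """Yield a wordlist entry plus the variations people actually use."""
    seen = set()
    bases = (word, word.capitalize(), word.upper())
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0").replace("s", "$")
    for base in bases + (leet,):
        for candidate in (base,) + tuple(base + s for s in SUFFIXES):
            if candidate not in seen:
                seen.add(candidate)
                yield candidate


def dictionary_attack(hashes, wordlist):
    """Try every mangled wordlist entry against all hashes at once.

    Returns ({user: recovered_password}, number_of_guesses_made)."""
    targets = {h: user for user, h in hashes.items()}
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            user = targets.get(sha256_hex(candidate))
            if user is not None:
                found[user] = candidate
    return found, guesses


def keyspace(length, alphabet_size):
    """Number of candidates a pure brute-force search must cover."""
    return alphabet_size ** length


def brute_force_years(length, alphabet_size, guesses_per_second):
    """Worst-case time to exhaust the keyspace at a given guessing rate."""
    return keyspace(length, alphabet_size) / guesses_per_second / (365 * 24 * 3600)


def generate_password(length=12, alphabet=string.ascii_letters + string.digits):
    """Random password from the OS CSPRNG, the way a password safe generates one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    found, guesses = dictionary_attack(LEAKED_HASHES, WORDLIST)
    print(f"recovered {found} after {guesses} guesses")  # alice, bob, carol; never dave
    print(f"8 lowercase letters: {keyspace(8, 26):.2e} candidates")
    print(f"8 chars from a 95-symbol keyboard: {keyspace(8, 95):.2e} candidates")
    print(f"12 alphanumerics at 1e10 guesses/s: {brute_force_years(12, 62, 1e10):,.0f} years")
    print("example random password:", generate_password())
```

The lesson is in the two numbers: the attacker never has to face the full keyspace when the password is a word plus a suffix, and the ratio between an 8-character lowercase keyspace and a 95-symbol one is roughly 32,000, which is where a “days to centuries” jump comes from.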

Should I Be Afraid of Hackers In the News?

There’s been a lot of hullabaloo about hackers in the news this past year, and by and large, these groups are not interested in you or yours. While their accomplishments might seem sort of scary, many of the high profile hacking cases of 2011 were done to damage the reputation of large companies that the hackers were irritated with. These hackers make a lot of noise, and have done damage to companies and governments careless enough not to properly protect themselves—and it’s just because they’re so high-profile that you have little to fear from them. The quiet, clever criminal hackers are always the ones to keep an eye out for—while the world might closely watch LulzSec or Anonymous, lots of cybercriminals quietly make off with armloads of cash.

What is Phishing?

[Image: phishing page impersonating the IRS]

One of the most potent tools available to cybercriminals worldwide, “phishing” is a kind of social engineering, and can be thought of as a con or grift. It takes no elaborate software, viruses, or hacking to get information if users can be tricked into giving it away. Many phishers use a tool readily available to nearly everyone with an internet connection: email. It’s surprisingly easy to set up a few hundred email accounts and trick people into giving away money or information.

Phishers pretend to be someone they’re not, and often prey on older people. Many pretend to be a bank or a website like Facebook or PayPal, and ask you to enter passwords or other details to resolve some supposed problem with your account. Others pretend to be people you know (sometimes from hijacked email addresses), or target your family using information about you that is publicly viewable on social networks like LinkedIn, Facebook, or Google+.

[Image: the genuine PayPal.com site, with the browser showing its certificate]

There’s no software cure for phishing: spam filters and browser warnings catch some of it, but you simply have to stay sharp, and read emails carefully before clicking links or giving out information. Here are a few brief tips to keep yourself safe from phishers.

  • Don’t open emails from suspicious addresses or people you don’t know. Email isn’t really a safe place to meet new people!
  • You may have friends that have email addresses that are compromised, and you may get phishing emails from them. If they send you anything weird, or aren’t acting like themselves, you may want to ask them (in person) if they’ve been hacked.
  • Don’t click links in emails if you’re suspicious. Ever.
  • If you end up on a website, look at the address bar: the domain name tells you who actually owns the site, and a genuine site will have a valid certificate for that domain. (PayPal, above, is genuine. The IRS, at the lead of this section, is fraudulent.) Bear in mind that the padlock only proves you are talking securely to whoever owns the domain shown; a fraudster can obtain a certificate for a look-alike domain, so the domain name itself is what matters.

[Image: address bar of the fraudulent IRS page]

  • Look at this URL. It seems unlikely that the IRS would be parking a website on a URL like this.

[Image: PayPal.com’s address bar, showing its security certificate]

  • An authentic website will present a valid security certificate for its own domain, as PayPal.com does. The fraudulent IRS page above does not, and in any case real US government websites almost always use a .gov top-level domain rather than .com or .org. Phishers can’t simply buy a .gov domain: registration is restricted to US government bodies.
  • If you think your bank or other secure service may need information from you, or you need to update your account, do not click the links in your emails. Instead, type the site’s address into your browser yourself and log in normally. That way you can’t be redirected to a fraudulent website, and you can check whether the same notice appears once you log in.
  • Never, ever give out personal information like credit card or debit card numbers, email addresses, phone numbers, names, addresses or social security numbers unless you’re absolutely sure you trust that person enough to share that information.
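The address checks in these tips can be automated. The following Python example is added here (it is not part of the article) and assumes a constructed phishing email whose links use the reserved documentation domain example.net and the 203.0.113.0/24 test address block. It pulls every link out of the message and reports why each one should not be trusted: wrong scheme, user-info before an “@”, a bare IP address, or a host that is not actually under the domain you expect. It deliberately uses a hard-coded expected domain rather than a public-suffix list, which a real tool would need.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed phishing email body (not a real message). The links point at the
# documentation domain example.net and the TEST-NET-3 block 203.0.113.0/24.
SAMPLE_EMAIL = """\
Dear PayPal customer,
Your account has been limited. Restore access here:
https://www.paypal.com.secure-update.example.net/signin
or, if that fails, http://paypal.com@203.0.113.7/login
Regards, The PayPal Team
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_under(hostname, domain):
    """True if hostname is domain itself or any subdomain of it.

    A plain substring test would be fooled by paypal.com.evil.example.net;
    we require the expected domain to be the *end* of the host name."""
    hostname = hostname.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def check_link(url, expected_domain):
    """Return the reasons a link should not be trusted.

    An empty list means it really points at expected_domain (or a
    subdomain of it) over HTTPS."""
    reasons = []
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases the host for us
    if parts.scheme != "https":
        reasons.append(f"scheme is {parts.scheme!r}, not https")
    if "@" in parts.netloc:
        # Everything before '@' is user-info; the real host is what follows it.
        reasons.append("user-info before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("host is a bare IP address")
    except ValueError:
        pass                              # not an IP literal, which is normal
    if not registered_under(host, expected_domain):
        reasons.append(f"host {host!r} is not under {expected_domain!r}")
    return reasons


def scan_email(body, expected_domain):
    """Map every link found in the message to its list of warning reasons."""
    return {url: check_link(url, expected_domain) for url in URL_RE.findall(body)}


if __name__ == "__main__":
    for url, reasons in scan_email(SAMPLE_EMAIL, "paypal.com").items():
        print(url)
        for r in reasons:
            print("   -", r)
```

Note that none of these checks involves the certificate at all: a padlock on www.paypal.com.secure-update.example.net only proves you are talking to whoever owns example.net, which is exactly why the domain name, and not the padlock, is what you need to read.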

This is, of course, only the beginning. We’ll cover much more Online Safety, security, and tips to stay safe, in this series in the future. Leave us your thoughts in the comments, or talk about your experience in dealing with hackers or phishers, hijacked accounts, or stolen identities.

Image Credits: Broken Locks by Bc. Jan Kaláb, available under Creative Commons. Scary Norma by Norma Desmond, available under Creative Commons. Untitled by DavidR, available under Creative Commons. Phishing the IRS by Matt Haughey, available under Creative Commons. A Password Key? by Dev.Arka, available under Creative Commons. RMS at pitt by Victor Powell, available under Creative Commons. XKCD strip used without permission, assumed fair use. Sopranos image copyright HBO, assumed fair use. “Hackers” image copyright United Artists, assumed fair use.

Eric Z Goodnight is an Illustrator and Graphics Geek who hopes to make Photoshop more accessible to How-To Geek readers. When he’s not headbanging to heavy metal or geeking out over manga, he’s often off screen printing T-Shirts.

  • Published 09/28/11

Comments (29)

  1. Jean-Francois Messier

    Having been exposed to security for years now, I think the info above is great, but I think this is only the beginning. Yes, most viruses and malware can be defeated by basic safe computing practices and with the appropriate protection software. But the biggest threat is social engineering. Email scams, forged web pages and other misleading web content are the biggest threat to regular people today. And this is something that needs to be re-done again and again. Safe computing education is like healthy eating and safe driving. This is something that needs to be repeated, and I still have to see a GOOD article in popular newspapers about safe computing.

  2. KB Prez

    Great article! I agree it’s very important to use strong passwords and to have unique passwords for critical accounts. It’s also a good idea to change passwords periodically.

    My only reservation is with using an online vault like LastPass. LastPass was hacked earlier this year. I doubt I’ll ever rely on the cloud to keep my passwords safe. I use KeePass to store passwords and I back up all password data on a flash drive.

  3. HackToHell

    These cover only the basics; XSS, CSRF, and advanced phishing can easily confuse even a super-aware internet user. The biggest crap in all of it is Flash! Millions of holes in it!

  4. Jason

    I’m with you Jean-Francois, there needs to be more education on web surfing. I try to teach as many people as I can the importance of using common sense when surfing the web. If something sounds too good to be true, it probably is. Just like in real life you wouldn’t walk down a dark, unfamiliar alley, so why would you open an email from someone you don’t know and click on a link in that email?

    I also try to educate people on the importance of not posting every stupid little thing you say and do online as well. I tell people there is no universal undo button. Once it is on the web it can never be taken back. Don’t post pictures or comments you don’t want everyone to know or see. I think the most important thing is to have some form of protection on your system to help minimize the risk of being hacked.

  5. Stumpy

    I ALWAYS:

    1) Surf in a user account without Administrator Privileges.
    2) I always load-up Piriform’s Ccleaner and wipe my dime as I go.
    3) I also load up ATF-Cleaner and again wipe as I go.
    4) Remember to set Ccleaner to execute a ‘Secure File Deletion’ with a minimum of 3 overwrites, so whatever it is does NOT go into the recycle bin. (DoD standard).
    5) Periodically, while browsing, I run Glary Utilities while browsing.
    6) When exiting IE Ocho, in the ‘InPrivate’ mode with ‘InPrivate’ filtering turned on – I manually run Ccleaner and ATF, then manually delete both browsing history and CLEAR the secure socket layer.
    7) After every browsing session, and unplugging (I am on a Public network with Public network settings), I re-run Ccleaner, ATF, Glary and Defraggler. First I defrag the Free Space, then I defrag the drive.
    8) I re-boot and rerun all of the cleaners above one more time.
    9) If any Registry entries are flagged for deletion by either Ccleaner or Glary – I go on a Cockroach Hunt.
    10) Even after all of this fruitless effort, I occasionally STILL get a virus or trojan. And this is with Avast antivirus, Windows Firewall, Windows Defender, a Safe-Search program running, Mr’ Softy’s MRT – Malicious Software Removal Tool and GKW else (Gawd knows what) running.
    11) It kinda all makes me think that Bill Gates has controlling interest in AVG, Norton, McAfee, etc. and has one of his minions sitting on the board of each of these companies; that way he can make even MORE money off of you. He then pays one of his ‘minions’ to pay some Belarusian money to write this malicious code and provides them with the security holes to make MORE MONEY.

    BTW – South Korea, yup South Korea followed by Romania, by country has the fastest internet in the world. SK = 2,202 kbps, Romania = 1,909, Bulgaria = 1,611, Lithuania = 1,463, Latvia = 1,377, and the good ol’ US of A = 616 kbps. So, to borrow a line from ‘True Romance’: “Am I lying, or what?”.

    AND, our TAX Dollars created the freekin’ Internet to communicate between universities and military organizations.
    Jus’ thimk about it: if we, US of A, citizens, got 1/1000 of a penny for every ‘click’ on the internet worldwide:

    NONE of us would have to work,

    ALL of us would be given a home,

    ALL of us would have free healthcare.

    NONE of us would EVER pay taxes: income, Medicare, Medicaid, Social Security, Property Taxes, State income taxes, Sin Taxes (alcohol and tobacco), Sales taxes, Fuel taxes (where did that pesky .009 cent come from, anyway?), etc.

    ALL children would be entitled to a fully paid University education (as does Costa Rica, because they have no ‘Standing Army’ to pay for),

    and we would all drive Bugatti’s that run in excess of 300 mph off the production line.

    See this link: http://mashable.com/2011/09/21/fastest-download-speeds-infographic/

    AND, WE G-A-V-E IT ALL AWAY.

    (Go waste many hours trying to figure out how the Internet is run: there is a body of 8 people at the top & last time I looked a Dutch guy headed up the board.)

  6. MSL

    Good article. It may not be politically correct to pinpoint some nations, but the vast majority of social engineering hacks are cooked up by criminal gangs in Nigeria and China.

    I have to confess that I sometimes fire back with, “if you want to scam me you’ll have to learn how to spell.” These replies usually involve more than a few profanities that would make a longshoreman blush. In particular, I’m fond of telling them in what orifice they should insert a broken bottle, and the sort of relationship they should have with their mother, who is likely a member of the world’s oldest profession.

    Baiting Nigerian 419 scammers is also lots of fun. My alter ego usually has names like ‘Yoora Doosh’ and ‘Eeta Turd.’ Taking up their time with these games simply makes it harder for the scammers to target more vulnerable people.

  7. Josh Pullen

    @Stumpy I doubt the internet would ever have been adopted if it was not free to use and I’m not sure there is enough money in the world for everyone in the USA to live as lavishly as you suggested. Plus the internet just like television is a British invention.

  8. Nads

    Please can you let people know about the hackers who use remote access to get into your PC after phoning and pretending to be a helpful soul from Microsoft responding to all those error messages that get sent when a program doesn’t respond.
    Stupidly I was caught by this and they disabled all my anti-virus, wiped restore points and installed 200 viruses (these were only the ones Spybot identified, Kaspersky got the rest). I am not kidding. It took two weeks solid to clean my computer. I am no geek and your website helped me a lot.
    I cannot find much info on these types of people and they still call me all the time trying to get into my computer. I respond in various (impolite) ways over the phone but cannot stop the phone calls. I know of a few elderly folk who have been caught out by this too.

  9. Ronald R

    As the old story goes, for every dollar earned there are five or more people trying to get it from you!!
    It was a good article. With my free email account, I’m using a big sentence and change it every four to five months.
    Thanks for all the extra tips.

  10. Facemelt

    @KB Prez

    While I agree that storing passwords in the “cloud” seems like a bad idea, remember that nothing happened with the information that was stolen. Plus, lastpass did a pretty good job at informing people of the issue once they knew about it, not weeks later. I still think that this system trumps any other that is available today. It’s also nice to know that LastPass has been vetted by security gurus like Steve Gibson (please don’t flame me on this, for reasons I can’t exactly understand he is a polarizing figure on the web), so at least there is some info out there that isn’t all marketing.

  11. RABO

    lolz Kaspersky IS a virus

  12. MSL

    I agree with RABO. Ever tried to uninstall Kaspersky?

  13. KB Prez

    Hi Facemelt,

    I’m a former LastPass user. I canceled my account after they were hacked. I know they claimed nothing happened with what was stolen, but do they even know what was stolen let alone if it’s being used? Storing passwords in the cloud is no longer acceptable to me. I’d rather take the responsibility for protecting them myself.

  14. Ushindi

    I think those worried about the security breach at LastPass haven’t actually investigated the occurrence. Try some of the knowledgeable online articles, such as this one from ComputerWorld:
    http://blogs.computerworld.com/18265/four_things_you_should_know_about_lastpass (May 11, if the link doesn’t work.)

    On a lighter note, I wonder how many people are now changing their passwords to “correct horse battery staple”…LOL

  15. KB Prez

    I can’t speak for others, but I spent some time looking into what happened with LastPass. I had not had my account very long and was reluctant to give up on it. I read the ComputerWorld article as well as many others. After all was said and done, I’ve chosen not to use online vaults and I’m very comfortable with my decision.

  16. Asterisk

    Applause for this first article about online safety, can’t wait for the next ones. Everything makes sense, except that drawing with the “correcthorsebatterystaple”. Don’t get me wrong, it’s a very funny drawing and it put a big smile on my face. Only that its positioning just in the middle of the “Password Strength and Security Cracking” maybe it’s not the best place for this drawing. As a suggestion, the end of article would be a much better place for it, like a “happy-ending” or so.

    Why do I make such a big deal of it? Because it is really confusing. It made me question if numbers, uppercase and special characters do even matter in the end?

    I always had a feeling that these are “non-friendly-hacker-characters” and reading John Pozadzides’s article confirmed my beliefs, although I didn’t quite understand why “Adding JUST ONE CAPITAL LETTER AND ONE ASTERISK would change the processing time for an 8 character password from 2.4 days to 2.1 centuries.”

    I mean, wouldn’t it be the same if you just add two more random letters, just as the drawing suggests? Maybe someone would be kind enough to enlighten me: to be or not to be an “asterisk-password”? :-)

  17. Mastermind

    A picture of the Sopranos! That brings back memories!

    You made my day :D

  18. David

    Asterisk,

    It’s down to the number of combinations – an 8 character password using only lower case a-z gives 208 billion combinations [2.08x10^11]; if you also use upper case A-Z, numbers 0-9 and the 33 (by my count, includes space) symbols on the standard English keyboard, the number of possibilities is now 6.63×10^15. So the hacker now has about 32,000 times the amount of possibilities to test, which means the 2.4 days now becomes 209 years.

    Of course this is the MAXIMUM time that a brute force attack will take, so the reality will almost certainly be shorter for both cases. If I was a hacker, I could wait a couple of days to crack a password, but would probably give up (or die) long before 209 years had passed!!

  19. AJ

    Thanks for the info on phishers and hackers. I find this article to be helpful and informative and on target. The info on the remote access (desktop) incident was an eye-opener.

  20. AJ

    Geek Friends:

    I have a second laptop that had been having problems and I was able to use it by using chkdsk /f to mend the disk. I erred by using msconfig, which changed my resolution settings so I could not see to undo the change. Finally, Windows started restarting over and over again. I used F8 to change to last known good configuration, safe mode, and safe mode with command prompt to no avail. I know that I can boot from a recovery disk to restore the XP Windows computer. Is there any other way to restore my system without the recovery console? Does Windows not have a file I can tap into? Unfortunately, I had a mind to copy the recovery disk but did not get around to it. Thanks for your help. I even tried Hiren’s boot CD and no luck.

  21. c c e

    Thanks a lot for that lovely article. But I would also like to have more updates on cybercrimes, phishers and hackers. Thanks again.

  22. MP

    Excellent article because it is information that is needed. And judging by the reactions of some, it comes none too soon. Before you berate LastPass people, understand the responsibility always rests with the end user. Steve Gibson of GRC (Gibson Research Company) is the inventor of SpinRite, but more importantly, he is pretty much the Guru of anything related to PC Security. And when I say PC, that’s all flavors, including Apple, Linux, and Windows. For password safety, Steve offers all more than just a few good ideas. First off, look at this LastPass page that pretty much spells it out for people: http://blog.lastpass.com/2010/07/lastpass-gets-green-light-from-security.html … If you use LastPass, all your passwords are encrypted on your computer before they get uploaded to LastPass and they can only be decrypted on your computer as well. Watch the Steve Gibson YouTube video embedded on the same page.

    Secondly, everyone should listen to this podcast by Steve Gibson and Leo Laporte from their “Security Now” TwitTV podcast program: http://media.grc.com/Padded-Passwords.mp3 (47Mb) and you can follow it up by visiting the GRC Webpage that illustrates the podcast at: https://www.grc.com/haystack.htm … And finally, to listen to other Security Now Podcasts, explore them here: https://www.grc.com/securitynow.htm.

    This has been an interesting week, as I just got through publishing an ezine article on spoofed emails and strong passwords that were easy to remember, but hard to break. I started getting emails from different friends on AOL, YAHOO, and GMAIL that had porn link keyloggers in them. So, I had emailed these individuals and explained what happened and what they needed to do. Well a week went by and I got a couple more from friends I knew that had followed my suggestions for repairing their email accounts. At this point, I had to let my friends know their accounts were completely stolen and they needed to close them, or just let them run out of room. Most times, it just takes resetting the password and then creating a good password for the account. If someone can spoof an account after that, it means that they have access to information to foil the password reset. I explained to my friends what was happening and a couple came back and asked ‘how?’ I explained that the spoof either came from the spoofer reading the personal account info online, or they got it off their computer. Since the object of a spoof is to control as many computers as possible, the spoof has to look almost benign. It is not out of the realm of a rootkit. For those of you who feel scalded by anything Microsoft, look away now … In the area of free things security related, Microsoft has a Rootkit finder that is unique from others because you click on the executable and it installs to a CD\DVD\Floppy\or USB … Basically any media you can boot from so you can boot your system into a portable OS and run the rootkit finder from outside of Windows. You can get that jewel here: http://connect.microsoft.com/systemsweeper. I hope this is of value to any of my fellow How-to-Geek patrons.

  23. Al

    Two password generators that I use to create easy to remember but hard to crack passwords are: First letter of each word in a phrase, “Either he’s dead or my watch has stopped” (Groucho Marx) gives ehdomwhs, and then make simple substitutions to get 3hd0mwh$. Or just take a couple of words and spell them backwards, like Groucho Marx becomes xraMohcuorG, plus a number and symbol substitution: xr@M0hcourG. I have also used words from the Navajo Code Talkers code book, which you can look up online.

    Another thing I do is never use any part of my real name in email addresses or user names. With online white pages and some demographics it is just too easy to narrow you down to just a few people. With a little research it is easy to uncover a lot using Facebook, online white pages and other social media sites. Have one email address for registering with online sites and another for actually communicating with friends, family and associates. Obviously with different passwords.

    Use a simple username and password for sites that

  24. Dan

    My anti-virus, Avast Network Shield, popped up and blocked (MALICIOUS URL BLOCKED) when I clicked on “How I’d Hack Your Weak Passwords” under Password Strength & Security Cracking: Why You Should Be Afraid. This isn’t the first time something like this has happened from the HTG Squad. From all that I read here in these replies: I think what happened to me now and before, maybe even to other PCs, is we are accepting e-mail, downloading, playing games, watching videos, etc. etc… and along comes something attached to whatever we are doing, onto our PC. Plain and simple. Or an endless number of ways, seeing how these computers run on a binary system.

  25. Samson oguntayo

    Thanks a lot for this article, it’s the beginning of greater eye opener articles to come. It’s quite helpful.

  26. mofasa

    Could you guys send me some simple code and what it does??? ^_^

  27. Ashok

    So people should not step outta their house, to ensure they are not suspected or don’t become targets!!

  28. ji8y

    I didn’t read this cuz it wasn’t short, so I stopped after scrolling down.

  29. ICYTAZ

    It’s funny that the only time I ever had a virus was when I was a skint student trying to download free stuff. Now I don’t bother, I’ve never had anything come up. I find I don’t get much spyware either, and I use all the free security software and yes, I scan regularly like the rest of us. I do annually re-install my operating systems and use excessive passwords with a key safe. I do regular scans and run Ccleaner before I switch off. But that’s about it really. The only time I get excessive is when I purchase stuff on the net, but then I use an account with limited funds just for that purpose, and the most important data I have is encrypted on an external drive that I only plug in when it is needed. I only open emails I recognize, but I do tend to filter carefully. I find I’m more worried about my rubbish: shredding and burning anything with details on, always removing my name and address. I think a lot of it is down to safe practice and what you use the internet for. IT teachers in schools should pass on safe practices to all their students from their first lessons. Maybe I’m just lucky or my practices are holding their own.
