Part 3: How did my password get hacked? It’s this easy…

By RJ Gazarek

This is the 3rd part in a 3 part series on how hackers are using simple methods to steal your passwords. In part 1 we talked about how hackers used passwords that were discovered in a previous breach in order to attempt a secondary breach. In part 2 we talked about the use of malicious scripts running on your computer, usually delivered from a malicious email.

In part 3 we’re going to talk about the final way that hackers usually obtain your password, and that’s simply by tricking you into giving it to them.

Click here, now you’ve been tricked by a website

What happens if you receive an email that appears to come from your bank, with a notice that you need to update your contact information and to click a link in order to do that? You see your bank’s logo, and it looks like it’s coming from your bank, so nothing concerns you and you click on that link: www.mybamk.com.

Do you see it? The website address above? If that was your bank’s website, would you have clicked on it? Do you notice what’s wrong with it? It’s spelled M Y B A M K … “bank” with an “M” instead of an “N” – but you might not have realized it when you first saw it, and if everything else looks fine you might have clicked on it. You would then have been brought to a website that looks just like your bank’s regular website. On that page would have been a place to enter your username and password, and in an instant, you’ve sent your credentials off to a hacker!
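Mail gateways and link-scanning tools catch this kind of look-alike address by comparing every hostname in a message against the domains the organization actually uses. The following Python is an added illustration, not code from the original post or from Thycotic; the list of legitimate domains is a constructed assumption, and the lookalike check flags both near-miss spellings (mybamk vs mybank) and a real domain name buried as a prefix of a longer, unrelated host.

```python
from urllib.parse import urlparse

# Constructed example: domains this organization considers legitimate.
KNOWN_DOMAINS = ["mybank.com", "example-bank.com"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url: str) -> str:
    """Lower-cased host from a URL; bare hosts like www.mybamk.com are accepted too."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def classify_link(url: str, known=KNOWN_DOMAINS, max_distance: int = 2) -> str:
    """Return 'known', 'unknown', or 'lookalike:<domain,...>' for the link's host."""
    host = hostname(url)
    if host in known:
        return "known"
    close = [
        d for d in known
        # near-miss spelling, e.g. mybamk.com is one edit away from mybank.com
        if levenshtein(host, d) <= max_distance
        # or the real name used as a leading label of a longer, unrelated host
        or host.startswith(d + ".")
    ]
    return "lookalike:" + ",".join(close) if close else "unknown"


if __name__ == "__main__":
    for link in ["www.mybamk.com", "https://www.mybank.com/update",
                 "http://mybank.com.account-verify.example", "https://unrelated.example"]:
        print(f"{link:45} -> {classify_link(link)}")
```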

Ring ring, now you’ve been tricked by a phone call

Sometimes the simplest way to get your password is just to ask for it! Social engineering has long been a practice where someone communicates with you in a way that establishes a level of trust. Either they send you an email that looks like it’s coming from another employee at the company, or they simply call you up pretending to be an employee in a dire emergency who needs immediate access to a system. In both cases, you’re faced with a split-second decision…

Do I deny this request and possibly get in trouble if it’s a real request? Or do I give them my password and hope that it’s not a hacker on the call?

There are dangers all over when it comes to protecting your passwords and the access they provide, and that’s why I always say, “Take the human out of the equation.” Get started with Secret Server today, and use a centralized password management solution for your privileged accounts to ensure they’re protected at all times.

Source: Thycotic