Shane Chambers No Comments

Credential Stuffing

Credential Stuffing is a common practice in cyber crime where a hacker or cyber criminal gains access to a user’s email addresses and password, and proceeds to try that password against other accounts/services belonging to that individual. This is performed based on the knowledge that users often reuse the same passwords between different accounts/services, albeit sometimes with slight variations.

This is a highly effective means of attack, as users may change passwords for services that they are aware have been breached, but may not think to change that password where it is in use on other accounts. Credential stuffing is also commonly used when attempting to commit identity theft against a user.

It is highly recommended that all users do not reuse passwords between services, and to use a password manager if required to help them remember distinct, secure passwords.

Shane Chambers 2 Comments

Social Engineering

Social Engineering is the art of manipulating, influencing, or deceiving you in order to gain control over your computer system. The hacker might use the phone, email, snail mail or direct contact to gain illegal access. Phishing, spear-phishing and CEO Fraud are all examples.

Hoes does it work? It is often as simple as an email asking you to view an invoice, check out suspicious logins on your account, or even update your password. Cyber criminals will make these emails look as legitimate as possible, and then use social engineering to convince you to carry out the action without second-guessing the action. In more advances attack, such as spear-phishing, the emails may even appear to come from within your organisation. All of this is to convince you to do something that would allow hackers to infect your PC with ransomware or other forms of malware. Often, criminals will attempt to convince you that their email is ‘urgent’, and that something bad will happen if you do not click the link, such as you being locked out of one of your accounts. This tone of urgency is a classic social engineering ploy, and is big factor to look out for when you suspect an email may not be legitimate.

Remember: Always Think Before You Click

Shane Chambers No Comments

Brute-Force Attack

A brute-force attack consists of an attack trying many passwords with the hope of eventually guessing correctly. The attack systematically checks all passwords until the correct one is found, carried out by some form of machine or program. The resources required to carry out a brute-force attack increase exponentially with the length of the password. Short passwords can often be brute-forced in a manner of minutes or hours. Longer, more secure passwords can be made prohibitively difficult to crack, as even a password with only lowercase letters but 15 containing 15 characters would take an estimated 1000 years to crack.

Shane Chambers 1 Comment

2-Factor Authentication

Two Factor Authentication, 2-Factor Authentication or 2FA is a method of accessing a computer or online account in which the user is granted access only after successfully providing two separate pieces of evidence to an authentication mechanism. This is usually done in the form of a factor that requires memorisation combined with a factor that typically requires physical possession by the user.

One of the most common examples of 2-Factor Authentication is withdrawing money from an ATM, as only the correct combination of a bank card (something you physically possess) and PIN (something only you know) will allow access to the account. Another common example is adding mobile authentication to an online account. For example, you set up 2FA on sites like Facebook that require you to sign in with your password in addition to a PIN that is sent to your mobile phone.

Combining multiple factors, especially those that require physical possession of something by the user, makes it much more difficult for hackers to gain access to an account.

Shane Chambers 2 Comments

CEO or CFO Fraud

CEO/CFO Fraud is a phishing scam that has gained popularity in recent years, where cyber criminals hack or spoof the email address of a senior staff member and request an urgent payment to an unknown account. These phishing emails are usually sent to staff involved in the finance or accounts of the company, and request payment in a manner which is often outside normal payment procedures. These emails appear to be genuine to convince staff members to comply with the request, believing they are indeed from their company’s CEO or CFO. Once the money has been transferred to the criminal’s account, it is usually withdrawn again straight away and hidden elsewhere.

You should be extra vigilant of:
– Any payment request which is outside of normal policy or procedure, especially by email
– Any urgent or confidential request for payment transfer, especially if not respecting the standard procedure
– Any unusual request such a transfer of high amounts to an unknown account or to a country where the company does no business

If you do receive an unusual financial request by email, we strongly advise you to get verbal confirmation from the sender before taking any action.

Concerned that your organisation may be vulnerable to such phishing attacks? We’re offering a free phishing risk assessment for companies who want to find out and learn how to mitigate these dangers.