
Hacked: The six most common ways non-tech people fall victim

In the era of BYOD, the less technical among us are prime targets for cybercrime attacks against your company. Learn the six top ways non-tech people get hacked.

1 of 7 ©iStock.com/Nyanza

Non-technical people are favorite targets for malicious hackers, from data dealing crime rings to targeted corporate espionage attacks.

As we've seen in far too many recent instances where difficult, large targets have been infiltrated and bled from within over a period of time, sometimes all it takes is one person clicking the wrong thing at the right time.

Oftentimes, these fateful entry points are created by people who have no idea what's going on; non-technical employees (or even executives) who serve as an unwitting vector for exploitation.

You can't make every employee tech-proficient, and that's troubling in an era where attacks are constant, and enterprise security endures some profound cloud, infosec hiring, and BYOD growing pains.

What you can do is learn the top ways malicious attackers exploit your weakest links, as described on each of the following pages.

2 of 7 Violet Blue/ZDNet

Banking and retail break-ins

Target, JP Morgan Chase, Verizon, Home Depot... the list goes on. The Identity Theft Research Center's 2014 report summary of data breaches paints a disturbing picture of 2014 to date -- as of October, there have been 606 known and reported major breaches and 77,577,208 records stolen.

The Banking, Credit and Financial sector has seen 24 breaches so far, with 1,172,320 records compromised; Business is at a stunning 211 breaches with 64,407,359 records stolen; Medical/Healthcare has also been hit hard this year with 259 successful hacks and 7,151,542 records pilfered. 

As we remember from the RAND report on , these records get used in many ways. As well as identity theft, the records get compiled into databases used for spear-phishing and other targeted attacks... and the cycle begins again.

3 of 7 Violet Blue/ZDNet

Third party app compromise

If Chris Dixon's 'Decline of the mobile web' numbers are on the money, the lion's share of internet access is now mobile and in 2013, 80% of the time spent online on mobile devices was through apps.

Access to online content for mobile users is primarily through just two companies: Apple iTunes apps and Google's Chrome Store apps. For phone and tablet users, the internet as we once knew it is being gradually replaced by mobile apps.

Ask most Android users what malware is, and you'd likely get a blank stare -- despite the fact that 97% of mobile malware and trojans are on Android. F-Secure's Mobile Threat Report Q1 2014 was a bucket of cold water in terms of just how pervasive attacks on typical users are, and how they can spread through apps into businesses.

Add that to hacks like Snapchat's repeat performances and it's no surprise that app users are getting hacked like there's no tomorrow.

What's worse, mounting evidence shows that app makers haven't put user security first. Because even the most negligent apps -- repeat offenders like Snapchat -- aren't being brought to heel, it's only a growing attack vector for the non-technical victim (who might otherwise take operational security precautions).

4 of 7 Violet Blue/ZDNet

Phishing, phishing and phishing

Phishing is an incredibly popular attack -- because it works. Today's typical phishing attack is an email or text message , fooling the unwitting to click on a link or download an attachment, or image.

The URLs within the message may look correct, or almost-correct, or may look right but go to a redirect page; either way the links lead to infected web pages. Sometimes the pages are hosted on the actual site's server, with the host having been compromised long ago.

One attack uses popular trends, emailing front-page news headlines as if from a friend or a newsletter. Another angle is an email that looks like it comes from a friend or a fellow employee, with a foul link, or a malicious attachment. 

The bottom line is, if you're not expecting it, be suspicious. If you get an official looking email from a bank, or any other business that handles your sensitive information, go directly to the website: Don't click links in emails -- or texts.
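The three link tricks described in this section (a link whose text looks correct, an almost-correct domain, and a redirect through the real site), as an added example that is not part of the original article: a Python check that a mail filter or analyst could run over an email body. The trusted domain `mybank.example`, the 0.85 similarity threshold and the sample message are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

TRUSTED = {"mybank.example"}  # assumption: domains the recipient really uses
URL_LIKE = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/\S*)?$", re.I)
# Constructed sample email body (reserved .example/.test names).
SAMPLE = """<p>Your account is locked. Visit
<a href="http://login.phish.test/verify">www.mybank.example/login</a>,
<a href="https://mybamk.example/login">sign in</a> or
<a href="https://mybank.example/out?next=https://phish.test/x">get help</a>.
<a href="https://www.mybank.example/help">mybank.example/help</a></p>"""

def host(url):
    h = (urlparse(url if "://" in url else "//" + url).hostname or "").lower()
    return h[4:] if h.startswith("www.") else h

class LinkCollector(HTMLParser):  # collects (href, visible text) per <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href, text):
    findings, target = [], host(href)
    if URL_LIKE.match(text) and host(text) != target:
        findings.append("text-mismatch")  # looks correct, goes elsewhere
    trusted = any(target == d or target.endswith("." + d) for d in TRUSTED)
    if not trusted and any(SequenceMatcher(None, target, d).ratio() >= 0.85 for d in TRUSTED):
        findings.append("lookalike")  # almost-correct domain
    params = [v for vs in parse_qs(urlparse(href).query).values() for v in vs]
    if any(v.startswith(("http://", "https://")) and host(v) != target for v in params):
        findings.append("redirect")  # right site, bounces to another host
    return findings

def scan(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]
```

`scan(SAMPLE)` flags the first three links with one finding each and returns an empty list for the genuine help link.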

5 of 7 Arthur Mola/Invision/AP

Social engineering

It's been a known quantity among hackers that social engineering isn't rare in hack attacks, but the past few months have revealed to the wider public that social engineering attacks on regular people — and not only A-listers such as Jennifer Lawrence — are far more common than previously believed. 

Far too many non-technical people have personal information exposed or easily findable, and don't know it -- nor do they know how it gets pieced together by malicious hackers to compromise accounts and perform identity theft.

Many don't know that information like their home address, phone number and family names is available for purchase on so-called 'people finder' websites, which are a gold mine for digital social engineering.

6 of 7 ©iStock.com/adrian825

Bad password practices

Password cracking is still one of the top ways malicious hackers do their smash and grab break-ins -- it doesn't help that the majority of people have been thrown into the consumer end of infosec without being told how to make a safe password.

In fact, most people:

  • Don't block "shoulder surfing"
  • Reuse the same password; use passwords that are easy to guess
  • Can get conned into telling anyone official-seeming (or a malicious log-in) their password
  • Don't set passwords on their phones, tablets or computers
  • Don't use a password manager

The recent release of Dropbox usernames and passwords -- -- was a sobering reminder that password databases get hacked all the time.

7 of 7 Violet Blue/ZDNet

Malvertisements

2014 started with a bad ad bang when in January it was discovered that hundreds of thousands of visitors to Yahoo! were served malware-infected ads. 

Dutch security firm Fox IT said, "Clients visiting yahoo.com received advertisements served by ads.yahoo.com. Some of the advertisements are malicious." After analysis, Fox IT said that malicious payloads were delivered to about 300,000 visitors per hour.

"Given a typical infection rate of 9 percent, this would result in around 27,000 infections every hour. Upon visiting the malicious advertisements, users get redirected to a 'Magnitude' exploit kit via a HTTP redirect."

The attacks on unsuspecting users and web surfers via poisoned ads -- likely tailored to their surfing and clicking habits -- have only increased.

Facebook just , shining more light on the many ways people get hacked by malicious ads. One of the problems the social media/advertising giant fixed was an ad exploit that injected JavaScript "into an ads report email and then leveraging a CSRF bug to make a victim send a malicious email to a target on your behalf."
