"My Email account is hacked" or " Some hacker has hacked my email account", did these quotes sound familiar to you Guys, if not then soon gonna be if you are not aware of latest techniques used by hackers to hack into your email accounts. After reading such comments there are two things that always come to my mind, either hacking email account is to easy for hackers or protecting email account for getting hacked is too difficult. And after thinking about both above points, i starts laughing because both are true for Hackers and both are false for unaware users.
Note: If a Hacker wants to hack you Email or system, he will hack it. The only thing you can do is, just make it harder for him to do the same.
Friends, after spending my precious 5 years in field of Hacking and Cyber security, i reached a very simple conclusion. Email accounts can only be hacked by means of
Social Engineering technique, and whoever says that he can hack email account using some other technique then friends he is a liar.
Now what all topics are covered in Social Engineering Technique:
1. Phishing or fake page login technique.
2. Spreading Keyloggers in form of cracks, keygens, or hack tools(RAT's , keyloggers, etc).
3. Shouldering passwords.
4. Guessing Weak Passwords.
5. Compromising Accounts with Friends or team mates
6. Using Accounts from Cyber cafe's or other insecure places like friends PC or college PC's.
So friends let's start from one by one, how you all can protect yourself from hackers.
1. Phishing or Fake Pages Login Technique
In this technique, what hacker does is that, he makes a local(fake) copy of original website which looks absolutely similar to original one and attaches his PHP action scripts to record the passwords and then uploads that local copy to some free web hosting server. After uploading, he shares the links with friends or victims by three different ways:
a. By Sending Emails : Emails can be spoofed and looks like they are coming from genuine sources like Gmail Support or Yahoo Support etc or Simply from your most trusted friends.
Now which type of emails you should not open:
- Emails asking for account verification: These emails ask for you email account username or passwords to verify your details.
- Emails showing Prize Money or lotteries: Nowadays, we all receive a lot of email messages like "You have Won Prize Money or Lottery of so and so amount. These emails usually ask your name, age occupation, mobile number, sometimes credit card details. And when you provide all these information they ask you to verify your Mobile number. They usually say you will receive one unique verification code on your mobile and ask you to enter that verification code in some unknown website. Note: This is mobile phone verification loophole of all Email services. They all sent verification in below format: " Your Google Verification Code is 123456 or Your Yahoo verification code is 123456 or Your Hotmail verification code is 123456". Means these services doesn't mention that "your Gmail or Yahoo or Hotmail password reset code is 123456" so user is easily get fooled by such offers and become the prey to hackers.
- Emails from unsolicited or unknown sources: Never open the emails which comes from unknown sources.
- Never access any social networking website link from your email as it can be a Phish Page link.
Some useful and handy guidelines to identify Phish Pages:
1. Always check the URL in the address bar ( both source and destination). Never login in the URL which has website URL other than the original one.
2. Most important: Always use web security toolbar(avg,avira or crawler etc), most of them are available for free. They will detect the fake pages and warn you from opening them.
b. Using Chat services
Never open the links that are being posted in chat rooms, there are lots of Ajax and java scripts available in market that can retrieve all your stored passwords from your web browser.
c. Sharing Content on some website and that website is asking for registration with is followed by email verification. Hackers share their links on famous forums or torrents, when user open these link either of the above two things happen or a key logger or RAT is attached with them that will record you email address and password and send the information to hackers email account or FTP mail.
2. Spreading Keyloggers in form of cracks, keygens, or hack tools(RAT's , keyloggers, etc).
This is the most used hacking technique used by almost every hacker to hack the users email accounts. In this technique, hackers attach their keylogger or RAT servers with the crack or keygen or patch or hack tools and whenever user executes that it got installed automatically.
In this case hackers use the below loophole: Whenever you open a keygen or patch or crack or hack tool, your antivirus shows you are warning message but users always ignore these as hackers or cracks provider has already instructed the users that turn off the antivirus before running patch or keygen.
So friends 4 things to note here:
a. Never use cracked or patched software's as they already contains Trojan's which are controlled on basis of timestamp.
Solution: Look for any freeware providing the same features. If you request i will give you the list for freeware alternatives for all paid software's.
b. Never turn off your antiviruses or anti-spywares or web security toolbar.
c. Regularly update your antivirus and anti spyware programs.
d. If you wanna try any hacking software or hack tool, then always use sandbox browser or use Deep Freeze.
3. Shouldering passwords
Seeing or watching the user, while he/she is typing his password is called shouldering. Most of time we types our passwords in front of our friends or colleagues. Nowadays what usually friends or classmates do is that, they stand in back of you and keep a eye on you while you are typing passwords. This technique is also used at ATM machines, thieves or malicious people watch people while they were entering the ATM pin and then misuse that online.
Solution: Always take care that nobody is watching you while you are typing passwords. If not possible to do so try to avoid logging into your accounts when your friends are near you.
Note: Never store passwords in your web browsers. Otherwise, friends like me ask you to bring water for me and when you go out, i will see you all saved passwords :P..
4. Guessing Weak Passwords
Its not a new thing, i have told people more than hundreds of time not to use weak or very common passwords but they will never learn. Few basic passwords that unaware or novice IT people use:
a. 6 to 8 consecutive character on the keyboard or alphabets like qwerty, 1234567, abcdefgh etc.
b. Atleast 30% of people keep their current or previous mobile numbers as their passwords.
c. More than 10% keep their girlfriend name or her mobile number as password.
d. But nowadays password policy are quite good, so novice people also became smart as most of websites ask atleast one Capital letter, one number and one special character in password. Now friends, guess what will be their passwords:
1. Suppose its december then their password will be like: Dec@2011 or Dec123! or Dec2011@.
2. How can they forget keyboards consequite keys like qwert123!, qwerty123$, abc123! etc.
3. Offcourse, none can forget his girlfriend name : girlfrindfirstname123! or more smart people GFNAME1!.
Hahaha.... thats really foolish.
Some tips for strong passwords:
1. Always keep your password atleast 8 chars long.
2. Use special characters and number and small n upper case combination in your password.
3. Verify your mobile numbers if available.
4. Keep changing your passwords at-least once a month.
5. Compromising Accounts with Friends or team mates
Its one of the most common problem with team mates and friends. "Today i am not coming to office or college, please use my login ID and password and forward the details or some files" or "Your friend went to your home and suppose you are away from your house, now what you will do, hey use my username and password and take your files or documents". What the hell is this? You call yourself professional, and every time you yourself violating the password and account policy norms.
Never share your account information with anyone. People like me are very dangerous, if you share your pass with me then you are done :P..
Solution: Never tell your account information to anyone. If its urgent, you can share it but you need to change your details as soon as possible.
6. Using Accounts from Cyber cafe's or other insecure places like friends PC or college PC's.
Most of cyber cafe's or college computers have keyloggers or rats installed on them. Whenever you login into your account through cybercafe, none can give you assurance that your account is safe or hacked. So always play it safe. If you login into your account through cyber cafe's, always change them as soon as possible.
Now friends, if you follow all the above steps told by me, then your account can never be hacked and for sure you will never get a chance to say "My EMail account is hacked" or "Someone has hacked my email".