It was Easter 2018. I was still in high school, and like many teenagers, I was a bit reckless. I signed up for a website that promised safety, unaw...
Happens all the time.
Very nice share. Although, I would not recommend the "teasing strategy" to everyone, especially beginners.
Sometimes, there's no need for it. You'll be attacked by some random kiddies or more advanced fuckers (sorry for my language, but I've no consideration for these guys).
Don't feed the troll, as you don't know who you're dealing with and whether the cybercriminal takes it as a game or not.
In my experience, defense in layers works with such adversaries, but it's not bulletproof. Nothing is. In any case, have a good security hygiene and do everything you can to protect what is valuable to you (threat model) while keeping things simple and a normal life.
Thank you for the contribution to the article. I agree with your perspective. From the point of view of a researcher, it's just in my nature to bait so I can learn, but for most people, you're absolutely right that it's a step too far.
I understand your curiosity. However, even as a researcher, it's a dangerous field. Don't get me wrong. I love these topics too, but like the movie says "you see them, they see you" ^^
I've seen many professionals using honeypots but with strict rules and compartmentalizing.
I try (often futilely) to control my language, but these types tend to bring out the worst in me as well.
Creating fake accounts and all that is just too much freaking work.
Also, 99.9999% of hacks are due to a bot finding something stupid you did some time ago that you forgot about. You can patch it and move on, it's not a nightmare scenario.
A nightmare scenario is a hacker who stalks you, tracking any and all your info just to screw with you every chance they get.
You know how you end up there? By honeypotting them, teasing them, annoying them.
The average joe is better off just using 2-step auth, changing their passwords periodically and trying not to reuse the same passwords in multiple places.
Every time someone tempts hackers, they get hacked. That's the name of the game.
You can also subscribe to notifications on this site (assuming that you own the email in question). This is the only way to get information about being in sensitive breaches.
Even better than using SMS (not that safe because of SIM-swap attacks, and phishable, but better than nothing), or OTP (better, but still phishable), is to use a U2F hardware key like FIDO.
I just thought about it now, but wouldn't it be much safer to just remove your card information from sites like Amazon? That way, if your account gets compromised, you won't have to go through the headache of getting refunded.
I also find that updating passcodes 12-6 months of the year for sensitive accounts goes a long way.
Wonderful article with super great tips, thank you for sharing!
You seem to have a lot of email accounts. What solution do you use to store their passwords?
Browsers only store them in plaintext AFAIK, so I'm looking for a solution.
Passbolt is good in a corporate environment where you can host it on prem, but I'm looking for something more suited for a home network.
I've honestly never used a password manager before, I tend to save passwords in files on a USB
I use Passbolt to manage my private passwords along with my teammates. However, this is not a good fit for personal use. There are some options like LastPass, KeePass, Dashlane and Bitwarden. Google these password managers and find out your best choice. 😎
Thanks! I'll check out those suggestions.
I'm surprised that nobody mentioned to NOT give valid information for sites that insist on it, like birth date. No site (other than potentially a financial/banking site) needs to know your actual birth date, especially social media sites! I give no accurate information to any site that doesn't actually need the information. This also gives a weak oracle for a spear phishing attack, as you would hopefully put unique information in each site, which gives a hint to you for which one was compromised.
That's a really good point that I missed in the article. You don't owe any company your information.
I got scared this year when someone accessed my old e-mail account and turned on two-factor for LinkedIn (with their phone number). So I was not able to log in anymore. I surely had not updated that e-mail password for a while and it's probably pwned. I had that e-mail also connected to my LinkedIn account.
Luckily LinkedIn had a very good recovery process involving sending government ID documents and everything resolved within minutes.
I don't think that's going to help. Any reasonably sized attack is going to be automated. The work spent creating extra accounts and trying to make them look "enticing" will take longer than the CPU cycles that add one more account to the list of accounts to try and phish.
The suggestion of using 2FA is an excellent one, however. I wish everyone did that.
Awesome share. Keep it up
I'm not clear from the article how exactly you got hacked?
I agree with most parts of this article, but I wouldn't recommend using SMS 2FA if other methods are supported, because of SIM swap attacks.