How not to get Hacked (or have your identity stolen)

I’ve had a few cases come across my desk recently about “hacked” / stolen Facebook accounts and even one case bordering on full-scale identity theft. In this post, I’m going to tell you how to defend against these, but first, it’s VITAL to understand the attack vectors a hacker can take. If you don’t understand HOW someone is attacking you, you cannot defend.

How you get “hacked”

1 – Social engineering (the most dangerous and the hardest to protect against)

China famously and brazenly used this to steal the blueprints for the F-35. They did so by having agents pose as employees of the company, using an outside email to casually request classified files. Unsuspecting employees complied and it was done. This can happen with people making a fake Facebook account of someone you know and requesting access, or spoofing email addresses. In all cases, you are complying with the criminal and giving them what they want. So just be extra skeptical when someone is trying to coerce you into granting access. BTW – Facebook will ONLY contact you via Business Support Home for business issues, never really by notifications or by emails. Scammers OFTEN pose as “Facebook Account Security” and will send direct messages to your Facebook PAGE and try to extort you, etc.
The place to go is called Business Support: https://business.facebook.com/business-support-home/
The other place to go is: https://www.facebook.com/hacked

Solution:
  • ALWAYS check the sender (“From”) address on any emails you receive, especially ones posing as Facebook. Instead of trusting the email, navigate to your ad account manually, then check the support inbox from there to see if there’s an issue.
  • Don’t click on suspicious links.
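
The "check the From address" advice above, as an added example that is not part of the original post: it flags a brand name in the sender that does not match the sending domain, and goes slightly beyond the text by also checking Reply-To and the DMARC result, because the From line itself can be forged. The `TRUSTED` allow-list, the function names and the sample messages are assumptions made for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the sender domains you accept as genuine Facebook mail. Verify
# this list against Facebook's own help pages before relying on it.
TRUSTED = {"facebookmail.com", "facebook.com"}

def _domain(header_value):
    """Lower-cased domain of the address in a From or Reply-To header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def _trusted(domain):
    return any(domain == d or domain.endswith("." + d) for d in TRUSTED)

def check_sender(raw, brand="facebook"):
    """Return a list of warnings for one raw e-mail (headers plus body)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(msg.get("From"))
    warnings = []
    # 1. Display name or address uses the brand, but the domain is not the brand's.
    if brand in (name + addr).lower() and not _trusted(from_dom):
        warnings.append(f"claims to be {brand} but is sent from {from_dom or 'no domain'}")
    # 2. Replies would go somewhere other than the apparent sender.
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"replies go to {reply_dom}, not {from_dom}")
    # 3. The From line itself can be forged, so a trusted-looking address also
    #    needs the DMARC pass recorded by your own mail provider.
    auth = msg.get("Authentication-Results", "").lower()
    if _trusted(from_dom) and "dmarc=pass" not in auth:
        warnings.append("trusted-looking From address without a DMARC pass")
    return warnings

# Constructed sample messages (not real mail).
LOOKALIKE = ('From: "Facebook Account Security" <support@facebook-security.example>\n'
             "Reply-To: appeals@mailbox.example\n\nYour page will be disabled.\n")
FORGED = ("From: Facebook <security@facebookmail.com>\n"
          "Authentication-Results: mx.example; dmarc=fail\n\nConfirm your login.\n")
GENUINE = ("From: Facebook <security@facebookmail.com>\n"
           "Authentication-Results: mx.example; dmarc=pass\n\nLogin alert.\n")

if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("forged", FORGED), ("genuine", GENUINE)):
        print(label, check_sender(raw) or "no warnings")
```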

2 – SIM cloning

This is where an attacker clones your SIM card in some way. This can be done without physical access to the device. That means that any 2FA code you get will also be sent at the same time to anybody who has a copy of your SIM. BTW, SIM cloning is very illegal. Obviously.

Solution:
  • Do not open suspicious text messages. Oftentimes, these will come in the form of “your order is stalled” type SMS notifications. Delete them and report them as spam.

3 – Session Duplication / Cookie Jacking

This is how Linus Tech Tips was hacked and had their channel deleted a little over a year ago. A rogue PDF was downloaded by an employee. Once the file was opened, it copied all of the current logins on the browser session, allowing the hacker to log in without even having any passwords. I’ve seen lots of emails for “Invoice #235856” whatever… from rando emails. DELETE THESE!!! 🚩

Solution:
  • Only download PDFs from emails you know / trust. Otherwise, delete the message / send it to spam.

4 – Stolen Credentials Available on the Dark Web / Credit Card “Skimmers”

Any thief can go on the dark web and buy stolen credit card data and use it. They can even receive refunds if the data doesn’t work. It’s a vicious market. Oftentimes, thieves will use the data to make small purchases so that you won’t notice (especially things like Uber Eats). So check your credit card statements. Credentials can also be stolen with physical devices overlaid on checkout machines / gas pumps / etc.

Solution:
  • If you’re really paranoid, you can buy devices that will check for credit card skimmers.
  • Check your statements monthly and look for suspicious activity.
  • Call the number on the back of your card immediately if you notice suspicious activity.
  • Getting a re-issued card with a new number is generally sufficient to stop this, unless the card data is swiped again.

5 – You’re Secure, but someone else isn’t.

There was an issue a few months ago where someone I was working with did not have 2FA turned on. The “hacker” gained access to their Facebook account and that person lost the account. This person had access to an ad account I was working on, BUT, because I only granted this person limited permissions (view only) since all they dealt with was data entry, no further damage could POSSIBLY be done.

Solution:
  • Make sure everybody on your team at LEAST has 2FA turned on, especially for their Facebook and email accounts.
  • Only give people working with you software-level permissions for what they actually need to access. This is why it’s crucial to understand user accounts instead of just sharing your login around.