What you need to know about “credential stuffing”

Credential stuffing is a cyberattack that exploits stolen login credentials. PayPal, NortonLifeLock, 23andMe, and Roku are just some of the companies that have reported recent attacks on customer accounts. Here’s how it works:

  1. Data Breaches: Attackers obtain large databases of usernames and passwords through data breaches on various websites or services.
  2. Automated Login Attempts: They use these stolen credentials in automated programs to attempt logging in to other unrelated websites or services.
  3. Preying on Reuse: The attackers rely on the fact that many people reuse the same login credentials (username and password) across multiple accounts.

Imagine a thief who finds a box of keys stolen from various houses. They try these keys on different houses in the neighborhood, hoping some will unlock doors – that’s similar to credential stuffing.

Why it works:

  • People reuse passwords: As mentioned, credential stuffing works because many people use the same login information on multiple sites.
  • Large-scale attacks: Attackers can attempt logins on thousands of accounts very quickly using automated tools.
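For readers who run a login service, this is what that pattern looks like from the defending side. The following is an added example, not part of the original article: it scans login events for one source trying many different usernames in a short time with almost every attempt failing. The event format, thresholds, and function name are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.2):
    """Return {ip: (distinct_users, success_rate)} for sources whose busiest
    window looks like credential stuffing: many different usernames tried
    from one address, with nearly all attempts failing.
    Thresholds are illustrative assumptions, not recommended values."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, rows in by_ip.items():
        start = 0
        for end in range(len(rows)):
            # Move the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            chunk = rows[start:end + 1]
            users = {u for _, u, _ in chunk}
            rate = sum(ok for _, _, ok in chunk) / len(chunk)
            if len(users) >= min_users and rate <= max_success_rate:
                best = flagged.get(ip)
                if best is None or len(users) > best[0]:
                    flagged[ip] = (len(users), round(rate, 2))
    return flagged

# Constructed sample events: (timestamp, source IP, username, succeeded).
T0 = datetime(2024, 1, 1, 12, 0, 0)
def _ev(sec, ip, user, ok):
    return (T0 + timedelta(seconds=sec), ip, user, ok)

SAMPLE = (
    # One source, a new username every 2 seconds; one reused password works.
    [_ev(2 * i, "203.0.113.7", f"user{i}@example.com", i == 6) for i in range(10)]
    # One person mistyping their own password: failures, but a single username.
    + [_ev(10 * i, "198.51.100.4", "alice@example.com", i == 5) for i in range(6)]
    # Shared office address: several users, almost all logins succeed.
    + [_ev(20 * i, "192.0.2.10", f"staff{i}@example.com", i != 2) for i in range(6)]
)

if __name__ == "__main__":
    print(find_stuffing_sources(SAMPLE))
```

Only the first source is flagged: a forgetful user and a shared office address also produce bursts of logins, but not many distinct usernames combined with a low success rate.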

How to protect yourself:

  • Unique passwords: Use strong and unique passwords for every single online account you have. Password managers can be helpful for creating and storing strong passwords.
  • Multi-factor authentication (MFA): Enable MFA whenever available. This adds an extra layer of security by requiring a second verification step beyond just your username and password.
  • Beware of phishing attacks: Phishing attacks can trick you into revealing your login credentials on fake websites. Be cautious of suspicious emails or messages.

FTC warning consumers about new tech support scams – Here’s what you need to know

In their “Anatomy of an Imposter Scam” blog series, the Federal Trade Commission (FTC) breaks down how to recognize, avoid, and report business and government imposter scams. Scammers are targeting people with pop-up warnings or calls claiming to have detected a virus on their computer. Here’s the rundown:

  • The Scam:
    • You receive a pop-up warning or a phone call claiming that a virus has infected your computer or that there is a fraudulent charge on your account.
    • The scammer offers “tech support” to fix the non-existent problem.
    • They pressure you to give them remote access to your computer or phone.
    • Once in control, they might install malware, steal personal information, or pressure you to transfer large sums of money for fake repairs. They may even offer to transfer your call to the “FTC” or “FBI” so that they can “protect” your money.
  • What NOT to do:
    • Never call a number from a pop-up warning.
    • Don’t give remote access to your device to unknown callers.
    • Never transfer money or share personal information based on unsolicited calls.
  • What TO do:
    • If worried about a computer virus, contact your real bank or investment advisor directly using a phone number you know is correct.
    • Report the scam to the FTC at ReportFraud.ftc.gov.

Many scammers impersonate more than one organization in a single scam – for example, a fake Amazon employee might transfer you to a fake bank or even a fake FBI or FTC employee for fake help.

Key Takeaway: Be cautious of unsolicited tech support calls or pop-up warnings. Verifying information directly with trusted sources and avoiding remote access to strangers protects your device and your financial security.

In their latest blog post, the FTC is warning consumers about a new twist on tech support scams. Source: New tech support scammers want your life savings

If you’ve been a victim of a scam and need your device(s) checked out so that you are confident that they are safe to use, contact Computer Techs.