How to reduce criminals spying on you

October 3, 2018 — April 9, 2020

computers are awful
confidentiality
wonk

Being aware of how people try to get your confidential data and how to avoid it.

Base level.

0.1 Passwords

Do you recycle passwords? You are a danger to yourself, your loved ones, and your colleagues. Someone probably has your password, can impersonate you, and can use that to trick your friends. You are willfully spreading crime, mayhem, and confusion. Fix this problem using a password manager, which is easy, simple, and, unless you have specialized needs, free.

1 General hardening of your computers

Minimizing exposure to viruses, malware, and foolishness is a starting point. See the various guides to that, e.g. the macOS guide by drduh and the various UK NCSC guides, such as the one for Ubuntu.

2 Phishing

How do people get your info? The easiest way for them is to ask you, in a clever way. This is phishing, and being aware of how it works is essential because our systems are broken and this nonsense is much easier for the baddies than it should be.

What kind of idiot gets phished?

Phia wonders what kind of person falls for phishing attacks. Is it only insanely gullible luddites, or can smart, tech-savvy people get phished, too? To find out, she conducts an experiment on her poor, unsuspecting coworkers.

Spoiler: Everyone is vulnerable to this nonsense.

Level up: Look at how this is done by the pros:

gophish:

Gophish is a phishing framework that makes the simulation of real-world phishing attacks dead-simple. The idea behind gophish is simple — make industry-grade phishing training available to everyone.

Evilginx2

Evilginx is an attack framework for setting up phishing pages. Instead of serving templates of sign-in page lookalikes, Evilginx becomes a relay between the real website and the phished user. The phished user interacts with the real website, while Evilginx captures all the data being transmitted between the two parties.

Evilginx, being the man-in-the-middle, captures not only usernames and passwords, but also captures authentication tokens sent as cookies.[…]

Even if the phished user has 2FA enabled, the attacker, outfitted with just a domain and a VPS server, is able to remotely take over his/her account. It doesn’t matter if 2FA is using SMS codes, a mobile authenticator app, or recovery keys.
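
Seen from the defending website's side, a captured session cookie tends to show up as the same session being presented later by a different client. The sketch below is an added example, not part of the original post or of the Evilginx project; the log format, the sample records, and the "network and User-Agent both changed" heuristic are all assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Constructed access-log sample (not real traffic). Columns:
# timestamp, truncated hash of the session cookie, client IP, User-Agent.
SAMPLE_LOG = '''\
2020-04-09T10:00:01Z,ab12cd34,198.51.100.7,"Mozilla/5.0 (Macintosh) Firefox/75.0"
2020-04-09T10:00:09Z,ab12cd34,198.51.100.7,"Mozilla/5.0 (Macintosh) Firefox/75.0"
2020-04-09T10:01:30Z,77aa00ff,192.0.2.10,"Mozilla/5.0 (X11; Linux) Chrome/80.0"
2020-04-09T10:02:12Z,77aa00ff,192.0.2.99,"Mozilla/5.0 (X11; Linux) Chrome/80.0"
2020-04-09T10:05:44Z,ab12cd34,203.0.113.50,"Mozilla/5.0 (Windows NT 10.0) Chrome/80.0"
'''


def network_of(ip_text):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6) so small moves do not alert."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def find_replayed_sessions(log_text):
    """Return alerts for session cookies later presented by a different client.

    Assumed heuristic: flag a request only when both the network and the
    User-Agent differ from the first request that used the same session.
    """
    first_seen = {}  # session id -> (network, user agent) of first use
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue  # tolerate blank lines in the log
        ts, sid, ip, ua = row
        fingerprint = (network_of(ip), ua)
        original = first_seen.setdefault(sid, fingerprint)
        if fingerprint[0] != original[0] and fingerprint[1] != original[1]:
            alerts.append({"time": ts, "session": sid,
                           "first": original, "now": fingerprint})
    return alerts


if __name__ == "__main__":
    for alert in find_replayed_sessions(SAMPLE_LOG):
        print(alert)
```

A client that copies the original User-Agent or shares the original network will not trip this check, so it is a starting signal for review rather than a complete control.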