Some hacker bought something on my ebay account !! WHAT!
- Thread starter Combat squirrel
- Start date
Because the moment you think you are unassailable is usually the moment you fall. Never think that.
Certainly makes you wonder.
For the exact same reason people think that this is "hacking" or being "hacked".
Because human beings are not infallible and make mistakes. You're making one by assuming you'd never get caught out.
Whilst people certainly make mistakes, such mistakes as these certainly stand out as some of the most ridiculous.
Associate
- Joined
- 18 Oct 2002
- Posts
- 792
- Location
- Darwin, Australia
Why?
People must be still getting caught out by these phishing scams or the scammers wouldn't waste their time trying. Some of these are barely indistinguishable from the real deal.
Come home tired from a long day at work. Have a quick bite to eat and a beer to wash it down... all very easy to make an error in judgement and be caught off guard like this no matter how much of an IT professional you think you are
Associate
- Joined
- 7 May 2006
- Posts
- 1,965
*apologies if this has been said in advance haven't read all 5 pages*
have you complete boot time scan on any of your computers. I use Avast personally and when ever I have to fix someone's pcs I always get there I've scanned for virus etc and have nothing. Then for me to do a boottime scan removing tons of items from a machine that had no viruses according to the installed av software. As the scan runs before the OS kicks in its amazing how much can get hidden from view of AV.
If that's all cleared its most likely they guessed your password or it was found to be the same password used from an exploited site. There are a few websites that you can put your user name and email in to see if websites have been exploited at any point. Adobe was one that I was flagged on a while back but then again I never use the same combination on passwords for anything becomes hard to remember everything but keepass becomes helpful with 256bit passwords on things you don't go into that offend.
have you complete boot time scan on any of your computers. I use Avast personally and when ever I have to fix someone's pcs I always get there I've scanned for virus etc and have nothing. Then for me to do a boottime scan removing tons of items from a machine that had no viruses according to the installed av software. As the scan runs before the OS kicks in its amazing how much can get hidden from view of AV.
If that's all cleared its most likely they guessed your password or it was found to be the same password used from an exploited site. There are a few websites that you can put your user name and email in to see if websites have been exploited at any point. Adobe was one that I was flagged on a while back but then again I never use the same combination on passwords for anything becomes hard to remember everything but keepass becomes helpful with 256bit passwords on things you don't go into that offend.
Associate
- Joined
- 28 Aug 2003
- Posts
- 1,247
- Location
- N Ireland
do you have any kids who might having been looking to buy a playstation?
when my daughter was 5 she got as far online as asking for my credit card to buy flight tickets to hong kong.....
when my daughter was 5 she got as far online as asking for my credit card to buy flight tickets to hong kong.....
Ebay is the worst.FYI this is rubbish. There are exploits out there which can be triggered without any input required by the target user. It's possible, for example, to email someone with an attachment containing an exploit payload, that will execute upon arrival in the user's inbox without them having to click on anything:
https://googleprojectzero.blogspot.co.uk/2016/06/how-to-compromise-enterprise-endpoint.html
That's exactly what it is? Credential theft via social engineering is a time-honoured method for hacking, and it's used in the vast majority of attacks. Almost all breeches involve the use of stolen credentials at some point.
See this is the thing. Use web based email. Why would you have a thick mail client on your home PC these days? Work, maybe, but not personal.
Associate
- Joined
- 7 Feb 2008
- Posts
- 2,377
- Location
- Surrey
To my shame, I allowed my hotmail login to be compromised even though I am always super careful and use a Keepass DB for my passwords. Years ago I used the same email + pw for my hotmail account for my LinkedIn account (very stupid). At the time I barely used that account since I use GMail, so I wasn't concerned about it.
After LinkedIn got hacked in 2012 I changed my LinkedIn password, forgetting that the login they stole was still valid for my hotmail account. Fast forward to this year, and the hackers sold the logins and someone in Belarus tried to access my hotmail account which I am now using for OneDrive (all my important docs, photos etc) :O
Luckily Microsoft blocked them with a security challenge, but it was a proper brown trousers moment. Funnily enough, I actually woke up that morning due to having a nightmare about my phone being hacked and 10 minutes after waking up I got the email about my hotmail being accessed.
After LinkedIn got hacked in 2012 I changed my LinkedIn password, forgetting that the login they stole was still valid for my hotmail account. Fast forward to this year, and the hackers sold the logins and someone in Belarus tried to access my hotmail account which I am now using for OneDrive (all my important docs, photos etc) :O
Luckily Microsoft blocked them with a security challenge, but it was a proper brown trousers moment. Funnily enough, I actually woke up that morning due to having a nightmare about my phone being hacked and 10 minutes after waking up I got the email about my hotmail being accessed.
A lot of virus scanners these days also hook into webmail, so no that won't make any difference.
Besides that was just one example. There are tons of attacks out there that require zero user interaction for their systems to be compromised, many for example embedded in browser plugins or extensions. There was even a bug reported recently with the way Firefox handles certificates that would allow attackers to replace valid extensions with versions containing exploits, and it would all appear as a legitimate update to the extension.
Because, for example you have multiple email accounts and don't want to trust some random site with the logins for them all, or go to 3 or 4 different sites to log into individual webmail services?
Or you want an actual archive of your emails that isn't reliant of a service that can be shut down at little or no notice and gives no guarantee about them retaining your emails?
By using a home mail client you can keep a local copy of everything* and you are not either logging into multiple web clients (via potentially vulnerable browsers), or giving one web service the account details for all your accounts (in much the same way you don't reuse the same password on different sites)..
*I've still got pretty much all my non spam email from the last 10-15 years - it's handy at times being able to look back at certain information (I tend to back up my emails every couple of weeks).
Most people who have fell for phishing via email, phone etc or that their login details have been leaked from x site/forum probably aren't even aware it's happened and still think they are as vigilant as they need to be. More often than not the details aren't used immediately and are sold on in bulk at a later date.