Sunday, September 29, 2024

Cybersecurity FAQ

I regularly contribute to a subreddit named Cybersecurity_help and a few other subreddit groups on Reddit.com, where I help answer questions on a wide range of topics, including online safety, identity theft, scams, extortion, malware, and viruses. I often encounter repeated questions in these forums, so I decided to consolidate all the frequently asked questions (FAQs) in one place. This way, cybercrime victims seeking help or advice can find answers and support for many of the frequently asked questions here. While this isn’t a comprehensive list, it covers many of the questions I’ve seen posted in these forums. This will be a living blog to which I will continually add as I find more of these repeated questions.

FAQs

1. Someone on the internet says they know my IP address, I am scared.

There is a common misconception among many internet users that knowing their IP address somehow gives someone the power to “hack” them. This myth has been spread by non-technical users, social media, and news outlets, among others. The fact is, every website you visit knows your IP address because it needs this information to send content (text, images, etc.) to your browser so that it can be displayed on your screen. This is how everything on the internet works, not just websites. In addition to your IP address, your internet browser provides much more information to the websites you visit than you may realize. Visit this link (https://myip.selvansoft.com) to see some (not all) of the details your browser shares with websites you visit. An IP address is just a number; only your Internet Service Provider (ISP) knows that it was assigned to you, and they will not disclose your information unless they receive a request from law enforcement accompanied by a proper court order. Being afraid that someone knows your IP address is like worrying that people saw your car’s license plate number while you were driving around the city. Unless you’ve committed a crime and are fleeing from law enforcement, this isn’t a problem. Similarly, if you haven’t done anything unlawful online, you have nothing to worry about if someone claims they have your IP address. They can’t do anything with it.

2. I got an email mentioning Pegasus, is this real?

The Pegasus email scam is one of the most popular scams in circulation, and yes, it is 100% a scam. While it is true that Pegasus is a sophisticated spyware developed by the Israeli cyber-arms company NSO Group, it is used for surveillance purposes, often by government agencies and law enforcement for espionage and counter-espionage activities. Ordinary citizens are not the target. The idea behind this scam email is to use scare tactics with bits and pieces of information like your address, name, email, phone number, a picture of your house from Google Maps etc. all of which are publicly available, to make you send them money. Whatever you do, never send money. Just delete and block this email as spam and move on with your life. No one is going to come after you.

3. Does VPN keep me safe online?

First, a VPN (Virtual Private Network) is a privacy tool that primarily focuses on your privacy by masking your IP address and encrypting your internet traffic. It is not a security tool. While privacy and security do overlap, they are distinct concepts. Privacy is about protecting your personal information and activities from being observed, while security involves protecting your data and device from unauthorized access and threats. That said, if you think running a VPN will protect you from all compromises, you are misinformed. You could run a VPN and still visit a malware site, install pirated software, or use a compromised network, and your device would be compromised just like anyone not using a VPN. Moreover, pretty much all data communication today is done in encrypted form. As long as you are using the HTTPS protocol, you are relatively safe, and you don’t necessarily need a VPN. See additional details at the blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html).

4. My name, address, phone are listed on a website, what do I do?

While this is a problem, the short answer is that there isn’t much you can do other than ask them to remove it, which is not an easy task. You can follow this blog (https://blog.selvansoft.com/2022/07/how-much-of-your-info-is-freely.html) for guidance or try a paid service like Incogni or Optery. The reality is that many data aggregator sites collect your publicly available data, such as your name, address, and phone number, and sell it legally to anyone online. This is a big business, and these data aggregator sites are popping up all over and are here to stay.

5. I sent intimate photos to someone online, and now they are threatening to share them with my contacts if I don’t send them money. I am scared. What should I do?

There is nothing you can do at this point but block and ignore them. Most importantly, never send any money; if you do, that will only make them ask for more, and it will never stop. Likely, the scammer will move on to the next victim. However, be prepared for the possibility that they might get angry and send your pictures to your contacts if they have access to them. While it’s very unlikely this would happen, as they could be scamming someone else instead of wasting time on you, there’s a chance they might persist if they believe you’re a high-value target with the potential for a significant payout. In that case, they would likely continue with the charade. I hope you learned your lesson.

6. I see a lot of attempted logins on my Microsoft account. How do I stop it?

Though it may sound strange, the short answer is that it is normal these days to see multiple attempts daily or even hourly. With so many data breaches in the last decade or so, pretty much everyone’s e-mail address has been leaked. You can check your e-mail address at HIBP (https://haveibeenpwned.com/). Scammers use automated scripts to attempt to log in with your email address using an attack technique called credential stuffing (i.e., trying leaked passwords), and it will not stop. Just ignore it: as long as your account is well protected with a unique, strong password and MFA with an authenticator app or, better, hardware keys, or passwordless login, you have nothing to worry about. There is a way to minimize these attempts: reduce the number of email aliases on your account that have login ability. The more aliases you have, the more attempts you will see, since the attempts multiply by the alias count. Restricting which alias can log in and removing login ability from the others reduces the attempts and lowers the risk. Follow the link (https://account.live.com/SignInPreferences) while logged into your Microsoft account and check whether you have multiple aliases with login privilege. Finally, by creating a brand-new alias and allowing only that alias to log in, you can stop these attempts altogether… well, until your new alias is leaked down the road 😁.

7. Is using public Wi-Fi safe? 

Public WiFi (airport, hotel, coffee shop, etc.) comes with inherent security risks. While complete safety is impossible to achieve, you can significantly improve your online security by following good cyber hygiene best practices. Avoid sensitive transactions like logging into bank accounts, credit card portals, or other financial platforms while connected. If the website you visit does not offer HTTPS transport, do not visit it. Make a habit of only visiting sites that offer HTTPS transport, even on private networks. Enable your firewall; most operating systems come equipped with a built-in firewall, so enable it and block all inbound connections. Keeping your firewall enabled is a simple yet effective way to bolster your security on any network, public or private. Optionally, you can run a VPN for an additional layer of protection. However, it’s not strictly necessary. Contrary to popular belief, a VPN doesn’t make you invincible. Here is a blog (https://blog.selvansoft.com/2024/06/vpn-myth-vs-reality.html) that outlines what a VPN is and is not, if you’re interested in reading it.

8. I opened a sketchy PDF file. Is my computer compromised?

While there are documented cases of malicious executable code being embedded in PDF files, malware cannot do anything on its own. It relies on exploiting vulnerabilities in your PDF reader software to run. Therefore, the security of your system depends on the PDF reader you use. If you keep your operating system and applications updated with the latest security patches, you should be fine. For example, if you opened the PDF with your browser, which is typically the case, as long as your browser is updated with all the recent updates, you should be fine even if the PDF is infected with malware. Finally, if you only downloaded the PDF and did not open it, it should not cause any damage whatsoever. Just delete the PDF and move on.

9. I was part of a data breach; how do I protect myself from identity theft? 

First, you are not alone. Given the numerous major data breaches in recent years, many people’s SSNs are unfortunately exposed. For instance, the AT&T breach in 2022 reportedly compromised the SSNs of between 50-100 million customers. Additionally, the recent National Public Data leak included a vast number of individuals. To prevent identity theft, you should freeze your credit reports. This restricts access to your credit information, making it difficult for criminals to open new accounts in your name. You can easily freeze and unfreeze your credit as needed, such as when applying for a loan or credit card. Here’s a simple blog (https://blog.selvansoft.com/2023/05/howto-credit-freeze.html) outlining how to freeze your credit.

10. I changed my password and enabled MFA, but an attacker still accessed my account. How?

It is likely that you have info-stealing malware on your device, which exfiltrated your authenticated session token. Alternatively, you may have visited a malware-laced site that ran a malicious script to read your authenticated session token. Either way, a remote attacker has your authenticated session token. This is a form of attack called session hijacking. Keep in mind that strong passwords, MFA, and hardware keys are irrelevant against session hijacking attacks, as the attacker can use the valid session token to log in as you until the session token expires, which can be hours, days, or even weeks, depending on how the session management is implemented on the website. To remove the access, you need to invalidate your sessions by logging out of all your accounts on all your devices. In case you find your device is infected with a virus or malware, follow FAQ #11 below to remove it.

11. My computer is infected with malware. How did it happen, and how do I recover?

The root cause could be anything from installing pirated software or cheat codes to clicking on malicious links or visiting compromised websites (inadvertently or intentionally) and more. Run a full scan of your device with a malware scanner like Malwarebytes and/or a good VirusScan tool to remove/clean the infection. In most cases, that is all you need to do. However, while most virus/malware removal tools do a good job of removing infections, they may not be effective if you are infected with a persistent rootkit. In that case, you may have to do a complete wipe (wipe the hard drive, including the EFI partition) and reinstall the OS. This is quite different from the typical “Windows reset/reinstall” step most people are familiar with, which doesn’t remove things hiding in partitions outside the reach of a standard OS reset/reinstall. An explanation of how to do that is outside the scope of this answer, but you can consult an expert to help you accomplish it, or you can do it yourself by following the FAQ #13 below. Finally, to prevent future attacks, be cautious about the websites you visit, avoid clicking on random links, and refrain from downloading pirated software or crack codes, etc.

12. How do I backup my Google Authenticator secrets?

As a cybersecurity professional and practitioner, I would not advocate syncing authenticator secrets to any form of cloud storage; instead, keep them local. MFA is your second layer of protection and having the secrets for generating OTPs for MFA reside in the cloud makes you vulnerable in the event of future data leaks. Follow my instructions below to detach Authenticator from Google cloud sync and take responsibility for guarding your secrets under your control. 

First, export all your secrets. Google Authenticator allows you to export all secrets to a giant QR code. Save this QR code image to your local drive and follow these steps.

  1. Enable Google sync.
  2. Now delete all the secrets.
  3. Let Google sync the empty Authenticator.
  4. Now, disable Google sync.
  5. Import everything back from the giant QR code you saved above.
  6. Keep the QR code in a safe place or, better yet, print a paper copy to store it.

Ultimately, Authenticator cloud syncing boils down to the "convenience over security" argument. In the digital age, online security is your lifeline. Therefore, I generally advise everyone to never prioritize convenience over security.

13. How do I completely wipe my hard drive to remove a rootkit or to dispose of it with no sensitive information?

Contrary to popular belief, deleting partitions and formatting a drive does not truly wipe data. While it renders the data inaccessible to the operating system, the actual data persists on the drive until overwritten by new information. Therefore, if your system was compromised with a rootkit (which commonly hides in the EFI partition), repartitioning or formatting does not guarantee its removal. To achieve a completely clean drive, every byte in every sector must be overwritten with zeros (or random bytes) before partitioning and formatting to install a fresh OS. While numerous methods exist for wiping a drive clean, here's a straightforward approach if you have basic command-line skills in Linux.

First, download a Linux distribution (e.g., Ubuntu) to a USB drive, then shut down your machine and boot from it (adjust BIOS settings to prioritize USB boot). Once in Linux, open a terminal and type "sudo su" to gain root privileges. Identify the device file corresponding to your Windows hard drive/SSD. This will typically resemble /dev/sdc or /dev/sdd. For reference, the screenshot below shows a Windows hard drive at /dev/sdi. Ignore other details in the screenshot as they pertain to a different context.


You can determine your Windows drive's device file by running "fdisk -l" and examining the output. Once you identify your Windows drive's device file, execute the following command, replacing "/dev/sdi" with your actual device file.

shred -vf -n1 /dev/sdi 

Be prepared for a lengthy process (potentially hours) depending on the hard drive or SSD's size. Note: If you are disposing of the hard drive, remove the -n1 argument to shred. It would not be a bad idea to perform a full scan of all the data you have backed up from the infected drive. In fact, it is quite easy to do so in the step mentioned above while operating under Linux. You can install ClamAV (https://www.clamav.net/) with the command "apt install clamav". Then, identify the mount point of the USB drive that contains your backup data and run clamscan on it. This can be done simultaneously while you are wiping your hard drive as described in the previous step. Once your drive is completely wiped and your backup data has been scanned, install a fresh copy of Windows from read-only media. At this point, your Windows installation should be as clean as a whistle.
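The most common way the shred step goes wrong is pointing it at the wrong device (the live USB, a mounted backup drive, or a single partition instead of the whole disk). The script below is an added example, not part of the original post: it wraps the same shred command with those checks, and the function names (wipe_disk, is_whole_disk, is_in_mount_table, shred_args, root_disk) are my own choices. The "rootkit" mode runs the one-pass command from the post; "dispose" drops -n1 as the note above suggests.

```shell
#!/bin/sh
# Added example (not from the original post): guarded wrapper around the shred step.
# It refuses to touch anything unless the target is a whole-disk device name, exists
# as a block device, is not mounted, and is not the disk the live USB booted from.

# 0 if $1 is a whole-disk device name (/dev/sdi, /dev/nvme0n1), not a partition.
is_whole_disk() {
    case "$1" in
        /dev/sd[a-z]|/dev/sd[a-z][a-z]|/dev/vd[a-z]|/dev/nvme[0-9]n[0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if mount-table text $2 (normally the contents of /proc/mounts, passed in so it can
# be tested offline) references device $1 or any of its partitions (prefix match, so
# erring toward "mounted" is the safe direction).
is_in_mount_table() {
    printf '%s\n' "$2" | grep -q "^$1"
}

# shred options for mode $1: "rootkit" = one pass of random data, as in the post;
# "dispose" = drop -n1 so shred falls back to its default of three passes.
shred_args() {
    case "$1" in rootkit) printf '%s\n' "-vf -n1" ;; dispose) printf '%s\n' "-vf" ;; *) return 1 ;; esac
}

# Name (without /dev/) of the disk holding the running root filesystem, or empty.
root_disk() {
    lsblk -no pkname "$(findmnt -no SOURCE / 2>/dev/null)" 2>/dev/null || true
}

# wipe_disk MODE DEVICE: run every check, then shred. Only the last line writes to disk.
wipe_disk() {
    mode="$1"; dev="$2"
    is_whole_disk "$dev" || { echo "refusing: $dev is not a whole-disk device" >&2; return 2; }
    [ -b "$dev" ] || { echo "refusing: $dev is not a block device" >&2; return 2; }
    if is_in_mount_table "$dev" "$(cat /proc/mounts)"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2; return 2
    fi
    [ "/dev/$(root_disk)" != "$dev" ] || { echo "refusing: $dev holds the running system" >&2; return 2; }
    opts="$(shred_args "$mode")" || { echo "usage: wipe_disk rootkit|dispose /dev/sdX" >&2; return 2; }
    # SSD caveat: wear levelling can leave stale cells that overwrites never reach; for an
    # SSD the drive's built-in secure erase (via hdparm or nvme-cli) is the reliable method.
    echo "running: shred $opts $dev"
    shred $opts "$dev"   # $opts intentionally unquoted so the options split into words
}

if [ "$#" -eq 2 ]; then
    wipe_disk "$1" "$2"
fi
```

Run it from the live Linux session as root, e.g. "sh wipe.sh rootkit /dev/sdi"; any refusal exits with status 2 and explains which check failed.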