There is a trick against hacking: how hackers crack passwords of Russians in seconds
Neural networks help cybercriminals crack Russians' passwords in a matter of seconds. According to experts, simple combinations can take up to a minute to crack, and passwords with letter and character substitutions can take several minutes. Izvestia found out how to choose a strong password and how to protect yourself from the convincing schemes of scammers who have put AI at their service.
A quick hack
Neural networks have made life easier for hackers: they can now crack passwords for services and social networks in a few seconds. Sergey Voldokhin, CEO of Start X and a resident of the Cyberdome business club, told Izvestia about this.
"Imagine that you are typing a message on your phone and the keyboard assistant offers to finish a word or phrase for you. Sometimes it guesses so accurately that it feels like it's reading your mind. This is roughly how modern neural networks work when cracking passwords," Voldokhin explained.
According to him, scammers use special programs that have "learned" from millions of stolen passwords from past leaks. These programs already "know" that many people use similar techniques when creating passwords: replacing the letter "a" with "@", or adding the character "!" or the year.
Based on this knowledge, the neural network creates a huge list of likely passwords. For example, if the password "password" is often used somewhere, the program will suggest the variants p@ssword, Password123, Password2025 and many other combinations.
"These guesses are then loaded into password-guessing programs that check each option. As a result, a simple password of eight characters (letters and numbers) is cracked in a matter of seconds, and a more complex password of 12 characters can be cracked in a few hours," says Izvestia's interlocutor.
Which passwords are the easiest to crack?
As Sergey Voldokhin explains, simple combinations are the fastest to crack. These are common dictionary words, the person's year of birth, a pet's name, a season with the year added (for example, "summer 2025" or "winter 2024"), and adjacent letters on the keyboard.
Passwords with predictable character substitutions take a little longer to crack, but still only minutes. Many people think that replacing letters with symbols makes a password secure, but modern programs easily recognize such patterns:
- replacing the letter "o" with the number 0;
- adding a "!" at the end of the password.
"Reused passwords are especially dangerous. If you use the same password on different sites, it's enough for an attacker to hack your account on a less secure resource (for example, on a forum or in an online game) to gain access to more important services, including banking," the expert notes.
At the same time, adds Alexander Dubrovin, a business partner at the Edna IT company, fraudsters can be helped by leaked databases that already contain passwords from some social networks and services. Therefore, it is worth checking whether your data appears in such databases and urgently changing leaked passwords, especially if they are used on different services.
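The patterns named in this section (letter-to-symbol substitutions, a trailing "!" or year, a season plus a year, adjacent keys) can be checked on the defender's side when a password is set. The following Python check is an added example, not part of the original article; the word list, the extra substitutions and all function names are assumptions made for illustration.

```python
import re

# Reverse map for the substitutions the article names ("a" -> "@", "o" -> "0");
# the remaining entries are common variants added here as assumptions.
UNLEET = str.maketrans({"@": "a", "0": "o", "3": "e", "1": "l", "$": "s", "5": "s"})

# Constructed sample list; a real check would load a large dictionary plus
# words tied to the user (pet name, city, family names).
COMMON_WORDS = {"password", "summer", "winter", "spring", "autumn", "hello"}

KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def base_candidates(password):
    """Strip predictable decorations and return the possible base words."""
    core = password.lower().rstrip("!")               # "!" added at the end
    undecorated = re.sub(r"[\s_.-]*\d+$", "", core)   # trailing year or counter
    # Keep both readings: trailing digits may be a suffix ("password123")
    # or part of the substituted word itself ("hell0").
    return {core.translate(UNLEET), undecorated.translate(UNLEET)}


def is_keyboard_run(password, min_len=4):
    """True when the whole password is a run of adjacent keys on one row."""
    s = password.lower()
    return len(s) >= min_len and any(
        s in row or s in row[::-1] for row in KEYBOARD_ROWS
    )


def weaknesses(password):
    """Return the reasons a pattern-aware guesser would try this password early."""
    reasons = []
    hits = sorted(base_candidates(password) & COMMON_WORDS)
    if hits:
        reasons.append(f"reduces to common word '{hits[0]}'")
    if is_keyboard_run(password):
        reasons.append("adjacent keys on one keyboard row")
    if re.fullmatch(r"\d+", password):
        reasons.append("digits only, such as a year or date")
    return reasons


if __name__ == "__main__":
    # Constructed sample passwords, including the variants quoted in the article.
    for sample in ("p@ssword", "Password2025", "summer 2025", "qwerty", "tQ7#vL2p^Zr9mK"):
        print(f"{sample!r}: {weaknesses(sample) or 'no known pattern'}")
```

An empty result only means that none of these patterns matched; the constructed word list here is far smaller than the leak-derived lists the article describes.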
What profiles are scammers interested in?
According to Sargis Shmavonian, an expert at Cyberprotect, scammers don't just collect passwords — they hunt for specific accounts that can benefit them:
- financial services — online banking, electronic wallets, payment systems;
- trading platforms — marketplaces with linked cards, delivery services, accounts with accumulated points;
- personal information storages — cloud services with documents, mailboxes (especially those linked to other services), social networks with personal correspondence;
- premium service accounts: games, subscriptions, and services that provide access to paid services.
"Once they have access, attackers can debit money from linked cards, take out online loans or microloans in a person's name, steal or sell personal data (passport information, addresses, phone numbers), and use a person's identity to scam other people," says Sergey Voldokhin.
According to him, hackers can generally hack into any accounts, but recently they have increasingly shown interest in employees of companies that deal with sensitive information. These are key account managers, specialists and heads of IT departments, accounting departments, and legal departments. Fraudsters may also sell access to such accounts to competitors.
Cybercriminals can also hunt for the profiles of artists, businessmen and bloggers in order to deceive subscribers on their behalf. There are cases when scammers gained access to private pictures and photos of media personalities, demanded a ransom and, failing to receive it, published everything publicly.
How else do scammers use neural networks?
Hackers use neural networks not only to crack passwords. With their help, they can make deepfakes (video doubles), write convincing texts and imitate voice messages. In the last couple of years, scammers have learned how to record fake stories in which they ask for help or a money transfer. They only need a couple of photos or a few seconds of video of the victim to generate one.
"Neural networks can 'animate' photos. The attackers create a video message in the messenger, the so-called 'circle', from animated photos and voice recordings. It looks especially convincing if the account was created on behalf of the same person and there is a photo of him on the avatar," says Alexander Dubrovin.
For voice recordings, scammers only need 3-5 seconds of audio, and now the "director" convincingly asks the accountant in the messenger to transfer money, adds Sergey Voldokhin. The AI can also generate an imitation of an "operator" who confidently conducts a dialogue with the subscriber to ask for important data.
According to Sarkis Shmavonian, the skills of cybercriminals are constantly improving. One of the trends of last year was video calls using deepfake technologies. This year, scammers began to use multimodal attacks more often, in which one AI system simultaneously fakes a voice and a face. Automatic generation of various phishing sites has also appeared in the criminals' arsenal: it is enough to specify a domain name, and AI assembles the rest ("brand", design, chatbot support).
Finally, cybercriminals began to use the analysis of human correspondence using neural networks. Algorithms evaluate the possible reaction of the interlocutor and suggest options for the next message — this helps to deceive victims.
Methods of protection
In order to protect accounts from fraudsters, experts recommend using complex passwords: long combinations of lowercase and uppercase letters, numbers, and special characters (such as @). At the same time, the password should not contain meaningful words, names, or memorable dates, and should be unique for each account. You can create it using a special generator or on your own.
"To come up with such a password, you can use a trick: take a line from a song or poem, remove all the vowels from it, and add special characters instead," advises Dmitry Galov, head of Kaspersky GReAT in Russia. "At the same time, it is important not only to come up with a unique password, but also to store it safely and change it regularly. It's difficult to do this on your own, especially if a person has multiple accounts. Therefore, it is better to use special solutions: password managers."
In addition, it is important to enable two-factor authentication wherever possible. At the same time, it is better to avoid SMS messages for transmitting authentication codes. Instead, choose code generator applications or hardware keys.
"If you receive a video call or message, check that the other person is real: ask them to turn their head, and pay attention to discrepancies in the background, lighting, and reflections. Look for oddities in the area of the eyes, teeth, and hair; neural networks often make mistakes in these details. Check for an unnatural position of the ears or fingers and for mismatched body parts," advises Sergey Voldokhin.
At the same time, he urges people not to trust emotional videos and requests for "urgent payments": deepfakes often play on feelings of fear or pity. It is better to agree with your loved ones on a code word or phrase to verify identity in emergency situations.
"Apply content verification features. Most social networks already label AI images. Use free metadata analysis services," the expert adds.
In turn, Alexander Dubrovin recommends that you always check information through an alternative communication channel. If you receive a suspicious message, it is better to call the person back and make sure that it was really them who wrote.
The reverse side
However, neural networks can work "both ways": they not only "help" cybercriminals, but are also used to combat them. The Yandex Browser press service told Izvestia that artificial intelligence is actively used to quickly identify new sources of threats and prevent fraud attempts. Neural networks help to respond quickly to the actions of intruders and protect users from even the newest fraudulent schemes.
"Neural networks embedded in the browser are able to detect signs of phishing pages based on hundreds of factors, in particular, by the date of their creation and by how often people visit them. The browser analyzes this data in real time, which allows you to prevent traffic even to those malicious sites that have not yet managed to get into popular phishing resource databases. Since the beginning of the year, neural networks have prevented attacks that could have killed more than 25 million people," the press service explained.
In the Yandex caller ID, available in the browser, neural networks analyze calls made to a large number of people from one number, the duration of the call, and information about who ended the call: more than 300 factors in total. This makes it possible to identify the categories of calling numbers, including fraudsters, more accurately.