There is a phrase that is frequently repeated on social networks and everyday conversations, especially in a country where the feeling of insecurity is no longer limited to the streets: “I went to a website and they emptied my bank account”. But is it really enough to visit a page to be hacked? Although the cybercriminals are becoming more and more creative, experts say that It is not so easy for a simple click to end in digital theft.
In most cases, when fraud or data theft occurs, it is the user themselves who—without realizing it—has provided sensitive information. It can happen by entering your credentials on a fake site, clone store, or spoofed banking page. The design may look identical to the original, but the data travels directly into the hands of attackers.
Much has already been said about phishingthat old technique that is still one of the most used in Peru. Through emails, messages or publications on social networks that impersonate known entities, criminals seek to get victims to reveal their personal or financial data without suspecting it.
However, the phishing has evolved. Today there are more precise versions, such as spear phishingwhich personalizes messages depending on the victim, or the smishingwhich uses SMS with fake links. Campaigns have even been detected that use artificial intelligence to imitate the way of writing of real contacts, making it increasingly difficult to distinguish between what is legitimate and what is fake.
So is it impossible for me to get hacked just for opening a page?
vulnerabilities in browsers or plugins
/
Under normal conditions, Just entering a website does not download or install malware on a modern and updated device. Here’s the key: updated systems and supported software. Current browsers and operating systems block most automated downloads or launches.
“Today, multiple protection mechanisms exist—such as process isolation, certificate verification, and content policies—that significantly reduce the risk of a website executing malicious code without user interaction.”explains to The Commerce Mario Micucci, computer security expert at ESET Latin America.
However, Micucci warns that there are exceptions. Some pages can take advantage vulnerabilities in browsers or plugins to execute code without intervention. “These attacks, known as drive-by downloadsare much less frequent today, but they explain the origin of this myth,” he maintains.
These attacks were common in the past decade, and although they are less common today, they continue to appear in targeted campaigns or on compromised sites. They occur when a page takes advantage of a flaw in the browser or plugins such as Flash, Java, or PDF readers. When the site loads, a script analyzes the software version and, if it detects a gap, downloads and executes code without the user noticing, installing Trojans or spyware.
Another common method is malvertisingwhich inserts malicious ads into legitimate ad networks. The user may be browsing a trusted portal, but the ad comes from an external server trying to redirect them or exploit a vulnerability. In some cases, you don’t even need to click: the code just loads into the notice space.
For their part, the exploit kits They are automated packages hosted on compromised sites, sometimes even on legitimate pages that were hacked. These tools analyze the visitor’s environment—browser, operating system, plug-ins, IP address—and launch a exploit adapted. If the attack is successful, they manage to install malware on the device, from banking Trojans to ransomware o spyware.
/
Updated systems
Although it sounds disturbing, for a simple visit to end in an infection it is necessary that the system has uncorrected vulnerabilities. These flaws act as open doors that attackers take advantage of to enter and take control of a computer.
When a developer detects a vulnerability, they fix it and release an update or “security patch.” That is why one of the pillars of cybersecurity is keeping equipment up to date: both applications and operating systems.
According to Micucci, today the most popular systems, such as Windows 10 and 11, incorporate measures that make it difficult to execute malicious code. The same happens in Android and iOS, which apply models of sandboxing to isolate processes and prevent intrusions, and in browsers like Chrome or Edge, which run each tab in separate environments with limited permissions.
Updated equipment is, therefore, more protected equipment. But even then, absolute security does not exist. “Zero-day vulnerabilities are real and, although rare, can be exploited in targeted attacks”explained Micucci. “An updated device offers a very high level of protection, but is not completely immune. The attack surface is still present, especially in components such as browsers, JavaScript engines and multimedia viewers”.
The specialist recommends having a reliable security solution installed on devices to complement protection and further reduce risk.